AWS eventbridge high security documentation change
Summary
Replaced pipe creation/update instructions with detailed documentation about encryption context usage and KMS key policies. Added example policies with condition keys for resource-based access control and logging service permissions.
Security assessment
The changes add security-focused documentation about encryption context binding for audit purposes and implement key policy conditions to prevent confused deputy issues. Specific evidence includes added Condition blocks with 'kms:EncryptionContext:aws:pipe:arn' restrictions and explicit security best practice recommendations for key policies.
Diff
diff --git a/eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md index 540baf5ae..033e77aa9 100644 --- a/eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md +++ b/eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md @@ -3 +3 @@ -Set encryption when creating a pipeUpdate encryption on a pipe +Encryption contextPipe key policy @@ -18 +18 @@ The pipe data EventBridge encrypts at rest includes: -## Specifying the AWS KMS key used for encryption when creating a pipe +## EventBridge Pipes encryption context @@ -20 +20 @@ The pipe data EventBridge encrypts at rest includes: -Choosing the AWS KMS key used for encryption is an option creating a pipe. The default is to use the AWS owned key provided by EventBridge. +An [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) is a set of key–value pairs that contain arbitrary nonsecret data. When you include an encryption context in a request to encrypt data, AWS KMS cryptographically binds the encryption context to the encrypted data. To decrypt the data, you must pass in the same encryption context. @@ -22 +22 @@ Choosing the AWS KMS key used for encryption is an option creating a pipe. The d -###### To specify a customer managed key for encryption when creating a pipe (console) +You can also use the encryption context as a condition for authorization in policies and grants. @@ -24 +24 @@ Choosing the AWS KMS key used for encryption is an option creating a pipe. The d - * Follow these instructions: +If you use a customer managed key to protect your EventBridge resources, you can use the encryption context to identify use of the KMS key in audit records and logs. It also appears in plaintext in logs, such as [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) and [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html). @@ -26 +26 @@ Choosing the AWS KMS key used for encryption is an option creating a pipe. The d -[Creating a pipe](./eb-pipes-create.html). +For EventBridge Pipes, EventBridge uses the same encryption context in all AWS KMS cryptographic operations. The context includes a single key–value pair, which contains the pipe ARN. @@ -28,0 +29,3 @@ Choosing the AWS KMS key used for encryption is an option creating a pipe. The d + "encryptionContext": { + "kms:EncryptionContext:aws:pipes:arn": "pipe-arn" + } @@ -29,0 +33 @@ Choosing the AWS KMS key used for encryption is an option creating a pipe. The d +For vended logs, EventBridge uses the following encryption context. @@ -31 +34,0 @@ Choosing the AWS KMS key used for encryption is an option creating a pipe. The d -###### To specify a customer managed key for encryption when creating a pipe (CLI) @@ -33 +36,3 @@ Choosing the AWS KMS key used for encryption is an option creating a pipe. The d - * When calling `[create-pipe](https://docs.aws.amazon.com/cli/latest/reference/pipes/create-pipe.html)`, use the `kms-key-identifier` option to specify the customer managed key for EventBridge to use for encryption on the event bus. + "encryptionContext": { + "kms:EncryptionContext:SourceArn": "arn:partition:logs:region:account:*" + } @@ -34,0 +40 @@ Choosing the AWS KMS key used for encryption is an option creating a pipe. The d +## AWS KMS key policy for EventBridge Pipes @@ -35,0 +42 @@ Choosing the AWS KMS key used for encryption is an option creating a pipe. The d +The following example key policy provides the required permissions for a pipe: @@ -36,0 +44 @@ Choosing the AWS KMS key used for encryption is an option creating a pipe. The d + * `kms:DescribeKey` @@ -38 +46 @@ Choosing the AWS KMS key used for encryption is an option creating a pipe. The d -## Updating the AWS KMS key used for encryption on EventBridge Pipes + * `kms:GenerateDataKey` @@ -40 +48 @@ Choosing the AWS KMS key used for encryption is an option creating a pipe. The d -You can update the AWS KMS key being used for encryption at rest on an existing pipe. This includes: + * `kms:Decrypt` @@ -42 +49,0 @@ You can update the AWS KMS key being used for encryption at rest on an existing - * Changing from the default AWS owned key to a customer managed key. @@ -44 +50,0 @@ You can update the AWS KMS key being used for encryption at rest on an existing - * Changing from a customer managed key to the default AWS owned key. @@ -46 +51,0 @@ You can update the AWS KMS key being used for encryption at rest on an existing - * Changing from one customer managed key to another. @@ -47,0 +53 @@ You can update the AWS KMS key being used for encryption at rest on an existing +As a security best practice, we recommend you include condition keys in the key policy to helps ensure that EventBridge uses the KMS key only for the specified resource or account. For more information, see [Security considerations](./eb-encryption-key-policy.html#eb-encryption-event-bus-confused-deputy). @@ -49,0 +56,28 @@ You can update the AWS KMS key being used for encryption at rest on an existing + { + "Id": "CMKKeyPolicy", + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::account-id:role/pipe-execution-role" + }, + "Action": [ + "kms:GenerateDataKey", + "kms:Decrypt", + "kms:DescribeKey" + ], + "Resource": "*", + "Condition": { + "ArnLike": { + "kms:EncryptionContext:aws:pipe:arn": "arn:aws:pipes:region:account-id:pipe/pipe-name" + }, + "ForAnyValues:StringEquals": { // Requires that only PipeArn is passed in the encryption context + "kms:EncryptionContextKeys": [ + "aws:pipe:arn" + ] + } + } + } + ] + } @@ -51 +84,0 @@ You can update the AWS KMS key being used for encryption at rest on an existing -When you update a pipe to use a different AWS KMS key, EventBridge decrypts any data stored on the pipe and then encrypts it using the new key. @@ -53 +86 @@ When you update a pipe to use a different AWS KMS key, EventBridge decrypts any -###### To update the KMS key used for encryption on a pipe (console) +### Permissions for pipe logs that include execution data @@ -55 +88 @@ When you update a pipe to use a different AWS KMS key, EventBridge decrypts any - 1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/). +If you have configured pipes logging to include execution data, the key policy must include the following permissions for the logging service: @@ -57 +90 @@ When you update a pipe to use a different AWS KMS key, EventBridge decrypts any - 2. In the navigation pane, choose **Pipes**. + * `kms:Decrypt` @@ -59 +92 @@ When you update a pipe to use a different AWS KMS key, EventBridge decrypts any - 3. Choose the pipe you want to update. + * `kms:GenerateDataKey` @@ -61 +93,0 @@ When you update a pipe to use a different AWS KMS key, EventBridge decrypts any - 4. On the pipe bus details page, choose the **Encryption** tab. @@ -63 +94,0 @@ When you update a pipe to use a different AWS KMS key, EventBridge decrypts any - 5. Choose the KMS key for EventBridge to use when encrypting the data stored on pipe: @@ -65 +95,0 @@ When you update a pipe to use a different AWS KMS key, EventBridge decrypts any - * Choose **Use AWS owned key** for EventBridge to encrypt the data using an AWS owned key. @@ -67 +97 @@ When you update a pipe to use a different AWS KMS key, EventBridge decrypts any -This AWS owned key is a KMS key that EventBridge owns and manages for use in multiple AWS accounts. In general, unless you are required to audit or control the encryption key that protects your resources, an AWS owned key is a good choice. +For more information, see [Including execution data in EventBridge Pipes logs](./eb-pipes-logs.html#eb-pipes-logs-execution-data). @@ -69 +99 @@ This AWS owned key is a KMS key that EventBridge owns and manages for use in mul -This is the default. +The following example key policy provides the required permissions for pipes logging: @@ -71 +100,0 @@ This is the default. - * Choose **Use customer managed key** for EventBridge to encrypt the data using the customer managed key that you specify or create. @@ -73 +102,17 @@ This is the default. -Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys. + { + "Sid": "Enable log service encryption", + "Effect": "Allow", + "Principal": { + "Service": "delivery.logs.amazonaws.com" + }, + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "kms:EncryptionContext:SourceArn": "arn:partition:logs:region:account:*" + } + } + } @@ -75 +120 @@ Customer managed keys are KMS keys in your AWS account that you create, own, and - 1. Specify an existing customer managed key, or choose **Create a new KMS key**. +In addition, the pipe execution role requires the `kms:GenerateDataKey` permisson. @@ -77 +121,0 @@ Customer managed keys are KMS keys in your AWS account that you create, own, and -EventBridge displays the key status and any key aliases that have been associated with the specified customer managed key. @@ -78,0 +123,16 @@ EventBridge displays the key status and any key aliases that have been associate + { + "Sid": "Enable log service encryption", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::account:role/pipe-execution-role" + }, + "Action": [ + "kms:GenerateDataKey" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "kms:EncryptionContext:SourceArn": "arn:partition:logs:region:account:*" + } + } + } @@ -79,0 +140 @@ EventBridge displays the key status and any key aliases that have been associate +The pipe execution role should also include: @@ -82,6 +143,9 @@ EventBridge displays the key status and any key aliases that have been associate -###### To update the KMS key used for encryption on a pipe (CLI) - - * When calling `[update-pipe](https://docs.aws.amazon.com/cli/latest/reference/pipes/update-pipe.html)`, use the `kms-key-identifier` option to specify the customer managed key for EventBridge to use for encrypting pipe data. - - - + "Action": [ + "kms:GenerateDataKey" + ], + "Resource": "key-arn", + "Condition": { + "StringLike": { + "kms:EncryptionContext:SourceArn": "arn:partition:logs:region:account:*" + } + } @@ -97 +161 @@ Decrypting DLQ events -Tag-based policies +Configuring pipe encryption