AWS kms high security documentation change
Summary
Added guidance for IPv6 address handling in IAM/KMS policies with explicit examples
Security assessment
Addresses potential authorization gaps by requiring explicit IPv6 ranges in policies to prevent unintended access when using dual-stack networks
Diff
diff --git a/kms/latest/developerguide/conditions-aws.md b/kms/latest/developerguide/conditions-aws.md index 849fdf65c..472495322 100644 --- a//kms/latest/developerguide/conditions-aws.md +++ b//kms/latest/developerguide/conditions-aws.md @@ -5 +5 @@ -Using the IP address conditionUsing VPC and VPC endpoint conditions +Using the IP address conditionUsing VPC and VPC endpoint conditionsUsing IPv6 addresses in IAM and KMS key policies @@ -24,0 +25,2 @@ The following topics provide special guidance for using condition keys based on + * Using IPv6 addresses in IAM and KMS key policies + @@ -43 +45 @@ Step 2 fails because the request to AWS KMS to decrypt the volume's encrypted da -Also, the `aws:sourceIP` condition key is not effective when the request comes from an [Amazon VPC endpoint](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html). To restrict requests to a VPC endpoint, including an [AWS KMS VPC endpoint](./kms-vpc-endpoint.html), use the `aws:sourceVpce` or `aws:sourceVpc` condition keys. For more information, see [VPC Endpoints - Controlling the Use of Endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html#vpc-endpoints-iam-access) in the _Amazon VPC User Guide_. +Also, the `aws:SourceIP` condition key is not effective when the request comes from an [Amazon VPC endpoint](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html). To restrict requests to a VPC endpoint, including an [AWS KMS VPC endpoint](./kms-vpc-endpoint.html), use the `aws:SourceVpce` or `aws:SourceVpc` condition keys. For more information, see [VPC Endpoints - Controlling the Use of Endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html#vpc-endpoints-iam-access) in the _Amazon VPC User Guide_. @@ -59,0 +62,47 @@ Take care to avoid a situation like the IP address condition keys example. If yo +## Using IPv6 addresses in IAM and KMS key policies + +Before trying to access KMS over IPv6, ensure any key and IAM policies containing IP address restrictions are updated to include IPv6 address ranges. IP based policies that are not updated to handle IPv6 addresses may result in clients incorrectly losing or gaining access when they start using IPv6. For general guidance on KMS access controls, see [KMS key access and permissions](./control-access.html). To learn about KMS and dual stack support, see [Dual-stack endpoint support](./ipv6-kms.html). + +###### Important + +These statements do not allow any actions. Use these statements in combination with other statements that allow specific actions. + +The following statement explicitly denies access to all KMS permissions for requests originating from the `192.0.2.*` range of IPv4 addresses. Any IP addresses outside of this range are not explicitly denied KMS permissions. Since all IPv6 addresses are outside of the denied range, this statement does not explicitly deny KMS permissions for any IPv6 addresses. + + + { + "Sid": "DenyKMSPermissions", + "Effect": "Deny", + "Action": [ + "kms:*" + ], + "Resource": "*", + "Condition": { + "NotIpAddress": { + "aws:SourceIp": [ + "192.0.2.0/24" + ] + } + } + } + +You can modify the `Condition` element to deny both IPv4 (`192.0.2.0/24`) and IPv6 (`2001:db8:1234::/32`) address ranges as shown in the following example. + + + { + "Sid": "DenyKMSPermissions", + "Effect": "Deny", + "Action": [ + "kms:*" + ], + "Resource": "*", + "Condition": { + "NotIpAddress": { + "aws:SourceIp": [ + "192.0.2.0/24", + "2001:db8:1234::/32" + ] + } + } + } +