AWS singlesignon medium security documentation change
Summary
Rewrote the baseline KMS key policy documentation to consolidate multiple use cases into a single comprehensive policy, simplified policy statements, added policy variables for account/organization context, replaced hardcoded values with placeholders, and restructured with a table explaining policy statements.
Security assessment
The changes enhance security by implementing least-privilege principles through policy variables (${aws:ResourceOrgID}, ${aws:ResourceAccount}) that dynamically enforce resource boundaries, replacing hardcoded values that could lead to misconfiguration. The consolidated policy adds explicit encryption context validation ('ForAnyValue:StringEquals') for SSO instance and identity store ARNs, preventing potential context manipulation attacks. Removal of wildcard IAM principals reduces over-permission risks.
Diff
diff --git a/singlesignon/latest/userguide/baseline-KMS-key-policy.md b/singlesignon/latest/userguide/baseline-KMS-key-policy.md index 8d325cf92..8a3b55f5f 100644 --- a//singlesignon/latest/userguide/baseline-KMS-key-policy.md +++ b//singlesignon/latest/userguide/baseline-KMS-key-policy.md @@ -7 +7 @@ -Examples of KMS key policy statements for common use cases +# Baseline KMS key policy @@ -9 +9 @@ Examples of KMS key policy statements for common use cases -# Baseline KMS key and IAM policy statements +The following KMS key policy covers the most common deployment scenario: an IAM Identity Center instance with delegated administrators and AWS managed applications, including AWS Control Tower, SSO to Amazon EC2 instances, and custom workflows. Use this policy as your starting point when creating a customer managed KMS key for IAM Identity Center. If you need more granular access controls, such as restricting the key to a specific IAM Identity Center instance or application, see [Advanced KMS key policy statements](./advanced-kms-policy.html). Please note if using a multi-Region key, the same policy should be used across all replicas to help ensure consistent authorization. @@ -11 +11 @@ Examples of KMS key policy statements for common use cases -The baseline KMS key and identity-based policies provided here serve as a foundation for common requirements. We also recommend that you review [Advanced KMS key policy statements](./advanced-kms-policy.html) that provide more granular access controls, such as ensuring the KMS key is accessible only to a specific IAM Identity Center instance or AWS managed application. Before using advanced KMS key policy statements, review the [Considerations for choosing baseline vs. advanced KMS key policy statements](./considerations-for-customer-managed-kms-keys-advanced.html#kms-policy-considerations-advanced-vs-baseline). +To use this policy, replace the following placeholder values with your own: @@ -13 +13 @@ The baseline KMS key and identity-based policies provided here serve as a founda -The following sections provide baseline policy statements for each use case. Expand the sections that match your use cases, and copy the KMS key policy statements. Then, return to [Step 2: Prepare KMS key policy statements](./identity-center-customer-managed-keys.html#choose-kms-key-policy-statements). + * ``111122223333`` — The AWS account ID of your IAM Identity Center instance (the AWS Organizations management account). @@ -15 +15 @@ The following sections provide baseline policy statements for each use case. Exp -Use the following KMS key policy statement template in [Step 2: Prepare KMS key policy statements](./identity-center-customer-managed-keys.html#choose-kms-key-policy-statements) to allow IAM Identity Center, its associated Identity Store, and IAM Identity Center administrators to use the KMS key. + * ``444455556666`` — The AWS account ID of your delegated administration account. If you don't use delegated administration, remove this principal. @@ -17 +16,0 @@ Use the following KMS key policy statement template in [Step 2: Prepare KMS key - * In the Principal element for administrator policy statements, specify the AWS account principals of the IAM Identity Center's administration accounts, which are the AWS organization management account and the delegated administration account, using the format "arn:aws:iam::111122223333:root". @@ -19 +17,0 @@ Use the following KMS key policy statement template in [Step 2: Prepare KMS key - * In the PrincipalArn element, replace the example ARNs with the IAM Identity Center administrators' IAM roles. @@ -21 +18,0 @@ Use the following KMS key policy statement template in [Step 2: Prepare KMS key -You can specify either: @@ -23,20 +20 @@ You can specify either: - * Specific IAM role ARN: - -` "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/ap-southeast-2/AWSReservedSSO_permsetname_12345678"` - - * Wildcard pattern (recommended): - -` "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/ap-southeast-2/AWSReservedSSO_permsetname_*"` - -Using the wildcard (`*`) prevents access loss if the permission set is deleted and recreated, as Identity Center generates new unique identifiers for recreated permission sets. For an example implementation, see [Custom trust policy example](./referencingpermissionsets.html#custom-trust-policy-example) . - - * In the SourceAccount element, specify the IAM Identity Center account ID. - - * Identity Store has its own service principal, `identitystore.amazonaws.com`, which must be allowed to use the KMS key. - - * These policy statements allow your IAM Identity Center instances in a specific AWS account to use the KMS key. To restrict access to a specific IAM Identity Center instance, see [Advanced KMS key policy statements](./advanced-kms-policy.html). You can have only one IAM Identity Center instance for each AWS account. - - - - -KMS key policy statements +Since AWS IAM Identity Center requires that the KMS key be in the same AWS Account as the service, the following statements use the `${aws:ResourceOrgID}` and `${aws:ResourceAccount}` variables instead of literal values. You can replace these variables with your AWS Organization ID and AWS Account ID if you prefer to do so. @@ -49,29 +27 @@ KMS key policy statements - "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenter", - "Effect": "Allow", - "Principal": { - "AWS": [ - "arn:aws:iam::111122223333:root", - "arn:aws:iam::444455556666:root" - ] - }, - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKeyWithoutPlaintext" - ], - "Resource": "*", - "Condition": { - "ArnLike": { - "aws:PrincipalArn": [ - "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*", - "arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*" - ] - }, - "StringLike": { - "kms:ViaService": "sso.*.amazonaws.com", - "kms:EncryptionContext:aws:sso:instance-arn": "*" - } - } - }, - { - "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityStore", + "Sid": "AllowIdentityCenterAdminAccounts", @@ -85,18 +35,2 @@ KMS key policy statements - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKeyWithoutPlaintext" - ], - "Resource": "*", - "Condition": { - "ArnLike": { - "aws:PrincipalArn": [ - "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*", - "arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*" - ] - }, - "StringLike": { - "kms:ViaService": "identitystore.*.amazonaws.com", - "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*" - } - } + "Action": "kms:*", + "Resource": "*" @@ -105 +39 @@ KMS key policy statements - "Sid": "AllowIAMIdentityCenterAdminToDescribeTheKMSKey", + "Sid": "AllowIdentityCenterAndIdentityStoreToDescribeKey", @@ -108,3 +42,3 @@ KMS key policy statements - "AWS": [ - "arn:aws:iam::111122223333:root", - "arn:aws:iam::444455556666:root" + "Service": [ + "identitystore.amazonaws.com", + "sso.amazonaws.com" @@ -116,25 +49,0 @@ KMS key policy statements - "ArnLike": { - "aws:PrincipalArn": [ - "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_Admin_*", - "arn:aws:iam::444455556666:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_DelegatedAdmin_*" - ] - } - } - }, - { - "Sid": "AllowIAMIdentityCenterToUseTheKMSKey", - "Effect": "Allow", - "Principal": { - "Service": "sso.amazonaws.com" - }, - "Action": [ - "kms:Decrypt", - "kms:ReEncryptTo", - "kms:ReEncryptFrom", - "kms:GenerateDataKeyWithoutPlaintext" - ], - "Resource": "*", - "Condition": { - "StringLike": { - "kms:EncryptionContext:aws:sso:instance-arn": "*" - }, @@ -142 +51 @@ KMS key policy statements - "aws:SourceAccount": "111122223333" + "aws:SourceAccount": "${aws:ResourceAccount}" @@ -147 +56 @@ KMS key policy statements - "Sid": "AllowIdentityStoreToUseTheKMSKey", + "Sid": "AllowIdentityCenterAndIdentityStoreToUseKey", @@ -150 +59,4 @@ KMS key policy statements - "Service": "identitystore.amazonaws.com" + "Service": [ + "identitystore.amazonaws.com", + "sso.amazonaws.com" + ] @@ -160,3 +71,0 @@ KMS key policy statements - "StringLike": { - "kms:EncryptionContext:aws:identitystore:identitystore-arn": "*" - }, @@ -164,3 +73 @@ KMS key policy statements - "aws:SourceAccount": "111122223333" - } - } + "aws:SourceAccount": "${aws:ResourceAccount}" @@ -168,7 +75,4 @@ KMS key policy statements - { - "Sid": "AllowIAMIdentityCenterAndIdentityStoreToDescribeKMSKey", - "Effect": "Allow", - "Principal": { - "Service": [ - "identitystore.amazonaws.com", - "sso.amazonaws.com" + "ForAnyValue:StringEquals": { + "kms:EncryptionContextKeys": [ + "aws:sso:instance-arn", + "aws:identitystore:identitystore-arn" @@ -176,3 +79,0 @@ KMS key policy statements - }, - "Action": "kms:DescribeKey", - "Resource": "*" @@ -180 +80,0 @@ KMS key policy statements - ] @@ -182,25 +81,0 @@ KMS key policy statements - -Use the following IAM policy statement template in [Step 4: Configure IAM policies for cross-account use of the KMS key](./identity-center-customer-managed-keys.html#configure-iam-policies-kms-key) to allow IAM Identity Center administrators to use the KMS key. - - * Replace the example key ARN in the `Resource` element with your actual KMS key ARN. For help finding the values of the referenced identifiers, see [Where to find the required identifiers](./identity-center-customer-managed-keys.html#find-the-required-identifiers). - - * These IAM policy statements grant KMS key access to the IAM principal but don't restrict which AWS service can make the request. The KMS key policy typically provides these service restrictions. However, you can add encryption context to this IAM policy to limit usage to a specific Identity Center instance. For details, refer to [Advanced KMS key policy statements](./advanced-kms-policy.html). - - - - -IAM Policy statements required for delegated administrators of IAM Identity Center - - - { - "Version": "2012-10-17", - "Statement": [{ - "Sid": "IAMPolicyToAllowIAMIdentityCenterAdminToUseKMSkey", - "Effect": "Allow", - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:GenerateDataKeyWithoutPlaintext", - "kms:DescribeKey" - ], - "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"