MalformedPolicyDocumentException when creating AWS::KMS::Key
The defined principals do not evaluate to ARNs.
The first principal would evaluate to:
"AWS": "arn:aws:iam::11111111moimeco"
A valid ARN for a user would look like this:
"arn:aws:iam::1111111:user/username"
Additionally, you need to include the account root user among your principals.
Otherwise, AWS wouldn't let you create the key at all. The reason behind this is described here:
AWS Key policies under "Allows Access to the AWS Account and Enables IAM Policies"
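As an added illustration (not part of the answer above), a small Python lint that applies the answer's two checks to a CloudFormation KeyPolicy before a stack is deployed: it resolves Fn::Join and Ref AWS::AccountId the way the question's template uses them, then verifies that every AWS principal is a well-formed IAM ARN and that an Allow statement names the account root. The account id, user names and both sample policies are constructed; a Ref to a template parameter is replaced by the parameter name as a stand-in value.

```python
import re

# Constructed stand-in for {"Ref": "AWS::AccountId"}; real ids are 12 digits.
ACCOUNT_ID = "111111111111"

# Constructed sample in the shape of the question's first template: the admin principal
# joins the account id straight onto the user name (no ":user/") and no statement names root.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow access for Key Administrators", "Effect": "Allow",
    "Principal": {"AWS": {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, "moimeco"]]}},
    "Action": ["kms:Create*", "kms:Describe*"], "Resource": "*"}]}

# Same policy with both problems fixed: ":user/" in the join and a root statement.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":root"]]}},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
     "Principal": {"AWS": {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":user/", "moimeco"]]}},
     "Action": ["kms:Create*", "kms:Describe*"], "Resource": "*"}]}

# IAM principal ARN accepted in a key policy: 12-digit account id, then :root, :user/<name> or :role/<name>.
IAM_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(root|user/[\w+=,.@-]+|role/[\w+=,.@/-]+)$")

def resolve(node, account_id):
    """Evaluate Fn::Join and Ref; a Ref to a template parameter becomes the parameter name."""
    if isinstance(node, dict):
        if "Fn::Join" in node:
            sep, parts = node["Fn::Join"]
            return sep.join(resolve(p, account_id) for p in parts)
        if "Ref" in node:
            return account_id if node["Ref"] == "AWS::AccountId" else node["Ref"]
        return {k: resolve(v, account_id) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(p, account_id) for p in node]
    return node

def lint_key_policy(policy, account_id):
    """Return findings for the two problems the answer describes; [] means both checks pass."""
    findings, root_arn, has_root = [], "arn:aws:iam::%s:root" % account_id, False
    for stmt in resolve(policy, account_id)["Statement"]:
        aws = stmt.get("Principal", {}).get("AWS", [])  # only {"AWS": ...} principals are checked
        for arn in (aws if isinstance(aws, list) else [aws]):
            if arn == root_arn and stmt.get("Effect") == "Allow":
                has_root = True
            if not IAM_ARN_RE.match(arn):
                findings.append("%s: principal %s is not a valid IAM ARN" % (stmt.get("Sid"), arn))
    if not has_root:
        findings.append("no Allow statement grants the account root principal " + root_arn)
    return findings
```

Running `lint_key_policy(BROKEN_POLICY, ACCOUNT_ID)` reports the malformed admin ARN and the missing root statement, while the fixed policy returns no findings.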
Comments
Souad over 1 year
I'm trying to create a KMS key to use it in the S3 service, but I get the MalformedPolicyDocument exception. Here is the resource:
"CustomerMasterKey": {
  "Type": "AWS::KMS::Key",
  "Condition": "EnableEncryption",
  "Properties": {
    "Description": "Client Master Key used to encrypt data",
    "Enabled": true,
    "EnableKeyRotation": true,
    "KeyPolicy": {
      "Version": "2012-10-17",
      "Id": {"Fn::Join": ["", ["Key", "Policy", {"Ref": "CustomerParam"}]]},
      "Statement": [
        {
          "Sid": "Allow access for Key Administrators",
          "Effect": "Allow",
          "Principal": {
            "AWS": {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, "moimeco"]]}
          },
          "Action": [
            "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
            "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
            "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, {"Ref": "CustomerParam"}]]},
              {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, "userprod"]]}
            ]
          },
          "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
          "Resource": "*",
          "Condition": {"StringEquals": {"kms:ViaService": "s3.eu-west-1.amazonaws.com"}}
        }
      ]
    }
  }
},
I don't know where the error is; to me it all looks fine. Any idea, please?
::EDIT::
This code is giving the same error:
"CustomerMasterKey": {
  "Type": "AWS::KMS::Key",
  "Properties": {
    "Description": "A sample key",
    "KeyPolicy": {
      "Version": "2012-10-17",
      "Id": {"Fn::Join": ["-", ["Key", "Policy", {"Ref": "CustomerParam"}]]},
      "Statement": [
        {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
            "AWS": {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":root"]]}
          },
          "Action": "kms:*",
          "Resource": "*"
        },
        {
          "Sid": "Allow administration of the key",
          "Effect": "Allow",
          "Principal": {
            "AWS": {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":user/", "userprod"]]}
          },
          "Action": [
            "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
            "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
            "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":user/", {"Ref": "CustomerParam"}]]},
              {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":user/", "moimeco"]]}
            ]
          },
          "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
          "Resource": "*"
        },
        {
          "Sid": "Allow attachment of persistent resources",
          "Effect": "Allow",
          "Principal": {
            "AWS": {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":user/", {"Ref": "CustomerParam"}]]}
          },
          "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
          "Resource": "*",
          "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
        }
      ]
    }
  }
},