MalformedPolicyDocumentException when creating AWS::KMS::Key


The defined principals do not evaluate to ARNs.

The first principal would evaluate to:

"AWS": "arn:aws:iam::11111111moimeco"

A valid ARN for a user would look like this:

"arn:aws:iam::1111111:user/username"

Additionally, you need to include the root user in your principals.

Otherwise, AWS wouldn't let you create the key at all. The reason behind this is described here:

AWS Key policies under "Allows Access to the AWS Account and Enables IAM Policies"
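The two checks in this answer (every `AWS` principal must resolve to a well-formed IAM ARN, and some Allow statement must name the account root) can be run against a template before deploying it. The linter below is an added example, not code from the question or from AWS; it evaluates only `Ref` and `Fn::Join` (the intrinsics used in the question), substitutes constructed sample values for `AWS::AccountId` and `CustomerParam`, and only inspects the `"AWS"` principal form used here (bare account ids, `"*"` and service principals are out of scope).

```python
import re
from typing import Any

# Constructed sample values standing in for the CloudFormation pseudo-parameter
# and the template parameter referenced in the question; not real account data.
SAMPLE_REFS = {"AWS::AccountId": "111111111111", "CustomerParam": "customer1"}

# IAM principal ARN shape: arn:<partition>:iam::<12-digit account>:root|user/<name>|role/<path+name>
PRINCIPAL_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:(?:root|user/[\w+=,.@-]+|role/[\w+=,.@/-]+)$"
)

def resolve(node: Any, refs: dict) -> Any:
    """Evaluate Ref and Fn::Join the way CloudFormation would; other nodes pass through."""
    if isinstance(node, dict):
        if len(node) == 1 and "Ref" in node:
            return refs[node["Ref"]]
        if len(node) == 1 and "Fn::Join" in node:
            separator, parts = node["Fn::Join"]
            return separator.join(str(resolve(part, refs)) for part in parts)
        return {key: resolve(value, refs) for key, value in node.items()}
    if isinstance(node, list):
        return [resolve(value, refs) for value in node]
    return node

def lint_key_policy(policy: dict, refs: dict = SAMPLE_REFS) -> list:
    """Return findings for the resolved key policy; an empty list means both checks pass."""
    findings = []
    root_allowed = False
    for stmt in resolve(policy, refs).get("Statement", []):
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for arn in [aws] if isinstance(aws, str) else aws:
            if not PRINCIPAL_ARN.match(arn):
                findings.append(f"{stmt.get('Sid')}: '{arn}' is not a valid IAM principal ARN")
            elif arn.endswith(":root") and stmt.get("Effect") == "Allow":
                root_allowed = True
    if not root_allowed:
        findings.append("no Allow statement grants the account root principal")
    return findings
```

Run `lint_key_policy` on the `KeyPolicy` value of the question's first template and it reports the concatenated `arn:aws:iam::<account>moimeco` strings plus the missing root statement; the edited template passes both checks.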

Author: Souad

Updated on June 28, 2022

Comments

  • Souad, over 1 year ago

    I'm trying to create a KMS key to use in the S3 service, but I get the MalformedPolicyDocument exception. Here is the resource:

    "CustomerMasterKey":{
      "Type" : "AWS::KMS::Key",
      "Condition" : "EnableEncryption",
      "Properties" : {
        "Description" : "Client Master Key used to encrypt data",
        "Enabled" : true,
        "EnableKeyRotation" : true,
        "KeyPolicy" :
        {
          "Version": "2012-10-17",
          "Id": {"Fn::Join": ["",["Key","Policy",{"Ref": "CustomerParam"}]]},
          "Statement":
          [{
          "Sid": "Allow access for Key Administrators",
          "Effect": "Allow",
          "Principal": {
            "AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},"moimeco"]]}
          },
          "Action": [
            "kms:Create*",
            "kms:Describe*",
            "kms:Enable*",
            "kms:List*",
            "kms:Put*",
            "kms:Update*",
            "kms:Revoke*",
            "kms:Disable*",
            "kms:Get*",
            "kms:Delete*",
            "kms:TagResource",
            "kms:UntagResource",
            "kms:ScheduleKeyDeletion",
            "kms:CancelKeyDeletion"
          ],
          "Resource": "*"
          },
          {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": {
            "AWS":
            [
              {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"}, {"Ref": "CustomerParam"}]]},
              {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},"userprod"]]}
            ]
          },
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "kms:ViaService": "s3.eu-west-1.amazonaws.com"
            }
          }
          }]
        }
      }
    },
    

    I don't know where the error is; to me it all looks fine. Any idea, please?

    EDIT:

    This code is giving the same error:

    "CustomerMasterKey":{
          "Type" : "AWS::KMS::Key",
          "Properties" : {
            "Description" : "A sample key",
            "KeyPolicy" : {
              "Version": "2012-10-17",
              "Id": {"Fn::Join": ["-",["Key","Policy",{"Ref": "CustomerParam"}]]},
              "Statement": [
              {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {
                  "AWS":  {"Fn::Join": ["", ["arn:aws:iam::",{"Ref": "AWS::AccountId"},":root"]]}
                },
                "Action": "kms:*",
                "Resource": "*"
              },
              {
                "Sid": "Allow administration of the key",
                "Effect": "Allow",
                "Principal": { "AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/","userprod"]]} },
                "Action": [
                  "kms:Create*",
                  "kms:Describe*",
                  "kms:Enable*",
                  "kms:List*",
                  "kms:Put*",
                  "kms:Update*",
                  "kms:Revoke*",
                  "kms:Disable*",
                  "kms:Get*",
                  "kms:Delete*",
                  "kms:ScheduleKeyDeletion",
                  "kms:CancelKeyDeletion"
                ],
                "Resource": "*"
              },
              {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": { "AWS": [{"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/",{"Ref": "CustomerParam"}]]},
                                       {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/","moimeco"]]}]
                             },
                "Action": [
                  "kms:Encrypt",
                  "kms:Decrypt",
                  "kms:ReEncrypt*",
                  "kms:GenerateDataKey*",
                  "kms:DescribeKey"
                ],
                "Resource": "*"
              },
              {
                "Sid": "Allow attachment of persistent resources",
                "Effect": "Allow",
                "Principal": {
                  "AWS": {"Fn::Join": ["",["arn:aws:iam::",{"Ref": "AWS::AccountId"},":user/",{"Ref": "CustomerParam"}]]}
                },
                "Action": [
                  "kms:CreateGrant",
                  "kms:ListGrants",
                  "kms:RevokeGrant"
                ],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
              }
            ]
            }
          }
        },