cloud-custodian / cloud-custodian

Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
https://cloudcustodian.io
Apache License 2.0

aws - auto filter aws managed kms keys #4662

Open FireballDWF opened 5 years ago

FireballDWF commented 5 years ago
  1. Add a custodian supplied/helper filter that is the equivalent of:
     type: value
     key: "KeyManager"
     value: "CUSTOMER"
  2. When custodian is executing a policy which attempts to tag a key where "KeyManager" = "AWS", provide a graceful error indicating that is not allowed. AWS replies "AccessDenied", but it may confuse people until they understand that attempting to tag keys they are not a manager of is not allowed; it's not just a matter of having the kms:TagResource IAM permission.

Low priority

kapilt commented 5 years ago

It's unclear what you're suggesting as an alternative. Yes, fine-grained IAM policies lead to inscrutable access denied errors; what are you suggesting custodian do about that?

FireballDWF commented 5 years ago
  1. No, this is not about IAM policies. Even AdministratorAccess and root can't tag a key when that key's property of "KeyManager"="AWS".
  2. I am proposing an additional filter be added to the kms-key resource, where the filter performs the equivalent of the following generic filter:
     type: value
     key: "KeyManager"
     value: "CUSTOMER"

kapilt commented 5 years ago

Implicitly filtering AWS-owned resources in an account is really something best left to a policy author; there are typically governance objectives around verifying properties even for things AWS has in an account. Take a managed ENI for example.
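The approach the thread converges on, written out as a Cloud Custodian policy file (an added example, not part of the issue and not code from the Cloud Custodian project): the first policy keeps the `KeyManager: CUSTOMER` value filter explicit in the policy, so the tag action never reaches an AWS-managed key and the confusing `AccessDenied` from `kms:TagResource` is avoided; the second shows the governance case kapilt raises, an inventory-only policy that still looks at AWS-managed keys instead of hiding them. The resource name `aws.kms-key`, the `value` filter, the `tag` action and the `KeyManager` attribute surfaced from `DescribeKey` are standard Custodian features; the policy names, tag key and tag value are placeholders chosen for this example.

```yaml
policies:
  # Tag only keys this account actually manages. The explicit value filter
  # on KeyManager is the policy author's responsibility, as discussed above;
  # AWS-managed keys (KeyManager: AWS) are excluded before any action runs,
  # so the policy never triggers the AccessDenied that TagResource returns
  # for keys the account does not manage.
  - name: kms-tag-customer-managed-keys        # placeholder policy name
    resource: aws.kms-key
    filters:
      - type: value
        key: KeyManager
        value: CUSTOMER
      - type: value
        key: KeyState
        value: Enabled
      - "tag:owner": absent                     # placeholder tag key
    actions:
      - type: tag
        key: owner                              # placeholder tag key
        value: unassigned                       # placeholder tag value

  # Governance view of the keys the account does NOT manage. No mutating
  # action is attached: the point is to report on AWS-managed keys rather
  # than silently filter them out of every policy.
  - name: kms-inventory-aws-managed-keys       # placeholder policy name
    resource: aws.kms-key
    filters:
      - type: value
        key: KeyManager
        value: AWS
```

Run with `custodian run -s out policy.yml` and inspect `out/<policy-name>/resources.json`; a dry run (`--dryrun`) on the first policy is a quick way to confirm that only `CUSTOMER` keys survive the filters before the tag action is allowed to execute.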