Example request: Best practice KMS usage for vault in AWS

[queglay]

I've been looking into how to provide appropriate controls on the KMS key used to auto unseal vault. It seems like a difficult topic though, and hard to know the best route. It would be great to have some kind of example on what would be best practice. Some of my questions on the way forward were:

• Should it be restricted based on the iam profile of the instance? Perhaps not possible since that name is dynamically generated when this repo is deployed.
• Should it be restricted by the VPC? https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html#vpce-policy
• Or are there other methods to consider?

[brikis98]

As always, the answer is, "it depends," but I think the standard approach would be to attach an IAM role to whatever servers / containers are running Vault, and in your KMS key policy, to grant that IAM role (via it's static ARN) the permissions it needs.

[queglay]

Ahh of course thanks for the advice @brikis98 !