Limiting Access to KMS Keys via Secrets Manager
ACM.22 When a KMS key is only used with Secrets Manager, limit its use with a condition in your Key Policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.
🔒 Related Stories: KMS | AWS Security | Cybersecurity
💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the last post we looked at creating a role to trigger batch job deployments. Assuming this role will require credentials used together with MFA.
I explained in prior posts that I’m going to create credentials associated with a virtual MFA device and store them in AWS Secrets Manager.
For secrets stored in Secrets Manager, we can further restrict our KMS key policy so that encryption, decryption and a few related actions are only allowed when the request arrives through the Secrets Manager service (the kms:ViaService condition key), as described here:
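Here is what such a key policy looks like, as an added example rather than code from this series: a Python script that builds the policy JSON and then checks a few constructed request contexts against the condition block so you can see which calls get through. The account ID, region and sample contexts are placeholders I made up; the checker covers only the StringEquals condition of this one policy, not full IAM evaluation (identity policies, grants, SCPs and explicit denies are out of scope). Two things worth noticing: a direct `aws kms decrypt` call carries no kms:ViaService key at all, and IAM treats a missing key as a failed StringEquals test, so it is denied; and because the usage statement's principal is the account root, a caller still needs kms:Decrypt and secretsmanager:GetSecretValue in their own IAM policy.

```python
"""Build a KMS key policy whose cryptographic operations are only allowed
through Secrets Manager, and check constructed request contexts against it.

Added example, not the series' own code. ACCOUNT_ID and REGION are
placeholders. key_usable() evaluates only the StringEquals condition of the
given policy; real IAM evaluation also considers identity policies, grants,
SCPs and Deny statements.
"""
import json

ACCOUNT_ID = "111122223333"   # placeholder account ID
REGION = "us-east-1"          # region the secrets live in


def secrets_manager_only_key_policy(account_id: str, region: str) -> dict:
    """Account root keeps administrative rights, but Encrypt/Decrypt and the
    other actions Secrets Manager needs are only allowed when the request
    comes via the Secrets Manager endpoint in this region from this account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "KeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                # Administrative actions only. Deliberately no Encrypt/Decrypt
                # here: key policy statements are OR'd, so an unconditional
                # Allow for kms:Decrypt would bypass the ViaService rule.
                "Action": [
                    "kms:DescribeKey", "kms:GetKeyPolicy", "kms:PutKeyPolicy",
                    "kms:EnableKey", "kms:DisableKey", "kms:EnableKeyRotation",
                    "kms:ListGrants", "kms:RevokeGrant", "kms:TagResource",
                    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
                ],
                "Resource": "*",
            },
            {
                "Sid": "UseOnlyViaSecretsManager",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": [
                    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey",
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "kms:ViaService": f"secretsmanager.{region}.amazonaws.com",
                        "kms:CallerAccount": account_id,
                    }
                },
            },
        ],
    }


def condition_matches(statement: dict, request_context: dict) -> bool:
    """Evaluate the StringEquals block of one statement. A condition key that
    is absent from the request context makes the test false, which is how IAM
    behaves and why a direct KMS call (no kms:ViaService) never matches."""
    for key, expected in statement.get("Condition", {}).get("StringEquals", {}).items():
        if request_context.get(key) != expected:
            return False
    return True


def key_usable(policy: dict, action: str, request_context: dict) -> bool:
    """True if some Allow statement covers `action` (trailing-* wildcards are
    matched by prefix) and its condition holds for this request context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            if pattern.endswith("*"):
                matched = action.startswith(pattern[:-1])
            else:
                matched = action == pattern
            if matched and condition_matches(stmt, request_context):
                return True
    return False


# Constructed request contexts (not real CloudTrail data) for the checks below.
DIRECT_DECRYPT = {"kms:CallerAccount": ACCOUNT_ID}          # `aws kms decrypt` from the CLI
VIA_SECRETS_MANAGER = {"kms:CallerAccount": ACCOUNT_ID,
                       "kms:ViaService": f"secretsmanager.{REGION}.amazonaws.com"}
VIA_OTHER_REGION = {"kms:CallerAccount": ACCOUNT_ID,
                    "kms:ViaService": "secretsmanager.eu-west-1.amazonaws.com"}
VIA_S3 = {"kms:CallerAccount": ACCOUNT_ID,
          "kms:ViaService": f"s3.{REGION}.amazonaws.com"}
VIA_SM_OTHER_ACCOUNT = {"kms:CallerAccount": "999999999999",
                        "kms:ViaService": f"secretsmanager.{REGION}.amazonaws.com"}

if __name__ == "__main__":
    policy = secrets_manager_only_key_policy(ACCOUNT_ID, REGION)
    print(json.dumps(policy, indent=2))
    for name, ctx in [("direct kms:Decrypt", DIRECT_DECRYPT),
                      ("via Secrets Manager", VIA_SECRETS_MANAGER),
                      ("via Secrets Manager, other region", VIA_OTHER_REGION),
                      ("via S3", VIA_S3),
                      ("via Secrets Manager, other account", VIA_SM_OTHER_ACCOUNT)]:
        verdict = "allowed" if key_usable(policy, "kms:Decrypt", ctx) else "denied"
        print(f"{name:36s} -> {verdict}")
```

To apply the generated document to an existing key, save the JSON to a file and run `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json`. If your secrets are replicated to other regions, the kms:ViaService value has to list each region's Secrets Manager endpoint (StringEquals accepts a list of values), since the check is per endpoint.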