SCS-C01 Amazon AWS Certified Security Specialty – Domain 5 – Data Protection part 5

KMS Policy Evaluation Logic – Use Case 02

Hey everyone and welcome back. In today's video we will be discussing use case two, which again concerns how IAM policies and KMS key policies interact. To set this use case up, I have created a new user called kplabs and given him administrator access. From a new browser I have logged into the KMS console and modified the key policy of the CMK: I have a sample policy ready, so I'll paste it in and click on Save. If you look at the policy document, it has two statements. The first is the usual "Enable IAM User Permissions" statement, except that the principal ARN here is that of the kplabs user; the action is kms:* and the resource is *.

The second statement names the ARN of the user Alice, who is allowed to perform kms:Decrypt as well as kms:DescribeKey. So the only thing that changes compared to use case one is the CMK key policy; the IAM policy attached to Alice stays exactly the same. The question is: will Alice be able to perform the encrypt operation, and will Alice be able to perform the decrypt operation? I'll be posting the key policy after this video so you can read through it and check whether you can answer this use case yourself.

KMS Policy Evaluation Logic – Use Case Solution – 02

Hey everyone and welcome to the solution video for use case two. The answer is that Alice will not be able to perform the encrypt operation, but Alice will be able to perform the decrypt operation. That seems interesting, so let's look at why. If you look at the IAM policy attached to the user Alice, it allows kms:Encrypt, so there is no issue there. Let's write this down: the first check is the IAM policy check, and for Alice that check is a yes. However, we also have to run the CMK key policy check and see whether that is a yes or a no, so let's look at the key policy.

The key policy statement for Alice only allows Decrypt and DescribeKey, but the very same statement was present in use case one, where Alice was able to encrypt. The only thing that changed is the principal in the first statement. In use case one that ARN was the account root (the arn:aws:iam::<account-id>:root principal). Naming the account root in the key policy is what allows IAM policies in that account to grant access to the key. Instead of that account-level principal, we have now named an individual user, so the key policy no longer delegates anything to IAM. This is why, although the IAM policy check for encrypt passes, Alice still cannot encrypt: nothing in the key policy allows her to, and without the root principal in the key policy an IAM Allow on its own is not enough.

We can verify this. If I try the encrypt operation as Alice, it returns AccessDenied. If I try the decrypt operation, it completes successfully, because the key policy explicitly allows the user Alice to decrypt. Now if I change that principal back to root, click on Save, and try the encrypt operation once again, I am able to encrypt my file. So this is one important thing to remember: always look at the principal ARN in the "Enable IAM User Permissions" statement of the key policy. That's it for the solution to use case two; I hope this video has been useful for you, and I look forward to seeing you in the next video.

KMS Policy Evaluation Logic – Use Case 03

Hey everyone and welcome back. In today's video we will be discussing use case three. I have copied the policies I created into a central file: this is the IAM policy attached to the Alice user, and this is the key policy attached to the CMK. You need to answer the same question: will the user Alice be able to encrypt the file, and will she be able to decrypt it? This is a quite short video. I'll be posting this document below the video so you can refer to it and verify whether Alice will be able to do it or not.

KMS Policy Evaluation Logic – Use Case Solution – 03 (New)

Hey everyone and welcome back. In today's video we will be discussing the solution for use case three. The answer is that Alice will not be able to perform the encrypt operation, but Alice will be able to perform the decrypt operation. Let's look at this in detail. I am sure you have gone through the KMS key policy I attached. Within the key policy you have kms:Encrypt, kms:DescribeKey and kms:Decrypt for Alice, so this resource-based policy allows both the encrypt and the decrypt operation. However, if you look at Alice's IAM policy, you will see that the action there is kms:Encrypt.

Let me click on edit policy: the action is kms:Encrypt and the effect is Deny. Because of this explicit Deny, Alice will not be able to perform the encrypt operation, even though the key policy allows it; an explicit Deny in any applicable policy overrides every Allow, whether the Allow comes from the key policy or from IAM. Let's quickly verify this in the CLI. Trying the encrypt operation as the Alice user gives an AccessDeniedException whose message says there is an explicit deny, and that explicit deny comes from Alice's IAM policy. The decrypt operation, on the other hand, works perfectly, since nothing denies it and the key policy allows it. That's it for the solution to use case three. I hope this video has been informative for you, and I look forward to seeing you in the next video.
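The three use cases above all follow the same evaluation order: explicit deny first, then a key policy statement naming the caller, then delegation to IAM through the account root principal. The following model is an added example and is not part of the course material or of any AWS code; the account ID, key ARN, user ARNs and the exact policy documents are constructed to mirror the three use cases, and conditions, cross-account access and grants are deliberately left out.

```python
"""Simplified model of the AWS KMS policy evaluation logic for a same-account caller.

Rules modelled:
  1. An explicit Deny in the key policy or in the caller's IAM policy wins.
  2. A key policy Allow that names the caller's own ARN is sufficient by itself.
  3. A key policy Allow that names the account root principal (the default
     "Enable IAM User Permissions" statement) delegates to IAM: the request
     succeeds only if the caller's IAM policy also allows it.
  4. Anything else is an implicit deny.
Condition keys, cross-account access, grants and session principals are omitted.
All ARNs and policies below are constructed for this example.
"""
import fnmatch

ACCOUNT = "111122223333"                       # constructed account id
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
KPLABS = f"arn:aws:iam::{ACCOUNT}:user/kplabs"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match ("kms:*" covers "kms:Encrypt"); compared case-insensitively."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _statement_applies(stmt, action, resource, principal=None):
    """True if the statement covers the request; Principal is only checked for key policies."""
    if not _matches(stmt.get("Action", []), action):
        return False
    if not _matches(stmt.get("Resource", "*"), resource):
        return False
    if principal is not None and principal not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
        return False
    return True


def _effects(policy, action, resource, principal=None):
    return {s["Effect"] for s in policy["Statement"] if _statement_applies(s, action, resource, principal)}


def is_allowed(caller, action, key_policy, iam_policy):
    """Return (decision, reason) for `caller` (an IAM user ARN) requesting `action` on KEY_ARN."""
    key_caller = _effects(key_policy, action, KEY_ARN, principal=caller)
    key_root = _effects(key_policy, action, KEY_ARN, principal=ROOT)
    iam = _effects(iam_policy, action, KEY_ARN)

    if "Deny" in key_caller or "Deny" in iam:
        return False, "explicit deny"
    if "Allow" in key_caller:
        return True, "allowed directly by the key policy"
    if "Allow" in key_root and "Allow" in iam:
        return True, "key policy delegates to IAM and the IAM policy allows it"
    if "Allow" in iam:
        return False, "IAM policy allows it, but the key policy does not name the account root principal"
    return False, "implicit deny"


def key_policy(admin_principal, alice_actions):
    """Key policy with the usual two statements; `admin_principal` is ROOT or a user ARN."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": admin_principal}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key by alice", "Effect": "Allow",
         "Principal": {"AWS": ALICE}, "Action": alice_actions, "Resource": "*"},
    ]}


def alice_iam_policy(effect, actions):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": effect, "Action": actions, "Resource": "*"}]}


USE_CASES = {
    # Use case 1: root principal in the key policy, IAM allows Encrypt -> both operations succeed.
    "use_case_1": (key_policy(ROOT, ["kms:Decrypt", "kms:DescribeKey"]),
                   alice_iam_policy("Allow", "kms:Encrypt")),
    # Use case 2: the kplabs user replaces root -> the IAM Allow no longer counts; Decrypt still works.
    "use_case_2": (key_policy(KPLABS, ["kms:Decrypt", "kms:DescribeKey"]),
                   alice_iam_policy("Allow", "kms:Encrypt")),
    # Use case 3: key policy allows Encrypt and Decrypt, IAM explicitly denies Encrypt.
    "use_case_3": (key_policy(ROOT, ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"]),
                   alice_iam_policy("Deny", "kms:Encrypt")),
}


def evaluate_use_cases():
    """Map each use case to {"Encrypt": bool, "Decrypt": bool} for Alice."""
    return {name: {op: is_allowed(ALICE, f"kms:{op}", kp, ip)[0] for op in ("Encrypt", "Decrypt")}
            for name, (kp, ip) in USE_CASES.items()}


if __name__ == "__main__":
    for name, (kp, ip) in USE_CASES.items():
        for op in ("Encrypt", "Decrypt"):
            allowed, reason = is_allowed(ALICE, f"kms:{op}", kp, ip)
            print(f"{name} kms:{op}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The reason string returned by `is_allowed` is the part worth reading when a real request fails: "IAM policy allows it, but the key policy does not name the account root principal" is exactly the use case two situation, and it is indistinguishable from a plain missing permission in the AccessDenied response you get back from KMS.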

KMS Grants

Hey everyone and welcome back. In today's video we'll be discussing KMS grants. This topic is fairly important for the certification exam, so make sure you understand how KMS grants work. Typically in AWS there are two types of policies that you will be working with: IAM policies and resource policies. In KMS, whenever we create a CMK, a default key policy is attached to it, and that key policy is the resource policy of the key. It is important to understand the different ways of managing access to a KMS customer master key. There are three ways in which you can manage that access.

One is using the key policy alone; the second is using IAM policies in combination with the key policy; and the third is KMS grants. In today's video we are interested in how to manage access to a CMK with the help of a grant. Before we go ahead with the practical, let's understand the basic grant terminology. There are two entities involved: the grant user and the grantee. The grant user is the principal who already has access to the CMK (specifically the kms:CreateGrant permission) and who creates the grant. The grantee is the principal who uses the grant created by the grant user. So what exactly is a grant? A grant is a permission record attached to the key that allows the grantee to perform specific operations on it, and creating one also returns a grant token.

So when the grant user creates a grant, KMS returns a grant token, and the grantee can pass that token with its requests to perform the operations the grant allows on that specific CMK. The grant carries a specific set of permissions: it can allow encryption, decryption, and so on. In other words, whenever the grant user creates a grant, he has to specify which operations it allows, whether Encrypt, Decrypt or any other. One caveat worth knowing: it is the grant, not the token, that authorizes the grantee. Grants are eventually consistent, so the token exists to let the grantee use a freshly created grant immediately, before it has propagated; once the grant has propagated, the grantee can call KMS without the token at all, and the token never lets anyone other than the named grantee principal use the key. So let's jump into the practical, because that is the easiest way to understand this process.

So I'm in my KMS console. Let's go ahead and create a new key; I'll call this key kplabs. Before we complete the process, let's create two users. If you remember from the grant terminology, there will be two users: one will create the grant, which returns the token, and the second will use that token to perform an encrypt or a decrypt operation. So let's go to IAM and add a new user, which I'll call grant user, with programmatic access. You now have the access key and secret key that were generated. Let's feed these into our CLI. I'm in my CLI; let's open the AWS credentials file, which holds the credentials we have been using in our other videos.

I'll create a new profile for the grant user and put the access key ID and the secret access key in it. So let's go back to the console, copy the access key and paste it here, and do the same with the secret key. Great, so that is the profile for the grant user. Now we also have to create one more user, which we'll call grantee, and again put its access and secret key in the CLI. Let's go back, add one more user called grantee, and copy its access key and secret key into a second profile. Now we have both sets of credentials configured, so we can save our changes. Once this is done, let's go back to the KMS console.

We'll create the key with the name kplabs. Under key administrators, we'll make the grant user a key administrator. Note that the grantee does not get any permission over the key. Let's click next and finish. Our CMK is now created. If you open the CMK, as expected the grant user is listed as an administrator, and under key users there is nobody with permission over this CMK. What a KMS grant allows us to do is this: the grant user, who has access to the CMK, creates a grant, and the grantee can then use that grant to perform certain operations on the CMK. The reason the grant user can do this is that the default key policy's key administrator statement includes kms:Create* and kms:Revoke*, so a key administrator can create and revoke grants even though administrators cannot use the key for cryptographic operations themselves.

So let's look at how that works. For simplicity and for documentation purposes, I have written down all the CLI commands we'll be using in today's lab; I'll post this after the video so you can follow along. The first step is to create the grant. Who can create the grant? The user who already has access to the CMK. Let's go to the CLI and run aws kms create-grant. We have to specify --key-id, which is the ARN of our CMK. Once I have copied that in, you have to give --grantee-principal, which is the ARN of the grantee user.

So let's go back to the IAM console, open the grantee user, copy the ARN and specify it. The last thing to specify is --operations: it can be Encrypt, Decrypt or others. Once that is done, let's specify --profile, because we want to use the grant user's access and secret key. The region is not configured, so let's specify --region us-east-1. In the output of this command you get two fields: GrantToken and GrantId. Both are important. Let's copy the entire output into my notepad for rough work. This is the grant token, and this is what the grant looks like.

Now the grantee user, who does not have any access over the CMK, can use this grant token to perform the operations that were allowed. In our case we specified that only the Encrypt operation is allowed, so the grantee will only be able to encrypt through this grant. Now the second step, which is pretty simple: aws kms encrypt with --plaintext set to "hello world", --key-id, and --grant-tokens followed by the token that was returned. We run this with the grantee's profile and --region us-east-1.

You see that "hello world" has been encrypted, and this is the CiphertextBlob. The last thing we look at in today's practical is revoking the grant. This grant, which the grantee has just used, can be revoked with the CLI command aws kms revoke-grant, which takes --key-id and --grant-id. The grant ID is returned whenever you create a grant; you can see it in the earlier output. Let's try it: aws kms revoke-grant, specify the key ID, then --grant-id with the ID copied from the create-grant output. So now we are revoking the grant.

This needs to be done with the grant user's profile, and the region is us-east-1. The grant has been revoked. If you want to try it out, run the encrypt command again from the grantee's profile with the earlier token; this time you get an AccessDeniedException, because the grant behind that token no longer exists. With this I hope you understood what a grant user is and what a grantee is: the grant user creates the grant (and receives the grant token), and the grantee is the principal who uses it. That's the high-level overview of KMS grants. I hope this video has been informative for you, and I look forward to seeing you in the next video.
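The lab above exercises the full grant lifecycle: create-grant by a key administrator, encrypt by the grantee with the grant token, and revoke-grant followed by a failed retry. The model below replays that lifecycle offline as an added example; it is not the course's CLI script or AWS code, and it fills in one thing the lab cannot show at CLI speed, namely that the grant token only matters until the grant has propagated. The account ID, key ARN and the grant-user and grantee ARNs are constructed, and key policy / IAM evaluation and grant constraints (encryption context) are left out so that only the grant path is visible.

```python
"""Simplified model of AWS KMS grants and the grant-token mechanism.

Modelled from the documented behaviour:
  * A principal with kms:CreateGrant on the key (here a key administrator, who has
    kms:Create* under the default key policy) creates a grant naming a grantee
    principal and a fixed set of operations; CreateGrant returns a GrantId and a GrantToken.
  * Grants are eventually consistent. Until a grant has propagated, the grantee's
    request succeeds only if it carries the grant token; afterwards the grant
    authorizes the grantee on its own and no token is needed.
  * RevokeGrant (kms:Revoke*) removes the grant at once; its token becomes useless.
Key policy / IAM evaluation and grant constraints are omitted. ARNs are constructed.
"""
import secrets
from dataclasses import dataclass, field

ACCOUNT = "111122223333"                                  # constructed account id
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
GRANT_USER = f"arn:aws:iam::{ACCOUNT}:user/grant-user"    # key administrator
GRANTEE = f"arn:aws:iam::{ACCOUNT}:user/grantee"          # no permissions on the key itself


class KmsError(Exception):
    """Stands in for the AccessDeniedException / NotFoundException the service returns."""


@dataclass
class Grant:
    grant_id: str
    token: str
    grantee: str
    operations: frozenset
    propagated: bool = False        # False until KMS has replicated the grant everywhere


@dataclass
class KmsKey:
    arn: str
    administrators: frozenset       # principals holding kms:Create* / kms:Revoke* on this key
    grants: dict = field(default_factory=dict)

    def create_grant(self, caller, grantee_principal, operations):
        if caller not in self.administrators:
            raise KmsError("AccessDeniedException: kms:CreateGrant")
        grant = Grant(secrets.token_hex(32), secrets.token_urlsafe(64),
                      grantee_principal, frozenset(operations))
        self.grants[grant.grant_id] = grant
        return {"GrantId": grant.grant_id, "GrantToken": grant.token}

    def propagate(self):
        """Simulate eventual consistency catching up."""
        for grant in self.grants.values():
            grant.propagated = True

    def revoke_grant(self, caller, grant_id):
        if caller not in self.administrators:
            raise KmsError("AccessDeniedException: kms:RevokeGrant")
        if self.grants.pop(grant_id, None) is None:
            raise KmsError("NotFoundException: grant not found")

    def use(self, caller, operation, grant_tokens=()):
        """Authorize a cryptographic operation through grants only (no key policy / IAM path)."""
        for grant in self.grants.values():
            if grant.grantee == caller and operation in grant.operations:
                if grant.propagated or grant.token in grant_tokens:
                    return True
        raise KmsError(f"AccessDeniedException: {caller} is not authorized to perform kms:{operation}")


def _attempt(fn, *args):
    """Run a KMS call and report success as a bool instead of raising."""
    try:
        fn(*args)
        return True
    except KmsError:
        return False


def walkthrough():
    """Replay the lab: create a grant for Encrypt, use it, revoke it. Returns each step's outcome."""
    key = KmsKey(KEY_ARN, frozenset({GRANT_USER}))
    out = {"grantee_encrypt_before_grant": _attempt(key.use, GRANTEE, "Encrypt")}
    grant = key.create_grant(GRANT_USER, GRANTEE, ["Encrypt"])
    token = [grant["GrantToken"]]
    out["encrypt_with_token"] = _attempt(key.use, GRANTEE, "Encrypt", token)       # works right away
    out["encrypt_without_token_unpropagated"] = _attempt(key.use, GRANTEE, "Encrypt")
    out["decrypt_with_token"] = _attempt(key.use, GRANTEE, "Decrypt", token)       # not in the grant
    out["grantee_cannot_create_grant"] = _attempt(key.create_grant, GRANTEE, GRANTEE, ["Decrypt"])
    key.propagate()
    out["encrypt_without_token_propagated"] = _attempt(key.use, GRANTEE, "Encrypt")
    out["grantee_cannot_revoke"] = _attempt(key.revoke_grant, GRANTEE, grant["GrantId"])
    key.revoke_grant(GRANT_USER, grant["GrantId"])
    out["encrypt_with_token_after_revoke"] = _attempt(key.use, GRANTEE, "Encrypt", token)
    return out


if __name__ == "__main__":
    for step, ok in walkthrough().items():
        print(f"{step}: {'success' if ok else 'AccessDenied'}")
```

Two outcomes in `walkthrough` are the ones to remember for the exam and for reviews of real deployments: `encrypt_without_token_propagated` is True, so a grant stays usable by the grantee long after the token has been thrown away, and `encrypt_with_token_after_revoke` is False, so revoking (or retiring) the grant, not discarding the token, is what actually removes access.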

 
