Understanding Key Policy Evaluation Process

Tags: aws, aws kms, aws security | Jan 29, 2024

Introduction

This blog post aims to demystify the key policy evaluation process and explain the roles of Service Control Policies (SCP), Identity and Access Management (IAM) policies, VPC endpoint policies, Key policies, and Key grants in a simple and digestible manner.

The Basics of Policy Evaluation

When an AWS service receives a request, it evaluates various policies attached to the resource and the principal (user or role) making the request. This evaluation determines whether to allow or deny the request based on defined permissions. The evaluation process follows a specific order and considers different types of policies.

Order of evaluation

1. Service Control Policies (SCP)

SCPs are the first line of defence and are evaluated at the beginning of the policy evaluation process. If an SCP denies a request, no further evaluation takes place.

2. Identity and Access Management (IAM) Policy

If an SCP allows an action but an IAM policy denies it, the request is denied. If both the SCP and the IAM policy allow the action, evaluation moves on to the next step.

3. VPC Endpoint Policies

VPC endpoint policies apply when a request reaches an AWS service through a VPC endpoint. They are especially relevant for restricting access to services from within a VPC, where traffic to the service does not traverse the public internet.

4. Key Policy

A Key policy defines who can use the key and for what actions. When a request involves encrypted data, the Key policy is evaluated to ensure the requester has the necessary permissions to use the key.

5. Key Grants

Key grants are useful for scenarios where temporary access is needed, and are evaluated after the Key policy.

Cross-Account Access

Cross-account access involves allowing principals (users or roles) in one AWS account to access resources in another. This is common in organizations with multiple AWS accounts. For cross-account access to work, the resource-based policy (e.g., S3 bucket policy, Key policy) in the account owning the resource must explicitly allow access from principals in the other account. Additionally, the principal's IAM policy in the accessing account must allow the action on the resource.
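To make the evaluation order above and the cross-account rule concrete, here is a small simulator written for this post (it is an added example, not code from the original post or from AWS). It models the five layers as lists of policy statements, stops at the first explicit Deny, and then requires the key policy or a grant to allow the action; the account IDs, key ARN and role ARN are constructed placeholders, and the model simplifies AWS by always requiring an IAM allow (as in the cross-account case) while letting SCP and VPC endpoint layers restrict only when present.

```python
from fnmatch import fnmatch

# Evaluation order from the post; an explicit Deny in any layer ends evaluation.
ORDER = ("scp", "iam", "vpce", "key_policy", "grants")

def _matches(stmt, principal, action, resource):
    """Identity policies (SCP, IAM) carry no Principal; an account ':root' principal
    in a key policy stands for every principal of that account."""
    acct = lambda arn: arn.split(":")[4]
    p_ok = any(p in ("*", principal) or (p.endswith(":root") and acct(p) == acct(principal))
               for p in stmt.get("Principal", ["*"]))
    return (p_ok and any(fnmatch(action, a) for a in stmt["Action"])
            and any(fnmatch(resource, r) for r in stmt["Resource"]))

def _layer(statements, principal, action, resource):
    effects = {s["Effect"] for s in statements if _matches(s, principal, action, resource)}
    return "Deny" if "Deny" in effects else ("Allow" if "Allow" in effects else None)

def evaluate(layers, principal, action, resource):
    """layers maps names from ORDER to statement lists (grants modelled as Allow
    statements). Simplifications: an IAM allow is always required, as in the
    cross-account case; SCP and VPC endpoint layers restrict only when present."""
    seen = {}
    for name in ORDER:
        seen[name] = _layer(layers.get(name, []), principal, action, resource)
        if seen[name] == "Deny":
            return "Deny", f"explicit deny in {name}"
    for name in ("scp", "iam", "vpce"):
        if (name == "iam" or layers.get(name)) and seen[name] != "Allow":
            return "Deny", f"no matching allow in {name}"
    if "Allow" in (seen["key_policy"], seen["grants"]):
        return "Allow", "allowed by key policy or grant"
    return "Deny", "neither the key policy nor a grant allows the action"

# Constructed scenario: key owned by account 111..., caller role in account 222....
KEY_ARN = "arn:aws:kms:eu-west-1:111111111111:key/11111111-2222-3333-4444-555555555555"
ROLE_ARN = "arn:aws:iam::222222222222:role/app-decrypt"
KEY_POLICY = [{"Effect": "Allow", "Principal": ["arn:aws:iam::111111111111:root"],
               "Action": ["kms:*"], "Resource": ["*"]},
              {"Effect": "Allow", "Principal": ["arn:aws:iam::222222222222:root"],
               "Action": ["kms:Decrypt"], "Resource": ["*"]}]
IAM_POLICY = [{"Effect": "Allow", "Action": ["kms:Decrypt", "kms:Encrypt"], "Resource": [KEY_ARN]}]
SCP = [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
       {"Effect": "Deny", "Action": ["kms:ScheduleKeyDeletion"], "Resource": ["*"]}]

def decide(action, iam=IAM_POLICY, grants=()):
    """Cross-account call: the key policy in 111... and the IAM policy in 222... must both allow."""
    return evaluate({"scp": SCP, "iam": iam, "key_policy": KEY_POLICY,
                     "grants": list(grants)}, ROLE_ARN, action, KEY_ARN)
```

`decide("kms:Decrypt")` is allowed because both the key policy and the caller's IAM policy permit it; `decide("kms:Encrypt")` is denied because the key policy grants the other account only Decrypt, unless a grant for Encrypt is passed in; `decide("kms:ScheduleKeyDeletion")` stops at the SCP's explicit deny.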

Conclusion

Understanding how the different policies interact and are evaluated in AWS helps us manage access and security across our AWS environments. By knowing the role and evaluation order of SCPs, IAM policies, VPC endpoint policies, Key policies, and Key grants, we can design a robust and secure multi-account AWS architecture that precisely controls who can access which resources and under what conditions.
