About boundary AWS kms policy

According to the description of this document, do I only need these three actions in AWS kms? Is it necessary to have the permission of "KMS: GenerateDataKey "?

Hi Liu,

Yes, these are the correct IAM permissions for Vault, be sure to reference the key ARNs in the resource section of the IAM policy you create. All of the creation/generation of the keys in KMS can be done by an administrator, Vault only needs to use the keys.

I hope that helps!

Thank you :grinning:. I did such an experiment:
use the key ID ‘A’ of AWS KMS as the root kms to initialize the Postgres database. It is reasonable that only the boundary server started by ‘A’ as the root kms can complete the login authentication of the generated global, but I can also complete the login authentication of the generated global with the key ID ‘B’ of AWS KMS. Why?
Looking forward to your reply, thank you

Well, I found the problem. This is because AWS kms will find the key ID of “A” AWS KMS in the ciphertext during decryption.This gave me the illusion that “B” AWS kms could also be decrypted.

1 Like