Saturday, August 13, 2022

Cannot Create Secrets Manager Secret with KMS key without DECRYPT permissions | by Teri Radichel | Bugs That Bite | Aug, 2022


Should be able to have a role with encrypt only permissions put a secret in Secrets Manager

Please tell me this is a bug.

I created a role with encrypt only permissions. I'm using that role to run this script, which stores a value in Secrets Manager only. This role will not be the same role that retrieves the secret later, so it shouldn't need decrypt permissions.

Once again I'm getting an ambiguous KMS error:

Access to KMS is not allowed

This error message is wrong because I've checked and the role does have KMS permissions. In addition, that role has permission to ENCRYPT a value with the key.

So I go over to CloudTrail and I find two related errors:

Secrets Manager via CloudFormation provides this unhelpful information:

The KMS error says:

Why would this role need DECRYPT permission to create a secret and encrypt it in KMS?

I don't WANT this role to have decrypt permissions, only encrypt permissions.

Also, where is the ENCRYPT action in the logs? There's nothing that could even be decrypted at this point because the value hasn't even been encrypted.

I had this working before. Not sure if I changed something or something at AWS changed, but I don't see how the above template should ever trigger the decrypt action.

In any case, I added the ability for the user running the above to encrypt and the script works. This really needs to be fixed. It's like not being able to give only read OR write access to a directory.
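The two checks a practitioner would run when hitting this, as an added example that is not part of the post and not Teri Radichel's code: first, pull the KMS calls CloudTrail recorded as denied for the role; second, lint the role's identity policy against the KMS actions Secrets Manager actually makes on the caller's behalf. The action list assumes what AWS documents in "How Secrets Manager uses AWS KMS": when a secret is created or its value changed under a customer managed key, the service calls kms:GenerateDataKey (not kms:Encrypt, which is why no Encrypt event appears in the trail) and kms:Decrypt to confirm it can use the key. The post does not name those actions; they are stated here from the AWS documentation. The account, key and role ARNs, the policy and the CloudTrail records are all constructed sample values.

```python
import copy
import fnmatch

# KMS actions Secrets Manager calls for CreateSecret / PutSecretValue with a
# customer managed key (AWS docs, "How Secrets Manager uses AWS KMS").
CREATE_SECRET_KMS_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")

# Constructed sample ARNs (not from the post).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
ROLE_ARN = "arn:aws:iam::111122223333:role/example-secret-writer"

# Constructed "encrypt only" identity policy modelled on the role the post describes.
ENCRYPT_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
        "Resource": KEY_ARN,
    }],
}


def _event(source, name, error=None, message=None):
    """Build a constructed CloudTrail-shaped record issued by ROLE_ARN."""
    rec = {"eventSource": source, "eventName": name,
           "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}}}
    if error:
        rec["errorCode"], rec["errorMessage"] = error, message
    return rec


# Constructed records shaped like the two errors the post found in CloudTrail.
CLOUDTRAIL_EVENTS = [
    _event("kms.amazonaws.com", "GenerateDataKey"),
    _event("kms.amazonaws.com", "Decrypt", "AccessDenied",
           "not authorized to perform: kms:Decrypt (constructed message)"),
    _event("secretsmanager.amazonaws.com", "CreateSecret", "AccessDeniedException",
           "Access to KMS is not allowed"),
]


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource):
    """Minimal identity-policy evaluator: an explicit Deny wins, otherwise any
    matching Allow grants the call. Supports the IAM '*' and '?' wildcards with
    case-insensitive action names. Ignores Condition, NotAction, NotResource,
    the key policy, SCPs and permission boundaries: a first-pass lint, not a
    replacement for the IAM policy simulator."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        action_ok = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                        for pat in _as_list(stmt.get("Action")))
        resource_ok = any(fnmatch.fnmatchcase(resource, pat)
                          for pat in _as_list(stmt.get("Resource")))
        if not (action_ok and resource_ok):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_kms_actions(policy, key_arn):
    """KMS actions Secrets Manager needs on the key that the policy does not grant."""
    return [a for a in CREATE_SECRET_KMS_ACTIONS if not policy_allows(policy, a, key_arn)]


def denied_kms_actions(events):
    """(eventName, issuing role ARN) for each KMS call CloudTrail shows as AccessDenied."""
    denied = []
    for ev in events:
        if ev.get("eventSource") == "kms.amazonaws.com" and ev.get("errorCode") == "AccessDenied":
            issuer = ev.get("userIdentity", {}).get("sessionContext", {}) \
                       .get("sessionIssuer", {}).get("arn")
            denied.append((ev["eventName"], issuer))
    return denied


def with_decrypt(policy, key_arn):
    """Copy of the policy with kms:Decrypt added on the key, the change that made the script work."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = _as_list(fixed.get("Statement")) + [
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn}]
    return fixed


if __name__ == "__main__":
    print("KMS calls denied in CloudTrail:", denied_kms_actions(CLOUDTRAIL_EVENTS))
    print("Actions the encrypt-only role lacks:", missing_kms_actions(ENCRYPT_ONLY_POLICY, KEY_ARN))
    print("After adding kms:Decrypt:",
          missing_kms_actions(with_decrypt(ENCRYPT_ONLY_POLICY, KEY_ARN), KEY_ARN))
```

Run against a real trail, `denied_kms_actions` answers the question the ambiguous "Access to KMS is not allowed" message hides (which KMS operation, issued by which role, was refused), and `missing_kms_actions` tells you before deployment whether a write-only role will fail the Decrypt call. Keeping the decrypt grant scoped to the single key ARN, as `with_decrypt` does, limits what the writer role can read to data keys wrapped by that key, which is the narrowest grant the documented behaviour allows.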

Teri Radichel

If you liked this story please clap and follow:

Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Request services via LinkedIn: Teri Radichel or IANS Research

© 2nd Sight Lab 2022

____________________________________________

Author:

Cybersecurity for Executives in the Age of Cloud on Amazon

Need Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts
