Trying to grant an organizational unit access to a KMS key
Right now I’m trying to give an organizational unit access to a KMS key. I’ve followed a number of different sources of documentation and this is the error I get:
null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: 51440912-11e7-4d72-8543-a5ffafe2e477; Proxy: null)
The problem was that I didn’t have the brackets [ ] in the exact right place in the JSON hierarchy.
"Condition":{
    "ForAnyValue:StringLike":{
        "aws:PrincipalOrgPaths":[
            "o-1122334455/r-abcd/ou-1/",
            "o-1122334455/r-abcd/ou-2/"
        ]
    }
}
Whatever code is processing the request to access the key is expecting an array of values in [] like [a, b, c], not a single value “a” without brackets or a list like this “a”, “b” with no brackets.
The code is expecting one nested condition “aws:PrincipalOrgPaths” for the StringLike condition, not an array [ “aws:PrincipalOrgPaths”, “x”, “y”].
I had the [ and ] around aws:PrincipalOrgPaths instead of where it is around the two organizations here.
Code is picky!
Fix: It would be nicer if the KMS policy editor caught this error before saving in its validation routine.
I also found it helpful to use the asterisk in the org path like this, where the first value is the organization ID and the last value is the OU ID, both of which are found in the AWS Organizations section of the AWS portal.
"Condition":{
    "ForAnyValue:StringLike":{
        "aws:PrincipalOrgPaths":[
            "o-1122334455/*/ou-1/",
            "o-1122334455/*/ou-2/"
        ]
    }
}
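A pre-save check of the kind wished for above, as an added example (not code from the original post or from AWS). The names lint_org_path_conditions, sample and ORG_PATH are hypothetical, the statement fields around the Condition are constructed, and the path pattern is a heuristic taken from the two snippets on this page. It goes slightly beyond the post by also flagging a missing ForAnyValue/ForAllValues set operator, which a multivalued key such as aws:PrincipalOrgPaths needs.

```python
import json
import re

# Heuristic path shape based on the examples on this page (an assumption, not an AWS grammar).
ORG_PATH = re.compile(r"^o-[a-z0-9]+(/(\*|r-[a-z0-9]+|ou-[a-z0-9-]+))+/?$")

def lint_org_path_conditions(policy_text):
    """Return a list of problems with aws:PrincipalOrgPaths conditions in a policy."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    statements = policy.get("Statement", []) if isinstance(policy, dict) else []
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    problems = []
    for i, stmt in enumerate(statements):
        for operator, keys in stmt.get("Condition", {}).items():
            where = f"Statement[{i}].Condition.{operator}"
            if not isinstance(keys, dict):
                # The mistake described above: [ ] wrapped around the condition key.
                problems.append(f"{where}: expected an object keyed by condition key, "
                                f"got {type(keys).__name__}")
                continue
            for key, values in keys.items():
                if key.lower() != "aws:principalorgpaths":
                    continue
                if not operator.lower().startswith(("foranyvalue:", "forallvalues:")):
                    problems.append(f"{where}: multivalued key needs a set operator")
                if isinstance(values, str):  # a bare string counts as one value
                    values = [values]
                if not isinstance(values, list):
                    problems.append(f"{where}.{key}: values must be an array of strings")
                    continue
                for value in values:
                    if not isinstance(value, str) or not ORG_PATH.match(value):
                        problems.append(f"{where}.{key}: unexpected path {value!r}")
    return problems

# Constructed sample policies; the IDs are the placeholder values used on this page.
def sample(condition_json):
    return ('{"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, '
            '"Action": "kms:Decrypt", "Resource": "*", "Condition": ' + condition_json + '}]}')

PATHS = '"o-1122334455/r-abcd/ou-1/", "o-1122334455/*/ou-2/"'
GOOD = sample('{"ForAnyValue:StringLike": {"aws:PrincipalOrgPaths": [' + PATHS + ']}}')
BAD_SHAPE = sample('{"ForAnyValue:StringLike": ["aws:PrincipalOrgPaths", ' + PATHS + ']}')
BAD_JSON = sample('{"ForAnyValue:StringLike": {"aws:PrincipalOrgPaths": ' + PATHS + '}}')
```

Calling lint_org_path_conditions on GOOD returns an empty list; BAD_SHAPE and BAD_JSON each return one finding that points at the misplaced brackets.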
Teri Radichel — Follow me @teriradichel on Twitter
© 2nd Sight Lab 2022