Question:
I am trying to create an AWS KMS key policy and have been plagued trying to get CloudFormation to accept it. Everything I have been able to find and read says this policy should be valid and the syntax is correct, as it runs, but it returns MalformedPolicyDocumentException null (Service: AWSKMS; Status Code: 400;
Has anyone else run into this? If so, any thoughts or suggestions on how I can resolve the errors? I've been stuck banging my head on this one; I can't see what I'm missing, and my google-fu is failing me.
Code Snippet:
SnowflakeProdKMS:
  Type: AWS::KMS::Key
  Properties:
    Description: KMS key used by Snowflake to encrypt/decrypt data stored in s3
    Enabled: True
    EnableKeyRotation: False
    KeyPolicy:
      Version: 2012-10-17
      Id: key-default-1
      Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
            - kms:*
          Resource: '*'
        - Sid: Enable AWSAdminRole to have full permissions to KMS key
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:/role/AWSAdminRole
          Action: kms:*
          Resource: '*'
        - Sid: Allow use of the key by other roles
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/AWSAdminRole
              # - !Sub arn:aws:iam::${AWS::AccountId}:role/SnowflakeAccessRole
          Action:
            - kms:Encrypt
            - kms:Decrypt
            - kms:ReEncrypt
            - kms:GenerateDataKey
            - kms:DescribeKey
          Resource: '*'
        - Sid: Allow attachment of persistent resources
          Effect: Allow
          Principal:
            AWS:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/AWSAdminRole
              # - !Sub arn:aws:iam::${AWS::AccountId}:role/SnowflakeAccessRole
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
            - kms:CreateGrant
            - kms:ListGrants
            - kms:RevokeGrant
          Resource: '*'
          Condition:
            Bool:
              - kms:GrantIsForAWSResource: 'true'
Answer:
After much trial and error and reaching out to other partners I found the solution for the above issue.
The Condition in the snippet above was incorrect and should have been formatted as follows:
Condition:
  Bool:
    "kms:GrantIsForAWSResource": true
Once changed to this the policy went in without issue.
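The structural rule behind the fix is that a policy Condition is a mapping of operator to a mapping of condition key to value; the question's YAML put a list under Bool, which CloudFormation serialises as a JSON array and KMS rejects as malformed. The script below is an added example, not code from the question or the answer: it models the key policy as the JSON document KMS actually receives (with a placeholder account id standing in for ${AWS::AccountId}) and lints the three things in the posted snippet that KMS can refuse: the list-shaped Condition, the principal ARN in the second statement, which has a stray "/" between the account id and "role", and the action kms:ReEncrypt, which is not a real action (the real ones are kms:ReEncryptFrom and kms:ReEncryptTo, so policies normally write kms:ReEncrypt*). The set of known actions and the ARN pattern are assumptions scoped to this policy, not a full KMS action list.

```python
"""Structural lint for a KMS key policy (added example, not from the original post).

Works on the JSON that CloudFormation hands to KMS after the YAML is parsed and
!Sub is resolved. ACCOUNT_ID is a placeholder for ${AWS::AccountId}; the role
names are the ones used in the question.
"""
import fnmatch
import json
import re

ACCOUNT_ID = "123456789012"  # placeholder for ${AWS::AccountId}

# IAM principal ARNs accepted in a key policy: arn:aws:iam::<12 digits>:root,
# ...:user/<name> or ...:role/<name>. There is no "/" between the account id
# and "role"; the question's second statement has one, which this rejects.
IAM_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::\d{12}:(root|(?:user|role)/[\w+=,.@/-]+)$")

# Assumption: only the actions this policy needs, not the full KMS action list.
# kms:ReEncrypt by itself is not an action, hence the kms:ReEncrypt* wildcard.
KNOWN_KMS_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:DescribeKey",
    "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant",
}


def _as_list(value):
    """Policy grammar lets most fields be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def condition_errors(statement):
    """Condition must be {operator: {condition-key: value}}; a list under an operator is malformed."""
    sid = statement.get("Sid", "<no Sid>")
    cond = statement.get("Condition")
    if cond is None:
        return []
    if not isinstance(cond, dict):
        return [f"{sid}: Condition must be a mapping, got {type(cond).__name__}"]
    return [
        f"{sid}: Condition operator {op!r} must map condition keys to values, got {type(block).__name__}"
        for op, block in cond.items() if not isinstance(block, dict)
    ]


def principal_errors(statement):
    """Every AWS principal must be a well-formed IAM ARN (or '*')."""
    sid = statement.get("Sid", "<no Sid>")
    principal = statement.get("Principal", {})
    if principal == "*":
        return []
    return [
        f"{sid}: malformed principal ARN {arn_str!r}"
        for arn_str in _as_list(principal.get("AWS", []))
        if arn_str != "*" and not IAM_PRINCIPAL_RE.match(arn_str)
    ]


def action_errors(statement):
    """Each action pattern, after wildcard expansion, must name at least one known action."""
    sid = statement.get("Sid", "<no Sid>")
    return [
        f"{sid}: {pattern!r} matches no known kms action"
        for pattern in _as_list(statement.get("Action", []))
        if not any(fnmatch.fnmatchcase(a, pattern) for a in KNOWN_KMS_ACTIONS)
    ]


def lint_key_policy(policy):
    """Return every problem found; an empty list means the document shape is sound."""
    errors = []
    for statement in policy["Statement"]:
        errors += condition_errors(statement) + principal_errors(statement) + action_errors(statement)
    return errors


def arn(suffix):
    return f"arn:aws:iam::{ACCOUNT_ID}:{suffix}"


# The grant statement exactly as the question wrote it: a list under Bool.
BROKEN_GRANT_STATEMENT = {
    "Sid": "Allow attachment of persistent resources",
    "Effect": "Allow",
    "Principal": {"AWS": [arn("role/AWSAdminRole"), arn("root")]},
    "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
    "Resource": "*",
    "Condition": {"Bool": [{"kms:GrantIsForAWSResource": "true"}]},
}

# The policy with the answer's Condition fix applied, plus the ARN and ReEncrypt* corrections.
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": [arn("root")]}, "Action": ["kms:*"], "Resource": "*"},
        {"Sid": "Enable AWSAdminRole to have full permissions to KMS key", "Effect": "Allow",
         "Principal": {"AWS": [arn("role/AWSAdminRole")]}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key by other roles", "Effect": "Allow",
         "Principal": {"AWS": [arn("role/AWSAdminRole")]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey", "kms:DescribeKey"],
         "Resource": "*"},
        {**BROKEN_GRANT_STATEMENT, "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}


def render(policy):
    """JSON as KMS sees it; usable directly with `aws kms put-key-policy --policy file://...`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(lint_key_policy({"Version": "2012-10-17", "Statement": [BROKEN_GRANT_STATEMENT]}))
    print(lint_key_policy(CORRECTED_POLICY))  # [] once all three issues are fixed
    print(render(CORRECTED_POLICY))
```

Running the lint against the posted grant statement reports the Bool operator carrying a list; the corrected policy comes back clean and can be rendered to JSON and fed to `aws kms put-key-policy` (or `aws kms create-key --policy`) to confirm KMS accepts it before wiring it back into the template.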