AWS IAM Identity Center now supports customer-managed KMS keys for encryption at rest | Amazon Web Services

Starting today, you can use your own AWS Key Management Service (AWS KMS) keys to encrypt identity data, such as user and group attributes, stored in your organization’s AWS IAM Identity Center instances.

Many organizations operating in regulated industries need full control over encryption key management. While Identity Center already encrypts data at rest using AWS-owned keys, some customers require the ability to manage their own encryption keys for auditing and compliance purposes.

With this launch, you can now use KMS Customer Managed Keys (CMKs) to encrypt Identity Center identity data at rest. CMKs give you full control over the key lifecycle, including creation, rotation, and deletion. Using AWS Key Management Service (AWS KMS) key policies and IAM policies, you can configure fine-grained key access control, helping to ensure that only authorized parties have access to your encrypted data. At launch time, the CMK must reside in the same AWS account and region as your IAM Identity Center instance. Integration between Identity Center and KMS provides detailed AWS CloudTrail logs to audit key usage and help meet compliance requirements.

Identity Center supports both single-Region and multi-Region keys to meet your deployment needs. While Identity Center instances can currently only be deployed in one Region, we recommend using multi-Region keys unless company policy restricts you to single-Region keys. Multi-Region keys provide consistent key material across Regions while maintaining an independent key infrastructure in each Region. This gives you more flexibility in your encryption strategy and helps secure future deployments.

Let’s get started
Let’s say I want to use the CMK to encrypt the identity data of my Identity Center organization instance. My organization uses Identity Center to give employees access to AWS-managed applications such as Amazon Q Business or Amazon Athena.

At launch, some AWS managed applications cannot be used with an Identity Center instance configured with a customer managed KMS key. See AWS managed applications that you can use with IAM Identity Center to stay updated on the evolving list of compatible applications.

The high-level process requires first creating a customer managed symmetric key (CMK) in AWS KMS. The key must be configured for encryption and decryption operations. Next, I configure key policies to grant access to Identity Center, AWS managed applications, administrators, and other principals who need access to the Identity Center and Identity Store APIs. Depending on how you use Identity Center, you will need to define different policy statements for the key and IAM policies for the IAM principals. The service documentation contains additional details to help you cover the most common use cases.

This demo consists of three parts. First, I create a customer-managed key in AWS KMS and configure it with permissions that will authorize Identity Center and AWS managed applications to use it. Second, I update the IAM policy for principals who will be using a key from another AWS account, such as AWS application administrators. Finally, I configure Identity Center to use the key.

Part 1: Create a key and define permissions

First, create a new CMK in AWS KMS.

AWS KMS Key to Build Part 1

The key must be in the same AWS Region and AWS account as the Identity Center instance. You must create both the Identity Center instance and the key in your AWS Organizations management account.

I go to the AWS Key Management Service (AWS KMS) console in the same region as my Identity Center instance, then select Create a key. This will launch the key creation wizard.

AWS KMS Key to Build Part 2

Under Step 1 – Configure key, I select the key type: either Symmetric (one key used for both encryption and decryption) or Asymmetric (a public and private key pair for encryption/decryption or signing/verification). Identity Center requires symmetric keys for encryption at rest, so I choose Symmetric.

For Key usage, I choose Encrypt and decrypt, which allows the key to be used only for data encryption and decryption.

Under Advanced options, I choose KMS – recommended for Key material origin, so that AWS KMS creates and manages the key material.

For Regionality, I choose between Single-Region key and Multi-Region key. I choose Multi-Region key so that key administrators can replicate the key to other Regions. As explained earlier, Identity Center doesn’t require this today, but it helps future-proof your configuration. Note that a single-Region key cannot be converted into a multi-Region key after it is created (but you can change the key used by Identity Center).

Then I choose Next and proceed with the remaining configuration steps: adding labels, defining administrative permissions, setting usage permissions, and reviewing the final configuration before creating the key.

AWS KMS Key to Build Part 3

Under Step 2 – Add labels, I enter an Alias for my key and choose Next.

In this example, I edit the key policy by adding policy statements using the templates provided in the documentation. I skip Step 3 and Step 4 and go to Step 5 – Edit key policy.

AWS KMS Key to Build Part 5

At a minimum, the key policy must allow Identity Center itself and its administrators to use the key. Therefore, I add the following policy statements: the first two authorize the service administrators, and the remaining two authorize the Identity Center and Identity Store services themselves.

{
	"Version": "2012-10-17",
	"Id": "key-consolepolicy-3",
	"Statement": [
		{
			"Sid": "Allow_IAMIdentityCenter_Admin_to_use_the_KMS_key_via_IdentityCenter_and_IdentityStore",
			"Effect": "Allow",
			"Principal": {
				"AWS": "ARN_OF_YOUR_IDENTITY_CENTER_ADMIN_IAM_ROLE"
			},
			"Action": [
				"kms:Decrypt",
				"kms:Encrypt",
				"kms:GenerateDataKeyWithoutPlaintext"
			],
			"Resource": "*",
			"Condition": {
				"StringLike": {
					"kms:ViaService": [
						"sso.*.amazonaws.com",
						"identitystore.*.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "Allow_IdentityCenter_admin_to_describe_the_KMS_key",
			"Effect": "Allow",
			"Principal": {
				"AWS": "ARN_OF_YOUR_IDENTITY_CENTER_ADMIN_IAM_ROLE"
			},
			"Action": "kms:DescribeKey",
			"Resource": "*"
		},
		{
			"Sid": "Allow_IdentityCenter_and_IdentityStore_to_use_the_KMS_key",
			"Effect": "Allow",
			"Principal": {
				"Service": [
					"sso.amazonaws.com",
					"identitystore.amazonaws.com"
				]
			},
			"Action": [
				"kms:Decrypt",
				"kms:ReEncryptTo",
				"kms:ReEncryptFrom",
				"kms:GenerateDataKeyWithoutPlaintext"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:SourceAccount": "YOUR_AWS_ACCOUNT_ID"
				}
			}
		},
		{
			"Sid": "Allow_IdentityCenter_and_IdentityStore_to_describe_the_KMS_key",
			"Effect": "Allow",
			"Principal": {
				"Service": [
					"sso.amazonaws.com",
					"identitystore.amazonaws.com"
				]
			},
			"Action": [
				"kms:DescribeKey"
			],
			"Resource": "*"
		}
	]
}

I also need to add policy statements for my use case: using AWS managed applications. I add these two policy statements to allow AWS managed applications and their administrators to use the KMS key. The documentation lists additional use cases and their respective policies.

{
    "Sid": "Allow_AWS_app_admins_in_the_same_AWS_organization_to_use_the_KMS_key",
    "Effect": "Allow",
    "Principal": "*",
    "Action": [
        "kms:Decrypt"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:PrincipalOrgID": "MY_ORG_ID (format: o-xxxxxxxx)"
        },
        "StringLike": {
            "kms:ViaService": [
                "sso.*.amazonaws.com", "identitystore.*.amazonaws.com"
            ]
        }
    }
},
{
    "Sid": "Allow_managed_apps_to_use_the_KMS_Key",
    "Effect": "Allow",
    "Principal": "*",
    "Action": [
        "kms:Decrypt"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": { "aws:PrincipalIsAWSService": "true" },
        "StringLike": {
            "kms:ViaService": [
                "sso.*.amazonaws.com", "identitystore.*.amazonaws.com"
            ]
        },
        "StringEquals": { "aws:SourceOrgID": "MY_ORG_ID (format: o-xxxxxxxx)" }
    }
}

You can further limit the use of the key to a specific Identity Center instance, a specific application instance, or a specific application administrator. The documentation includes examples of advanced key policies for your use cases.

To protect against IAM role name changes when permission sets are recreated, use the approach described in the custom trust policy example.

Part 2: Update the IAM policy to use a KMS key from another AWS account

Any IAM principal that uses Identity Center APIs from another AWS account, such as Identity Center delegated administrators and AWS application administrators, needs an IAM policy statement that allows the KMS key to be used through these APIs.

I grant permission to use the key by creating a new policy and attaching it to the IAM role relevant to my use case. You can also add these statements to the existing identity-based policies of the IAM role.

To do this, after creating the key, I find its ARN and substitute it for key_ARN in the template below. I then attach the policy to the IAM role of the managed application administrator. The documentation also covers IAM policies that grant delegated Identity Center administrators permission to use the key.

Here’s an example for managed application administrators:

{
      "Sid": "Allow_app_admins_to_use_the_KMS_key_via_IdentityCenter_and_IdentityStore",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "key_ARN",
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "sso.*.amazonaws.com",
            "identitystore.*.amazonaws.com"
          ]
        }
      }
}

The documentation shares an IAM policy template for the most common use cases.

Part 3: Configuring IAM Identity Center to use the key

I can configure a CMK either during the activation of an Identity Center organization instance or on an existing instance, and I can change the encryption configuration at any time by switching between CMKs or reverting to AWS-owned keys.

Please note that misconfiguring KMS key permissions can disrupt Identity Center operations and access to AWS-managed applications and accounts through Identity Center. Proceed with caution to this last step and make sure you read and understand the documentation.

After I have created and configured my CMK, I can select it under Advanced configuration when activating the Identity Center.

IDC with CMK configuration

To configure the CMK on an existing Identity Center instance using the AWS Management Console, I start by going to the IAM Identity Center console. From there I choose Settings in the navigation pane, select the Management tab, and choose Encryption management in the Key to encrypt IAM Identity Center data at rest section.

Change the key on the existing IDC

I can choose a different CMK from the same AWS account or switch back to an AWS-owned key at any time.

After I choose Apply, the key change takes a few seconds. All service functionality continues without interruption during the transition. If, for any reason, Identity Center cannot access the new key, an error message is returned and Identity Center continues to use the current key, so your identity data stays encrypted with the key already in use.

CMK to IDC, select new key

Things to keep in mind
The encryption key you create becomes a critical part of your Identity Center deployment. When you choose to use your own CMK to encrypt identity attributes at rest, verify the following points.

  • Have you configured the necessary permissions to use the KMS key? Without proper permissions, CMK authorization can fail or disrupt IAM Identity Center administration and AWS managed applications.
  • Have you verified that your AWS managed applications are compatible with CMKs? For a list of compatible applications, see AWS managed applications that you can use with IAM Identity Center. Enabling a CMK for an Identity Center instance that uses CMK-incompatible AWS managed applications will disrupt the operation of those applications. If you have incompatible applications, do not continue.
  • Does your organization use AWS managed applications that require additional IAM role configuration to use the Identity Center and Identity Store APIs? For any such AWS managed application that is already deployed, refer to the application’s user guide for updated KMS key permissions for IAM Identity Center use and update them as directed to prevent application disruption.
  • For brevity, the KMS key policy statements in this post omit the encryption context condition, which lets you limit the use of the KMS key to Identity Center, including to a specific instance. For your production scenarios, you can add a condition like this for Identity Center:
    "Condition": {
       "StringLike": {
          "kms:EncryptionContext:aws:sso:instance-arn": "${identity_center_arn}",
          "kms:ViaService": "sso.*.amazonaws.com"
        }
    }

    or this for the Identity Store:

    "Condition": {
       "StringLike": {
          "kms:EncryptionContext:aws:identitystore:identitystore-arn": "${identity_store_arn}",
          "kms:ViaService": "identitystore.*.amazonaws.com"
        }
    }
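The Part 1 key policy statements and the encryption-context condition from the last bullet, assembled and checked in one place. This is an added example and not code from the post or from AWS: build_key_policy, lint_key_policy, scope_to_instance and to_json are names chosen here, the "Enable IAM User Permissions" root statement is the KMS console default rather than one of the post's statements, and the account ID, organization ID and ARNs used for testing are constructed sample values. The linter flags the mistakes that the post says will disrupt Identity Center: an empty or unresolved placeholder (which never matches and silently denies the service), a wildcard principal not scoped to the organization or to AWS services, a service-principal grant without aws:SourceAccount, and an IAM-principal grant that can use the key outside Identity Center.

```python
"""Build and lint a KMS key policy for IAM Identity Center, offline.

Added example (not code from the AWS post or the service): it assembles the
statements the post shows into one policy document, filling the placeholders
from arguments, then checks the result for the misconfigurations the post
warns about. No AWS call is made; sample values are constructed.
"""
import copy
import json

IDC_SERVICES = ["sso.amazonaws.com", "identitystore.amazonaws.com"]
IDC_VIA_SERVICE = ["sso.*.amazonaws.com", "identitystore.*.amazonaws.com"]
# Actions that touch ciphertext or key material; describe-only grants are exempt.
DATA_ACTIONS = {"kms:Decrypt", "kms:Encrypt", "kms:ReEncryptTo", "kms:ReEncryptFrom",
                "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _stmt(sid, principal, action, condition=None):
    s = {"Sid": sid, "Effect": "Allow", "Principal": principal, "Action": action, "Resource": "*"}
    if condition:
        s["Condition"] = condition
    return s

def build_key_policy(account_id, org_id, admin_role_arn):
    """Return the post's Part 1 statements as one key policy dict.

    The first statement is the KMS console default (not from the post) that keeps
    the key administrable by the account; without it nobody can manage the key."""
    via = {"StringLike": {"kms:ViaService": IDC_VIA_SERVICE}}
    return {"Version": "2012-10-17", "Id": "identity-center-key-policy", "Statement": [
        _stmt("Enable IAM User Permissions", {"AWS": f"arn:aws:iam::{account_id}:root"}, "kms:*"),
        _stmt("Allow_IAMIdentityCenter_Admin_to_use_the_KMS_key_via_IdentityCenter_and_IdentityStore",
              {"AWS": admin_role_arn},
              ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKeyWithoutPlaintext"], via),
        _stmt("Allow_IdentityCenter_admin_to_describe_the_KMS_key", {"AWS": admin_role_arn}, "kms:DescribeKey"),
        # aws:SourceAccount stops a confused-deputy call made on behalf of another account.
        _stmt("Allow_IdentityCenter_and_IdentityStore_to_use_the_KMS_key", {"Service": IDC_SERVICES},
              ["kms:Decrypt", "kms:ReEncryptTo", "kms:ReEncryptFrom", "kms:GenerateDataKeyWithoutPlaintext"],
              {"StringEquals": {"aws:SourceAccount": account_id}}),
        _stmt("Allow_IdentityCenter_and_IdentityStore_to_describe_the_KMS_key",
              {"Service": IDC_SERVICES}, "kms:DescribeKey"),
        _stmt("Allow_AWS_app_admins_in_the_same_AWS_organization_to_use_the_KMS_key", "*", "kms:Decrypt",
              {"StringEquals": {"aws:PrincipalOrgID": org_id}, **via}),
        _stmt("Allow_managed_apps_to_use_the_KMS_Key", "*", "kms:Decrypt",
              {"Bool": {"aws:PrincipalIsAWSService": "true"},
               "StringEquals": {"aws:SourceOrgID": org_id}, **via}),
    ]}

def scope_to_instance(statement, instance_arn):
    """Apply the post's production condition: pin a statement to one Identity Center
    instance through the encryption context. kms:ViaService is narrowed to
    sso.*.amazonaws.com because Identity Store calls carry a different context key
    (aws:identitystore:identitystore-arn) and need their own statement."""
    s = copy.deepcopy(statement)
    like = s.setdefault("Condition", {}).setdefault("StringLike", {})
    like["kms:ViaService"] = "sso.*.amazonaws.com"
    like["kms:EncryptionContext:aws:sso:instance-arn"] = instance_arn
    return s

def lint_key_policy(policy):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal")
        actions = set(_as_list(stmt.get("Action", [])))
        cond = stmt.get("Condition", {})
        keys = {k for op in cond.values() for k in op}
        values = [v for op in cond.values() for vs in op.values() for v in _as_list(vs)]
        # An empty or unresolved condition value never matches, so the grant silently fails.
        for v in values:
            if isinstance(v, str) and (v == "" or "${" in v or v.startswith(("MY_", "YOUR_"))):
                findings.append(f"{sid}: unresolved condition value {v!r}")
        if principal == "*" and not keys & {"aws:PrincipalOrgID", "aws:SourceOrgID", "aws:PrincipalIsAWSService"}:
            findings.append(f"{sid}: Principal '*' is not scoped to the organization or to AWS services")
        if not actions & DATA_ACTIONS:
            continue
        services = set(_as_list(principal.get("Service", []))) if isinstance(principal, dict) else set()
        if services & set(IDC_SERVICES) and not keys & {"aws:SourceAccount", "aws:SourceArn", "aws:SourceOrgID"}:
            findings.append(f"{sid}: service grant lacks aws:SourceAccount (confused-deputy risk)")
        if isinstance(principal, dict) and "AWS" in principal and "kms:ViaService" not in keys:
            findings.append(f"{sid}: IAM principal may use the key outside Identity Center (no kms:ViaService)")
    return findings

def to_json(policy):
    """Serialize for the console policy editor or `aws kms put-key-policy --policy file://...`."""
    return json.dumps(policy, indent=2)
```

Run lint_key_policy on the policy before pasting it into Step 5 of the wizard or passing it to put-key-policy; an empty list is the goal, and any finding should be fixed before the key is attached in Part 3, because Identity Center will reject a key it cannot use and keep the current one.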

Price and availability
Standard AWS KMS fees apply for key storage and API usage. Identity Center remains available at no additional charge.

This feature is now available in all AWS Commercial Regions, AWS GovCloud (US), and AWS China Regions. For more information, see the IAM Identity Center User Guide.

We look forward to hearing how you use this new feature to meet your security and compliance requirements.

— self
