Configuring AWS KMS keys for AWS Support authorization
Key requirements
A customer-managed AWS KMS key is required for cryptographic signing of support permits. Your key must meet the following requirements:
-
Key spec:
ECC_NIST_P384 -
Key usage:
SIGN_VERIFY -
The key must be in the same AWS Region as the support permit.
Your private key material never leaves AWS KMS. You create a grant on your key that allows it to call DescribeKey,
GetPublicKey, and Sign. The grant is scoped to the
support permit and retires when the support permit is deleted or
deactivated.
How AWS Support authorization uses your AWS KMS key
When you create a support permit, your AWS KMS key is used in the following way:
Uses forward access sessions to call
DescribeKeyon your behalf, verifying that the key meets the required spec (ECC_NIST_P384) and usage (SIGN_VERIFY).Creates a grant on the key by calling
CreateGranton your behalf. The grant allowsDescribeKey,GetPublicKey, andSignoperations.Verifies authorization when an AWS Support request matches an existing support permit by using the grant to call
Signon the key. The resulting signature verifies that AWS Support is authorized to perform the action.
Required key policy statements
Add the following policy statements to your AWS KMS key policy. These are the minimum permissions required for AWS Support authorization to use your key.
{ "Sid": "Allows access to CreateGrant through SupportAuthZ", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleRole"}, "Action": ["kms:CreateGrant"], "Resource": "*", "Condition": { "StringEquals": { "kms:ViaService": "supportauthz.us-east-1.amazonaws.com", "kms:GranteeServicePrincipal": "us-east-1.supportauthz.amazonaws.com", "kms:RetiringServicePrincipal": "us-east-1.supportauthz.amazonaws.com" }, "ForAllValues:StringEquals": { "kms:GrantOperations": ["DescribeKey", "GetPublicKey", "Sign"] }, "ArnLike": { "kms:GrantConstraintSourceArn": "arn:aws:supportauthz:us-east-1:111122223333:supportpermit/*" } } }, { "Sid": "Allows access to DescribeKey through SupportAuthZ", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleRole"}, "Action": ["kms:DescribeKey"], "Resource": "*", "Condition": { "StringEquals": { "kms:ViaService": "supportauthz.us-east-1.amazonaws.com" } } }
These statements grant the following permissions:
- CreateGrant
-
Allows the creation of grants for
DescribeKey,GetPublicKey, andSignoperations. The conditions restrict grant creation to requests that are made through the AWS Support authorization service and scoped to support permit resources in your account. AWS Support authorization uses forward access sessions to callCreateGrantas part of creating a support permit. - DescribeKey
-
Allows verification that the key meets the required spec and usage type when you create a support permit using forward access sessions.
Note
Replace 111122223333 with your AWS account ID and
us-east-1 with the AWS Region where you create your support
permits.
Revoking AWS Support authorization access
The recommended way to revoke signing permissions on your key is to revoke the grant. This prevents further signing operations without affecting other uses of the key.
To list and revoke grants for AWS Support authorization:
-
List grants on the key to find the grant ID:
aws kms list-grants \ --key-id 1234abcd-12ab-34cd-56ef-1234567890abIdentify the grant by its name or the
GrantConstraintssource ARN that references your support permit. -
Revoke the grant:
aws kms revoke-grant \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --grant-id grant-id-from-list-grants
After you revoke the grant, new signed authorizations can no longer be issued for any support permit that uses this key. Because the AWS KMS API follows an eventual consistency model, there might be a brief delay before the change is available throughout AWS KMS.
Note
Revoking a grant doesn't delete the associated support permit. The support permit remains in ACTIVE state, but authorizations can't be signed for it. Grants are specific to each support permit. Creating a new support permit with the same AWS KMS key doesn't restore AWS Support authorization's ability to use the key for the original support permit.
Disabling or deleting the key
You can also disable or schedule deletion of the AWS KMS key to prevent AWS Support authorization from issuing signed authorizations. However, this affects all uses of the key, not just AWS Support authorization.
Important
Both AWS KMS and AWS Support authorization are eventually consistent. After you disable or schedule deletion of a key, it can take up to several minutes for the change to take full effect. During this period, signed authorizations might continue to be issued by using the key. Grant revocation is also eventually consistent.
If you disable a key, then you can re-enable it in the AWS KMS console or by calling
EnableKey. If you delete a key, it can't be recovered.
Monitoring key usage
When your AWS KMS key is used to sign an authorization, AWS CloudTrail logs the signing operation in the key's event history. You can use these events to audit when and how often authorizations are signed on your behalf.