Example request: Best practice KMS usage for vault in AWS #233

queglay · 2021-03-02T01:13:50Z

I've been looking into how to provide appropriate controls on the KMS key used to auto unseal vault. It seems like a difficult topic though, and hard to know the best route. It would be great to have some kind of example on what would be best practice. Some of my questions on the way forward were:

Should it be restricted based on the iam profile of the instance? Perhaps not possible since that name is dynamically generated when this repo is deployed.
Should it be restricted by the VPC? https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html#vpce-policy
Or are there other methods to consider?

brikis98 · 2021-03-10T10:38:13Z

As always, the answer is, "it depends," but I think the standard approach would be to attach an IAM role to whatever servers / containers are running Vault, and in your KMS key policy, to grant that IAM role (via it's static ARN) the permissions it needs.

queglay · 2021-03-10T11:28:38Z

Ahh of course thanks for the advice @brikis98 !

brikis98 added the question label Mar 10, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Example request: Best practice KMS usage for vault in AWS #233

Example request: Best practice KMS usage for vault in AWS #233

queglay commented Mar 2, 2021

brikis98 commented Mar 10, 2021

queglay commented Mar 10, 2021

Example request: Best practice KMS usage for vault in AWS #233

Example request: Best practice KMS usage for vault in AWS #233

Comments

queglay commented Mar 2, 2021

brikis98 commented Mar 10, 2021

queglay commented Mar 10, 2021