1
00:00:00,300 --> 00:00:02,490
So now let's talk about KMS Key Policies

2
00:00:02,490 --> 00:00:04,050
and I wanna give you a few examples.

3
00:00:04,050 --> 00:00:07,170
So we know that a Key Policy is used to define

4
00:00:07,170 --> 00:00:09,654
who has access to your KMS Key.

5
00:00:09,654 --> 00:00:13,080
And the default KMS Key Policy that you create

6
00:00:13,080 --> 00:00:18,080
through the AWS Console allows anyone within your account

7
00:00:18,138 --> 00:00:20,310
to access your KMS Key,

8
00:00:20,310 --> 00:00:23,970
as long as they have the proper IAM permissions.

9
00:00:23,970 --> 00:00:25,500
So this is a special one.

10
00:00:25,500 --> 00:00:30,330
And if you wanted to explicitly authorize a specific user,

11
00:00:30,330 --> 00:00:32,280
it could be whatever user, it could be a user,

12
00:00:32,280 --> 00:00:35,760
an IAM role, it could be a federated user, for example,

13
00:00:35,760 --> 00:00:38,670
as you can see in this example on the right-hand side.

14
00:00:38,670 --> 00:00:42,300
You could, for example, allow which KMS actions you want,

15
00:00:42,300 --> 00:00:44,574
such as encrypt, decrypt, et cetera, et cetera.

16
00:00:44,574 --> 00:00:47,373
And then you explicitly outline the principal.

17
00:00:47,373 --> 00:00:50,010
In that case, the federated user

18
00:00:50,010 --> 00:00:52,220
in this example does not need, additionally,

19
00:00:52,220 --> 00:00:55,412
an extra IAM policy to use your KMS key

20
00:00:55,412 --> 00:00:59,644
because it's been explicitly allowed in the KMS key policy.

21
00:00:59,644 --> 00:01:03,706
So what kind of principals can we explicitly allow

22
00:01:03,706 --> 00:01:06,693
in KMS key policies, but also in anything IAM?

23
00:01:06,693 --> 00:01:10,106
Well, we have the account and the root user.

24
00:01:10,106 --> 00:01:12,540
So when you define something like this,

25
00:01:12,540 --> 00:01:15,570
such as Principal AWS and then the account number,

26
00:01:15,570 --> 00:01:17,610
or the account number and then root,

27
00:01:17,610 --> 00:01:21,750
you allow every principal within the account, okay?

28
00:01:21,750 --> 00:01:24,360
And then IAM policies kick in.

29
00:01:24,360 --> 00:01:27,420
Next, you can authorize a specific IAM role

30
00:01:27,420 --> 00:01:30,720
by outlining the role ARN directly

31
00:01:30,720 --> 00:01:32,400
in the Principal statement.

32
00:01:32,400 --> 00:01:33,710
You have IAM role sessions,

33
00:01:33,710 --> 00:01:36,180
so this is when you have an assumed role,

34
00:01:36,180 --> 00:01:39,030
or when you have an assumed identity through federation,

35
00:01:39,030 --> 00:01:42,977
for example, Cognito Identity or SAML.

36
00:01:42,977 --> 00:01:47,370
You also have IAM users, when you outline a specific user

37
00:01:47,370 --> 00:01:49,496
in your account or, of course, in other accounts.

38
00:01:49,496 --> 00:01:51,575
You have federated user sessions.

39
00:01:51,575 --> 00:01:53,700
This is what we've seen before.

40
00:01:53,700 --> 00:01:56,310
So when you have user federation in AWS,

41
00:01:56,310 --> 00:01:59,376
you can specify a specific federated user,

42
00:01:59,376 --> 00:02:02,730
and then you can also allow a specific service.

43
00:02:02,730 --> 00:02:04,110
So you can see the Principal now

44
00:02:04,110 --> 00:02:06,540
has a Service to allow specific services

45
00:02:06,540 --> 00:02:08,220
to use your KMS key.

46
00:02:08,220 --> 00:02:10,890
Or if you wanted to allow everything and everyone,

47
00:02:10,890 --> 00:02:14,550
you can just use a star, or AWS star.

48
00:02:14,550 --> 00:02:16,290
Okay, so that's it for this lecture.

49
00:02:16,290 --> 00:02:19,443
I hope you liked it and I will see you in the next lecture.
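Added example, not part of the lecture transcript or the course's own material: a Python script that builds a KMS key policy containing each principal form the lecture enumerates (account root, IAM role, role session, IAM user, federated user session, service, and the wildcard), classifies every principal it finds, and flags any `Allow` statement that grants to `"*"` without a `Condition`. The account ID `111122223333`, the role and user names, and the service names are constructed placeholders; the `kms:CallerAccount` and `kms:ViaService` condition keys are real KMS condition keys, used here to show how a wildcard principal is normally kept from meaning "any principal in any account".

```python
import json
import re

ACCOUNT_ID = "111122223333"  # constructed placeholder, not a real account

# ARN shapes a KMS key policy (and IAM in general) accepts as "AWS" principals.
_ARN_FORMS = [
    ("account root", re.compile(r"^arn:aws:iam::\d{12}:root$")),
    ("IAM role", re.compile(r"^arn:aws:iam::\d{12}:role/.+$")),
    ("IAM role session", re.compile(r"^arn:aws:sts::\d{12}:assumed-role/[^/]+/.+$")),
    ("IAM user", re.compile(r"^arn:aws:iam::\d{12}:user/.+$")),
    ("federated user session", re.compile(r"^arn:aws:sts::\d{12}:federated-user/.+$")),
]


def classify_principal(kind: str, value: str) -> str:
    """kind is the Principal map key ("AWS" or "Service"); value is an ARN,
    a bare account ID, a service name, or "*"."""
    if value == "*":
        return "everyone"
    if kind == "Service":
        return "AWS service"
    if re.fullmatch(r"\d{12}", value):
        return "account root"  # bare account ID is shorthand for arn:aws:iam::<id>:root
    for name, pattern in _ARN_FORMS:
        if pattern.match(value):
            return name
    return "unknown"


def principals_of(stmt: dict) -> list[tuple[str, str]]:
    """Flatten a statement's Principal into (kind, value) pairs. Principal is
    either the bare string "*" or a map whose values are strings or lists."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return [("AWS", "*")]
    return [(kind, v) for kind, values in principal.items()
            for v in (values if isinstance(values, list) else [values])]


def build_key_policy(account_id: str) -> dict:
    """Key policy with one statement per principal form from the lecture."""
    return {
        "Version": "2012-10-17",
        "Id": "example-key-policy",
        "Statement": [
            {   # Account root: every principal in the account may use the key,
                # but only if its own IAM policy also allows the kms: action.
                "Sid": "EnableIAMPermissions", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*", "Resource": "*"},
            {   # Explicit principals: these need no additional IAM policy.
                "Sid": "AllowExplicitPrincipals", "Effect": "Allow",
                "Principal": {"AWS": [
                    f"arn:aws:iam::{account_id}:role/AppRole",
                    f"arn:aws:sts::{account_id}:assumed-role/AppRole/app-session",
                    f"arn:aws:iam::{account_id}:user/alice",
                    f"arn:aws:sts::{account_id}:federated-user/bob"]},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*",
                           "kms:DescribeKey"], "Resource": "*"},
            {   # Service principal (placeholder service).
                "Sid": "AllowServicePrincipal", "Effect": "Allow",
                "Principal": {"Service": "logs.us-east-1.amazonaws.com"},
                "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:GenerateDataKey*",
                           "kms:Describe*"], "Resource": "*"},
            {   # Wildcard principal, scoped to this account and to calls made via S3.
                "Sid": "AllowViaS3InThisAccountOnly", "Effect": "Allow",
                "Principal": "*",
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
                "Resource": "*",
                "Condition": {"StringEquals": {
                    "kms:CallerAccount": account_id,
                    "kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
        ],
    }


def audit_wildcards(policy: dict) -> list[str]:
    """Sids of Allow statements granting to "*" with no Condition at all,
    i.e. to any principal in any AWS account."""
    return [stmt.get("Sid", "<no Sid>") for stmt in policy["Statement"]
            if stmt.get("Effect") == "Allow" and "Condition" not in stmt
            and any(v == "*" for _, v in principals_of(stmt))]


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_ID)
    for stmt in policy["Statement"]:
        for kind, value in principals_of(stmt):
            print(f'{stmt["Sid"]:28} {classify_principal(kind, value):24} {value}')
    print("unconditioned wildcard grants:", audit_wildcards(policy))
    print(json.dumps(policy, indent=2))
```

Running the script prints one classified line per principal and an empty findings list; delete the `Condition` from the last statement and `audit_wildcards` reports its Sid, which is the case to look for when reviewing a key policy that uses `"Principal": "*"` or `{"AWS": "*"}`.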