AWS KMS

Automatic Classification for AWS Key Management Service

Veza natively supports AWS Key Management Service (KMS) for all configured AWS accounts. You can use the Authorization Graph to display all Customer Master Keys (CMKs), and view cross-service relationships between IAM roles and policies, KMS keys, and data sources.

Any AWS tags and aliases are automatically extracted when discovering KMS keys. These can be viewed from the entity details, and used to filter search results.

Configuration

As KMS discovery is enabled by default, no additional configuration is required. For more granular control over which AWS data resources are cataloged, you can select specific services for extraction by navigating to Administration > Configurations, and choosing the "edit" option for the AWS account.

For a CMK to be discoverable, its key policy must either enable IAM policies for the account or grant the Veza AWS IAM principal directly. The default AWS KMS key policy enables IAM policies with a statement such as:

{
  "Sid": "Enable IAM policies",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:root"
  },
  "Action": "kms:*",
  "Resource": "*"
}

To read authorization metadata for KMS, the IAM policy used by the Veza-AWS connector must include the following statement:

{
  "Sid": "KMS",
  "Effect": "Allow",
  "Action": [
    "kms:GetKeyPolicy",
    "kms:ListAliases",
    "kms:ListKeyPolicies",
    "kms:ListKeys",
    "kms:ListResourceTags",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
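The two requirements above (a key policy that enables IAM policies or names the connector principal directly, plus an IAM policy carrying the listed read actions) can be checked offline before onboarding an account. The following Python is an added example and not Veza's code; it models AWS's evaluation of a same-account principal against a key policy and an identity policy for exactly the actions in the statement above. The split into key-scoped and account-scoped actions follows the AWS KMS API documentation (ListKeys and ListAliases are authorized by the caller's IAM policy only). The role ARN, account ID and sample policies are constructed; Resource and Condition elements are not evaluated.

```python
import fnmatch

# Actions from the connector policy on the page, split by how AWS authorizes them:
# key-scoped actions are checked against each key's policy, account-scoped ones
# against the caller's IAM policy only (per the AWS KMS API reference).
KEY_SCOPED_ACTIONS = ["kms:DescribeKey", "kms:GetKeyPolicy",
                      "kms:ListKeyPolicies", "kms:ListResourceTags"]
ACCOUNT_SCOPED_ACTIONS = ["kms:ListKeys", "kms:ListAliases"]


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Principals named by a key-policy statement: "*" or the AWS element."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def _statement_applies(stmt, principal_arn, action, is_key_policy):
    """Does this statement address the principal and the action?"""
    if is_key_policy and not any(p in ("*", principal_arn) for p in _principals(stmt)):
        return False
    # IAM action names are case-insensitive and support '*' wildcards.
    if not any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(stmt.get("Action"))):
        return False
    # Conditions are not evaluated: a conditional Allow is not counted (it
    # cannot be proven to hold), a conditional Deny is (it might apply).
    if "Condition" in stmt:
        return stmt.get("Effect") == "Deny"
    return True


def _allows(policy, principal_arn, action, is_key_policy):
    """An Allow wins only when no applicable Deny exists, as in AWS evaluation."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_applies(stmt, principal_arn, action, is_key_policy):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def account_root_arn(principal_arn):
    """arn:aws:iam::111122223333:role/x -> arn:aws:iam::111122223333:root"""
    return "arn:aws:iam::%s:root" % principal_arn.split(":")[4]


def check_key(key_policy, identity_policy, principal_arn):
    """Return {"discoverable", "missing", "paths"} for one key.

    Each path is "direct" (the key policy names the principal), "via-iam" (the
    key policy enables IAM policies for the account root and the identity policy
    grants the action), "iam" (account-scoped, identity policy only) or None.
    """
    root = account_root_arn(principal_arn)
    paths = {}
    for action in KEY_SCOPED_ACTIONS:
        if _allows(key_policy, principal_arn, action, True):
            paths[action] = "direct"
        elif (_allows(key_policy, root, action, True)
              and _allows(identity_policy, principal_arn, action, False)):
            paths[action] = "via-iam"
        else:
            paths[action] = None
    for action in ACCOUNT_SCOPED_ACTIONS:
        paths[action] = "iam" if _allows(identity_policy, principal_arn, action, False) else None
    missing = sorted(a for a, p in paths.items() if p is None)
    return {"discoverable": not missing, "missing": missing, "paths": paths}


# Constructed sample inputs (hypothetical account, role and policies).
VEZA_ROLE = "arn:aws:iam::111122223333:role/veza-connector"

DEFAULT_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM policies", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*", "Resource": "*"}]}

LOCKED_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Admins only", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/kms-admin"},
    "Action": "kms:*", "Resource": "*"}]}

CONNECTOR_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "KMS", "Effect": "Allow",
    "Action": ["kms:GetKeyPolicy", "kms:ListAliases", "kms:ListKeyPolicies",
               "kms:ListKeys", "kms:ListResourceTags", "kms:DescribeKey"],
    "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_KEY_POLICY), ("locked", LOCKED_KEY_POLICY)):
        print(name, check_key(policy, CONNECTOR_POLICY, VEZA_ROLE))
```

Running it reports the default key as discoverable through the IAM path and the locked-down key as missing all four key-scoped actions, which is the case where a key silently never appears in the Authorization Graph. To use it against a live account, feed it the output of kms:GetKeyPolicy for each key and the connector role's attached policy documents.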
