anjuna-nitro-kms-policy

View, add, update, and delete attestation values in an existing KMS policy.

SYNOPSIS

anjuna-nitro-kms-policy <command> [ . . . ]

DESCRIPTION

Updating an AWS KMS policy to manage access to a key from an enclave, based on the enclave measurement can be complex and error-prone as it requires doing the right change in the policy text, which can be quite a long text.

The anjuna-nitro-kms-policy utility is aimed to save that effort and to provide a simple way of performing enclave-related modifications to a KMS policy from the command line.

At the current time, the only value that can be added or revoked is the enclave measurement - PCR0. Anjuna is planning to support more of the enclave attributes in the future.

OPTIONS

Usage:
       anjuna-nitro-kms-policy show --cmk <cmk string>
   or: anjuna-nitro-kms-policy allow --cmk <cmk string> --role <role string> --pcr0 <PCR0 measurement value>
   or: anjuna-nitro-kms-policy revoke --cmk <cmk string> --role <role string> --pcr0 <PCR0 measurement value>
   or: anjuna-nitro-kms-policy --version
   or: anjuna-nitro-kms-policy --help | show --help | allow --help | revoke --help

Available commands:
   show      Print the policy of a KMS CMK to standard output
   allow     Grant access to the specified KMS CMK key policy
   revoke    Revoke access from the specified KMS CMK policy

Available parameters:
   --cmk     The ARN value of a KMS CMK. It can be the direct ARN or an alias ARN
   --role    The ARN value of the EC2 IAM role assigned to the Nitro parent VM
   --pcr0    The PCR0 measurement value of the enclave which was provided when the enclave was built

EXIT STATUS

  • 0 on success

  • 1 on error

The flow of the anjuna-nitro-kms-policy tool

The anjuna-nitro-kms-policy tool searches for the first statement in the policy that matches all of these requirements:

  • "Effect" must be set to "Allow"

  • "Principal" must exclusively be the AWS EC2 IAM role assigned to the nitro parent VM

  • "Action" must include (non-exclusively) kms:Decrypt

  • "Condition" must exist and have a "StringEqualsIgnoreCase" operator

  • The "Condition" operator’s key must be "kms:RecipientAttestation:PCR0"

In the case of the allow command, if no matching statement exists, the tool appends a new statement to the policy matching the above parameters.

In the case of the revoke command, if no matching statement exists, the tool run will fail.

EXAMPLES

Print the existing policy

$ anjuna-nitro-kms-policy show --cmk arn:aws:kms:us-east-2:0123456789012:alias/nitro-key | jq -r '.Statement[].Condition'
{
  "StringEqualsIgnoreCase": {
    "kms:RecipientAttestation:PCR0": [
      "42529fde5d2a37ac5a0120671941c1bc494c5706cfc279bd85131f65869bb82a5cffaa52525deab25bba8bd6e31d9f82",
      "f666e2eb6a5d999181e0a6bdb00fa60ac11717b7272fe8d010b50666f84945daeb8c4716b05cf4ed59ecd167af54f78b"
    ]
  }
}

Allow a PCR0 value in a KMS CMK policy

$ anjuna-nitro-kms-policy allow \
      --cmk arn:aws:kms:us-east-2:0123456789012:key/ea12c491-430c-4e69-85b1-be987379aa6c \
      --role arn:aws:iam::0123456789012:role/nitro_instance_role \
      --pcr0 f666e2eb6a5d999181e0a6bdb00fa60ac11717b7272fe8d010b50666f84945daeb8c4716b05cf4ed59ecd167af54f78b

Revoke a PCR0 value from a KMS CMK policy

$ anjuna-nitro-kms-policy revoke \
      --cmk arn:aws:kms:us-east-2:0123456789012:key/ea12c491-430c-4e69-85b1-be987379aa6c \
      --role arn:aws:iam::0123456789012:role/nitro_instance_role \
      --pcr0 42529fde5d2a37ac5a0120671941c1bc494c5706cfc279bd85131f65869bb82a5cffaa52525deab25bba8bd6e31d9f82