anjuna-nitro-kms-policy
View, add, update, and delete attestation values in an existing KMS policy.
DESCRIPTION
Updating an AWS KMS policy to manage access to a key from an enclave, based on the enclave measurement can be complex and error-prone as it requires doing the right change in the policy text, which can be quite a long text.
The anjuna-nitro-kms-policy utility is aimed to save that effort and to provide a simple way of performing enclave-related modifications to a KMS policy from the command line.
At the current time, the only value that can be added or revoked is the enclave measurement - PCR0. To learn how to view the PCR values of an Enclave Image File see anjuna-nitro-cli describe-eif. Anjuna is planning to support more of the enclave attributes in the future.
OPTIONS
Usage: anjuna-nitro-kms-policy show --cmk <cmk string> or: anjuna-nitro-kms-policy allow --cmk <cmk string> --role <role string> --pcr0 <PCR0 measurement value> or: anjuna-nitro-kms-policy revoke --cmk <cmk string> --role <role string> --pcr0 <PCR0 measurement value> or: anjuna-nitro-kms-policy --version or: anjuna-nitro-kms-policy --help | show --help | allow --help | revoke --help Available commands: show Print the policy of a KMS CMK to standard output allow Grant access to the specified KMS CMK key policy revoke Revoke access from the specified KMS CMK policy Available parameters: --cmk The ARN value of a KMS CMK. It can be the direct ARN or an alias ARN --role The ARN value of the EC2 IAM role assigned to the Nitro parent VM --pcr0 The PCR0 measurement value of the enclave which was provided when the enclave was built
The flow of the anjuna-nitro-kms-policy tool
The anjuna-nitro-kms-policy tool searches for the first statement in the policy that matches all of these requirements:
-
"Effect" must be set to "Allow"
-
"Principal" must exclusively be the AWS EC2 IAM role assigned to the nitro parent VM
-
"Action" must include (non-exclusively) kms:Decrypt
-
"Condition" must exist and have a "StringEqualsIgnoreCase" operator
-
The "Condition" operator’s key must be "kms:RecipientAttestation:PCR0"
In the case of the allow command, if no matching statement exists, the tool appends a new statement to the policy matching the above parameters.
In the case of the revoke command, if no matching statement exists, the tool run will fail.
EXAMPLES
Print the existing policy
$ anjuna-nitro-kms-policy show --cmk arn:aws:kms:us-east-2:0123456789012:alias/nitro-key | jq -r '.Statement[].Condition' { "StringEqualsIgnoreCase": { "kms:RecipientAttestation:PCR0": [ "42529fde5d2a37ac5a0120671941c1bc494c5706cfc279bd85131f65869bb82a5cffaa52525deab25bba8bd6e31d9f82", "f666e2eb6a5d999181e0a6bdb00fa60ac11717b7272fe8d010b50666f84945daeb8c4716b05cf4ed59ecd167af54f78b" ] } }
Allow a PCR0 value in a KMS CMK policy
$ anjuna-nitro-kms-policy allow \ --cmk arn:aws:kms:us-east-2:0123456789012:key/ea12c491-430c-4e69-85b1-be987379aa6c \ --role arn:aws:iam::0123456789012:role/nitro_instance_role \ --pcr0 f666e2eb6a5d999181e0a6bdb00fa60ac11717b7272fe8d010b50666f84945daeb8c4716b05cf4ed59ecd167af54f78b
Revoke a PCR0 value from a KMS CMK policy
$ anjuna-nitro-kms-policy revoke \ --cmk arn:aws:kms:us-east-2:0123456789012:key/ea12c491-430c-4e69-85b1-be987379aa6c \ --role arn:aws:iam::0123456789012:role/nitro_instance_role \ --pcr0 42529fde5d2a37ac5a0120671941c1bc494c5706cfc279bd85131f65869bb82a5cffaa52525deab25bba8bd6e31d9f82