anjuna-nitro-kms-policy

anjuna-nitro-kms-policy <show|allow|revoke> --cmk <cmk-arn-value> [OPTIONS...]

View, add, update, and delete attestation values in an existing KMS policy.

anjuna-nitro-kms-policy is intended to simplify the process of editing KMS policies in exploratory, testing, "proof of concept", and demonstration scenarios only. It is not currently recommended to use this tool to manage KMS policies in a production or other security critical context.

Updating an AWS KMS policy to manage access to a key from an enclave, based on the enclave measurement, can be complex and error-prone as it requires making the correct change in the policy text, which can be a time consuming process.

The anjuna-nitro-kms-policy utility provides a simple way to perform enclave-related modifications to a KMS policy from the command line.

At the current time, the only value that can be added or revoked is the enclave measurement - PCR0. To learn how to view the PCR values of an Enclave Image File, see anjuna-nitro-cli describe-eif. Anjuna may support more enclave attributes in the future.

The flow of the anjuna-nitro-kms-policy tool

The anjuna-nitro-kms-policy tool searches for the first statement in the policy that matches all of these requirements:

  • "Effect" must be set to "Allow"

  • "Principal" must be the AWS EC2 IAM role assigned to the AWS Nitro parent EC2 instance, as a string

  • "Action" must include (non-exclusively) kms:Decrypt

  • "Condition" must exist and have a "StringEqualsIgnoreCase" operator

  • The "Condition" operator’s key must be "kms:RecipientAttestation:PCR0"

When executing anjuna-nitro-kms-policy allow, and if no matching statement exists, the tool appends a new statement to the policy matching the above parameters.

When executing anjuna-nitro-kms-policy revoke, and if no matching statement exists, the command will fail.

Arguments

Usage

anjuna-nitro-kms-policy <show|allow|revoke> --cmk <cmk-arn-value>

The following commands declare the action taken on the KMS policy:

show

Prints the policy of a KMS CMK to standard output

allow

Grants access to the specified KMS CMK key policy

revoke

Revokes access from the specified KMS CMK policy

Options

Usage

anjuna-nitro-kms-policy <show|allow|revoke> --cmk <cmk-arn-value>

--cmk

The ARN value of a KMS CMK

It can be the direct ARN or an alias ARN.

--role

The ARN value of the EC2 IAM role assigned to the AWS Nitro parent EC2 instance

--pcr0

The PCR0 measurement value of the enclave which was provided when the enclave was built

Global options

The following options are available for all commands.

Global options

-h, --help

Prints the help information for the command

-v, --version

Prints version information

Exit status

  • 0 on success

  • 1 on error

Examples

To print the existing policy:

$ anjuna-nitro-kms-policy show --cmk arn:aws:kms:us-east-2:0123456789012:alias/nitro-key | jq -r '.Statement[].Condition'
{
  "StringEqualsIgnoreCase": {
    "kms:RecipientAttestation:PCR0": [
      "42529fde5d2a37ac5a0120671941c1bc494c5706cfc279bd85131f65869bb82a5cffaa52525deab25bba8bd6e31d9f82",
      "f666e2eb6a5d999181e0a6bdb00fa60ac11717b7272fe8d010b50666f84945daeb8c4716b05cf4ed59ecd167af54f78b"
    ]
  }
}

To allow a PCR0 value in an AWS KMS key policy:

$ anjuna-nitro-kms-policy allow \
      --cmk arn:aws:kms:us-east-2:0123456789012:key/ea12c491-430c-4e69-85b1-be987379aa6c \
      --role arn:aws:iam::0123456789012:role/nitro_instance_role \
      --pcr0 f666e2eb6a5d999181e0a6bdb00fa60ac11717b7272fe8d010b50666f84945daeb8c4716b05cf4ed59ecd167af54f78b

To revoke a PCR0 value from an AWS KMS key policy:

$ anjuna-nitro-kms-policy revoke \
      --cmk arn:aws:kms:us-east-2:0123456789012:key/ea12c491-430c-4e69-85b1-be987379aa6c \
      --role arn:aws:iam::0123456789012:role/nitro_instance_role \
      --pcr0 42529fde5d2a37ac5a0120671941c1bc494c5706cfc279bd85131f65869bb82a5cffaa52525deab25bba8bd6e31d9f82