anjuna-nitro-kms-policy
anjuna-nitro-kms-policy <show|allow|revoke> --cmk <cmk-arn-value> [OPTIONS...]
View, add, update, and delete attestation values in an existing KMS policy.
|
Without the anjuna-nitro-kms-policy
utility,
updating an AWS KMS policy to manage access to a key from an enclave,
based on the enclave measurement,
can be complex and error-prone.
It requires making the correct change in the policy text,
which can be a time consuming process.
The anjuna-nitro-kms-policy
utility provides a simple way to perform enclave-related modifications
to a KMS policy from the command line.
At the current time, the only value that can be added or revoked is the enclave measurement - PCR0.
To learn how to view the PCR values of an Enclave Image File,
see anjuna-nitro-cli describe-eif
.
Anjuna may support more enclave attributes in the future.
The flow of the anjuna-nitro-kms-policy tool
The anjuna-nitro-kms-policy tool searches for the first statement in the policy that matches all of these requirements:
-
"Effect" must be set to "Allow"
-
"Principal" must be the AWS EC2 IAM role assigned to the AWS Nitro parent EC2 instance, as a string
-
"Action" must include (non-exclusively) kms:Decrypt
-
"Condition" must exist and have a "StringEqualsIgnoreCase" operator
-
The "Condition" operator’s key must be "kms:RecipientAttestation:PCR0"
When executing anjuna-nitro-kms-policy allow
, and if no matching statement exists,
the tool appends a new statement to the policy matching the above parameters.
When executing anjuna-nitro-kms-policy revoke
, and if no matching statement exists,
the command will fail.
Arguments
Examples
To print the existing policy:
$ anjuna-nitro-kms-policy show --cmk arn:aws:kms:us-east-2:0123456789012:alias/nitro-key | jq -r '.Statement[].Condition'
{
"StringEqualsIgnoreCase": {
"kms:RecipientAttestation:PCR0": [
"42529fde5d2a37ac5a0120671941c1bc494c5706cfc279bd85131f65869bb82a5cffaa52525deab25bba8bd6e31d9f82",
"f666e2eb6a5d999181e0a6bdb00fa60ac11717b7272fe8d010b50666f84945daeb8c4716b05cf4ed59ecd167af54f78b"
]
}
}
To allow a PCR0 value in an AWS KMS key policy:
$ anjuna-nitro-kms-policy allow \
--cmk arn:aws:kms:us-east-2:0123456789012:key/ea12c491-430c-4e69-85b1-be987379aa6c \
--role arn:aws:iam::0123456789012:role/nitro_instance_role \
--pcr0 f666e2eb6a5d999181e0a6bdb00fa60ac11717b7272fe8d010b50666f84945daeb8c4716b05cf4ed59ecd167af54f78b
To revoke a PCR0 value from an AWS KMS key policy:
$ anjuna-nitro-kms-policy revoke \
--cmk arn:aws:kms:us-east-2:0123456789012:key/ea12c491-430c-4e69-85b1-be987379aa6c \
--role arn:aws:iam::0123456789012:role/nitro_instance_role \
--pcr0 42529fde5d2a37ac5a0120671941c1bc494c5706cfc279bd85131f65869bb82a5cffaa52525deab25bba8bd6e31d9f82