As an extra security policy we want to add an explicit deny on the kms:CreateGrant action for our CMK used for Spice encryption. However we don’t succeed in allowing QuickSight and denying everything else.
When a CMK has been added as the default key for Spice Encryption, having this policy
KMS_CMK_CREATE_GRANT_ACCESS_DENIED
sourceErrorMessage:
Access denied when trying to create grant on arn:aws:kms:eu-west-1:<redacted_account_id>:key/<redacted_key_id>. Probably customer already revoked account level grant, or explicitly denied QuickSight in this key.
QuickSight is thus not able to createGrants with this deny policy. I therefore think that the CreateGrant action uses another ViaService url than the one specified. I also tried other service urls like “quicksight.eu-west-1.amazonaws.com”. So maybe even other URL’s are used? Or do I need to use another kms condition than ViaService which can be used to single out QuickSight usage?
I think the issue is that you are saying deny everything while also not giving explicit permission to QuickSight. I think you should try the opposite and explicitly deny services and provide permission to QuickSight.
I would follow the example laid out in the documentation:
The statement I shared in my post only contained the deny statement, however I also have statements that allow certain roles in my project to perform kms actions. The role I use for my admin actions related to QuickSight does have quicksight:* and kms:* permissions. Therefor I am also able to change the default spice KMS key to my CMK (when the explicit deny contains an exception for my role of course). The issue I am facing is that from that moment QuickSight itself is creating grants (using its grant) everytime a new dataset is created. It are those events I want to single out and add as an exception to the deny, but I cannot seem to define any condition in the policy that fits only those creategrants.
If you are hitting constraints when it comes to permissions that are not defined in the documentation I would recommend creating an aws support ticket. This way they can look at your set up with you to better diagnose the issue.
Here are the steps to open a support case. If your company has someone who manages your AWS account, you might not have direct access to AWS Support and will need to raise an internal ticket to your IT team or whomever manages your AWS account. They should be able to open an AWS Support case on your behalf.