Tags: aws, s3, security, kms, encryption
Overview
By default Kublr sets up AWS Kubernetes clusters with an S3 bucket as the secret exchange store.
The bucket is private - only master and worker nodes can access it - but it is not encrypted by default.
Kublr supports KMS key encryption for the cluster secret store S3 bucket.
Implementation plan:
- Create or ensure a KMS key (default AWS account KMS EBS key may be used)
- Configure the key permissions to allow use by Kublr and by AWS S3 service clients
- Configure Kublr cluster to use the KMS key
Additional references:
- AWS CloudFormation S3 Bucket Encryption Properties
- S3 cross-account access denied troubleshooting
- KMS encrypted S3 bucket access configuration
KMS Key Configuration
The KMS key policy should allow use of the key by Kublr and by AWS S3 service clients.
While there are multiple ways of achieving this, this document describes one method that requires the least configuration when creating multiple clusters; refer to AWS documentation for more details on various options available to customize this approach.
After the key is created, the following additional policies and permissions should be configured for the key:
- permission for Kublr IAM account to use the key
- permission for S3 service clients to use the key
KMS Key Policy - Kublr IAM account permissions
The following snippet shows a policy statement that should be added to the KMS key policy to allow the Kublr IAM account to use the key:
NB! put correct AWS account ID and the IAM user name in the statement
{
  "Version": "2012-10-17",
  "Statement": [
    ...
    {
      "Sid": "Allow use of the key by Kublr",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<aws-account-id>:user/<kublr-iam-user-name>"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    ...
  ]
}
KMS Key Policy - S3 service clients permissions
The following snippet shows a policy statement that should be added to the KMS key policy to allow AWS S3 service clients to access the key:
NB! put correct AWS account ID and the region in the statement
{
  "Version": "2012-10-17",
  "Statement": [
    ...
    {
      "Sid": "Allow access through S3 for all principals in the account that are authorized to use S3",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "<aws-account-id>",
          "kms:ViaService": "s3.<region>.amazonaws.com"
        }
      }
    },
    ...
  ]
}
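To confirm that a key policy actually carries both statements above (the Kublr IAM user grant, and the S3 service-client grant restricted by both kms:CallerAccount and kms:ViaService), here is an added Python check. It is not Kublr's code or part of this document; the account ID, region, IAM user name and the sample policy are constructed for the illustration.

```python
# Added example: check a KMS key policy for the two statements described above.
# Account id, region, IAM user name and the policy below are constructed samples.
# Action names are compared exactly as listed on this page; "kms:*" is not expanded.
REQUIRED_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def check_key_policy(policy, account_id, region, kublr_user_arn):
    """kublr_user_ok: an Allow for the Kublr IAM user with all required actions.
    s3_via_service_ok: an Allow for Principal "*" limited by BOTH kms:CallerAccount
      and kms:ViaService == s3.<region>.amazonaws.com (only S3 clients in the account).
    unrestricted_wildcards: Sids of Allow statements for "*" that lack the
      CallerAccount condition, i.e. the key would be usable from any AWS account."""
    out = {"kublr_user_ok": False, "s3_via_service_ok": False, "unrestricted_wildcards": []}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        p = st.get("Principal", {})
        principals = _as_list(p if isinstance(p, str) else p.get("AWS", []))
        actions = set(_as_list(st.get("Action", [])))
        cond = st.get("Condition", {}).get("StringEquals", {})
        if kublr_user_arn in principals and REQUIRED_ACTIONS <= actions:
            out["kublr_user_ok"] = True
        if "*" in principals:
            if (cond.get("kms:CallerAccount") == account_id
                    and cond.get("kms:ViaService") == f"s3.{region}.amazonaws.com"
                    and REQUIRED_ACTIONS <= actions):
                out["s3_via_service_ok"] = True
            if cond.get("kms:CallerAccount") != account_id:
                out["unrestricted_wildcards"].append(st.get("Sid", "<no Sid>"))
    return out

ACCOUNT, REGION = "111122223333", "us-east-2"          # constructed sample values
KUBLR_USER = f"arn:aws:iam::{ACCOUNT}:user/kublr"        # hypothetical user name
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key by Kublr", "Effect": "Allow",
     "Principal": {"AWS": KUBLR_USER}, "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"},
    {"Sid": "Allow access through S3", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": sorted(REQUIRED_ACTIONS), "Resource": "*",
     "Condition": {"StringEquals": {"kms:CallerAccount": ACCOUNT,
                                    "kms:ViaService": f"s3.{REGION}.amazonaws.com"}}},
]}

if __name__ == "__main__":
    import json
    print(json.dumps(check_key_policy(SAMPLE_POLICY, ACCOUNT, REGION, KUBLR_USER), indent=2))
```

Run it against the output of `aws kms get-key-policy` for the real key to see whether either required statement is missing or whether a wildcard statement has lost its condition.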
Kublr cluster configuration
The following cluster specification snippet shows cluster specification properties related to encrypted S3 bucket use:
spec:
  secretStore:
    awsS3:
      secretExchangeBucketCloudFormationExtras:
        Properties:
          BucketEncryption:
            ServerSideEncryptionConfiguration:
              - ServerSideEncryptionByDefault:
                  SSEAlgorithm: 'aws:kms'
                  # if KMSMasterKeyID is not specified, account default key will be used
                  KMSMasterKeyID: '1234abcd-12ab-34cd-56ef-1234567890ab' # Key ID or ARN can be used
                  # KMSMasterKeyID: 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'