
cloudonaut
#085 Losing trust in KMS
Feb 1, 2024
Andreas and Michael are losing trust in KMS due to a key policy privilege escalation. They discuss the limitations of AWS Management Console and the potential integration with AWS Marketplace solutions. Additionally, they highlight AWS news, including support for reserved capacity in CodeBuild and new encryption mechanisms for containers in AWS.
32:40
Podcast summary created with Snipd AI
Quick takeaways
- KMS key policy privilege escalation raises concerns about the trustworthiness of AWS's encryption service.
- Limited ability to customize the UI hinders developers and partners from creating a more personalized user experience on AWS.
Deep dives
Key Policy and Access Control in AWS KMS
AWS KMS offers two types of keys: customer managed keys and built-in default keys. The main difference is that customer managed keys have a key policy you can change, which gives you more control. However, if a change to the key policy accidentally locks you out, recovering from that mistake is problematic: there is no built-in recovery mechanism comparable to the safeguard that exists for key deletion. In addition, it has been discovered that modifying the key policy can grant unauthorized access, which amounts to a privilege escalation. Together, these issues raise questions about how effective and trustworthy KMS is as an encryption service.
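As an added example (not from the episode or from AWS), a small Python checker for the two key-policy risks this segment describes: a policy edit that locks out all key administration, and an edit that widens access to any principal. The account id, role name and sample policies are constructed placeholders; the lockout check relies on the standard KMS safeguard of keeping the account root able to call kms:PutKeyPolicy (normally through the default kms:* statement).

```python
ACCOUNT_ID = "111122223333"                      # placeholder account id (assumption)
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"

def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _aws_principals(stmt):
    """Return the AWS principals of a statement; a bare "*" means anyone."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS")) if isinstance(principal, dict) else []

def _covers(actions, wanted):
    """True if the action list grants `wanted`, including via kms:* or *."""
    return any(a in ("*", "kms:*") or a.lower() == wanted.lower() for a in actions)

def check_key_policy(policy):
    """Flag (1) lockout risk: the account root no longer keeps kms:PutKeyPolicy,
    so IAM can no longer be used to repair the policy, and (2) over-broad access:
    an unconditional Allow to principal "*"."""
    findings = {"root_keeps_put_key_policy": False, "wildcard_statements": []}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _aws_principals(stmt)
        actions = _as_list(stmt.get("Action"))
        if ROOT_ARN in principals and _covers(actions, "kms:PutKeyPolicy"):
            findings["root_keeps_put_key_policy"] = True
        if "*" in principals and "Condition" not in stmt:
            findings["wildcard_statements"].append(stmt.get("Sid", "<no Sid>"))
    findings["lockout_risk"] = not findings["root_keeps_put_key_policy"]
    return findings

# Constructed sample policies (not from the episode).
SAFE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
     "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowAppRole", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/app"},
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}]}
# Someone "tightened" the policy and dropped the root statement: nobody can administer the key.
LOCKOUT_POLICY = {"Version": "2012-10-17", "Statement": [SAFE_POLICY["Statement"][1]]}
# An edit that widens decrypt access to any principal, with no condition.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": SAFE_POLICY["Statement"] + [
    {"Sid": "AllowAnyone", "Effect": "Allow", "Principal": "*",
     "Action": "kms:Decrypt", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("safe", SAFE_POLICY), ("lockout", LOCKOUT_POLICY), ("open", OPEN_POLICY)):
        print(name, check_key_policy(pol))
```

Running this check in CI before every PutKeyPolicy call turns the "no recovery mechanism" problem into a pre-change gate rather than a post-mortem.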