Description
Hi, we have modified the AWS Nitro C SDK to support Sign operations within the enclave. It works well without an attestation document and gives the desired output. But when a PCR value is added to the KMS policy,
like below,
{
    "Sid": "Enable Enclave access",
    "Effect": "Allow",
    "Principal": "*",
    "Action": [
        "kms:Put*",
        "kms:Sign"
    ],
    "Resource": "*",
    "Condition": {
        "StringEqualsIgnoreCase": {
            "kms:RecipientAttestation:ImageSha384": "700d541ae32c8b789a1f266aae221387c6910dc3bdc78cc55b02c2711ce0b08b54156ef45d6c733702d79ed35e59c6fb"
        }
    }
}
it would end up giving the following error.
Got non-200 answer from KMS: 400 - {"__type":"AccessDeniedException","Message":"User: arn:aws:sts::3598780XXXXX:assumed-role/nume-enclave-role/i-0b11f180a81f2fea2 is not authorized to perform: kms:Sign on resource: arn:aws:kms:us-east-1:3598780XXXXX:key/fb506b65-0192-4881-b1d2-8ce98aXXXXX because no resource-based policy allows the kms:Sign action"}
Could the team please add support for attestation document verification for the KMS Sign and PutKeyPolicy APIs (at the KMS backend)?
We have a use case where we want to securely sign messages as well as update the KMS policy from the enclave.
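An added example, not part of the issue or of the AWS Nitro Enclaves SDK, that shows why the statement above grants nothing for kms:Sign: a `kms:RecipientAttestation:*` condition key is only present in the request context when the API call carries an attestation document, and a `StringEqualsIgnoreCase` condition on a key that is absent evaluates false, so the statement matches none of those requests. The checker below expands the statement's action patterns and reports every action that is guarded by such a condition but cannot supply an attestation document. The list of attestation-capable APIs (Decrypt, GenerateDataKey, GenerateRandom) and the known-action list are this example's assumptions and should be checked against the current KMS documentation.

```python
"""Lint a KMS key policy statement for RecipientAttestation conditions placed on
actions whose API cannot carry an attestation document (constructed example)."""
import fnmatch
import json

# KMS APIs that accept the Recipient (attestation document) parameter.
# Assumption of this example; verify against the current KMS documentation.
ATTESTATION_CAPABLE_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateRandom"}

# Illustrative subset of KMS actions that policy wildcards are expanded against.
KNOWN_ACTIONS = ATTESTATION_CAPABLE_ACTIONS | {
    "kms:Sign", "kms:Verify", "kms:PutKeyPolicy", "kms:GenerateDataKeyPair",
}


def expand_actions(patterns):
    """Expand IAM-style action patterns (e.g. kms:Put*) case-insensitively."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    return {a for a in KNOWN_ACTIONS
            for p in pats if fnmatch.fnmatchcase(a.lower(), p.lower())}


def has_attestation_condition(statement):
    """True if any condition operator references a kms:RecipientAttestation:* key."""
    for keys in statement.get("Condition", {}).values():
        if any(k.lower().startswith("kms:recipientattestation:") for k in keys):
            return True
    return False


def unreachable_actions(statement):
    """Actions this Allow statement names that can never satisfy its attestation
    condition, because their API request carries no attestation document."""
    if statement.get("Effect") != "Allow" or not has_attestation_condition(statement):
        return set()
    return expand_actions(statement["Action"]) - ATTESTATION_CAPABLE_ACTIONS


# The statement from the issue, with a placeholder PCR0 digest (constructed input).
STATEMENT = json.loads("""{
  "Sid": "Enable Enclave access", "Effect": "Allow", "Principal": "*",
  "Action": ["kms:Put*", "kms:Sign"], "Resource": "*",
  "Condition": {"StringEqualsIgnoreCase": {
    "kms:RecipientAttestation:ImageSha384": "<PCR0-PLACEHOLDER>"}}
}""")

if __name__ == "__main__":
    for action in sorted(unreachable_actions(STATEMENT)):
        print(f"{action}: guarded by an attestation condition it can never satisfy")
```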