Resources can communicate with AWS KMS through a VPC private endpoint. A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
aws kms list-keys --endpoint-url <the KMS VPC Endpoint url>
{
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<your account id>:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow for Use only within our VPC",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::<your account id>:role/KMSWorkshop-InstanceInitRole"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:sourceVpce": "<the id of the KMS VPC Endpoint>"
}
}
}
]
}