
Can I forbid the KMS "Decrypt" operation outside Nitro enclave? #100

Open
raindust opened this issue Feb 1, 2023 · 1 comment

Comments


raindust commented Feb 1, 2023

I have followed the kms tool example doc and decrypted the ciphertext successfully, but I can also decrypt it outside the Nitro enclave if I add additional actions (including the Decrypt action) within the KMS policies when creating the KMS key.

Is there a way that we can check if the "Decrypt" action only exists inside the enclave role (and if not, refuse to use the KMS key)? It's important for a Byzantine Fault Tolerance program.

The following is an example KMS policy file that worked for the kms tool example doc in debug mode but can Decrypt outside the enclave:

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::000000000000:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::000000000000:role/KMS-admin"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Enable decrypt from enclave",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::000000000000:role/KMS-test"
            },
            "Action": "kms:Decrypt",
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "kms:RecipientAttestation:ImageSha384": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
                }
            }
        },
        {
            "Sid": "Enable encrypt from instance",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::580177110170:role/KMS-test"
            },
            "Action": "kms:Encrypt",
            "Resource": "*"
        }
    ]
}
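One way to make the check asked for above, as an added example that is not part of this issue or of the SDK: parse the key policy and list every Allow statement that reaches kms:Decrypt without a kms:RecipientAttestation:* condition. SAMPLE_POLICY is constructed here with placeholder account id and PCR value, and the helper names are the example's own.

```python
import fnmatch
import json

# Constructed sample key policy, shaped like the one in the issue
# (placeholder account id and PCR value, not real identifiers).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::000000000000:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Enable decrypt from enclave", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::000000000000:role/KMS-test"},
         "Action": "kms:Decrypt", "Resource": "*",
         "Condition": {"StringEqualsIgnoreCase": {
             "kms:RecipientAttestation:ImageSha384": "0" * 96}}},
        {"Sid": "Enable encrypt from instance", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::000000000000:role/KMS-test"},
         "Action": "kms:Encrypt", "Resource": "*"},
    ],
})

def _as_list(value):
    # Policy fields such as Action and Statement may be a string or a list.
    return value if isinstance(value, list) else [value]

def action_grants_decrypt(action: str) -> bool:
    # IAM action names match case-insensitively and "*" / "?" are wildcards,
    # so "kms:*", "kms:De*" and "*" all reach kms:Decrypt.
    return fnmatch.fnmatchcase("kms:decrypt", action.lower())

def has_attestation_condition(statement: dict) -> bool:
    # Any kms:RecipientAttestation:* key (ImageSha384, PCR0, ...) ties the
    # grant to an enclave attestation document.
    for operator_block in statement.get("Condition", {}).values():
        if any(k.lower().startswith("kms:recipientattestation:") for k in operator_block):
            return True
    return False

def unattested_decrypt_sids(policy_json: str) -> list:
    """Sids of Allow statements that reach kms:Decrypt with no attestation condition.
    Note: the root-principal statement delegates to the account's IAM policies,
    which is how a role outside the enclave can still be granted Decrypt."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and any(map(action_grants_decrypt, actions)) \
                and not has_attestation_condition(stmt):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

For the constructed policy the only finding is "Enable IAM User Permissions"; the check covers the key policy only, so Deny statements and NotAction are not evaluated.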
Contributor

alcioa commented Feb 23, 2023

In production mode, the enclave PCR values are in the attestation document. When using this SDK for decrypting inside the enclave, a keypair is also generated and the public part is sent to the attestation endpoint. There you have the validation based on the enclave measurements against your policy. After that, the response is encrypted and sent back and can only be decrypted by the enclave.

Even if the instance has access to the PCRs and the attestation document (which are no secret), it cannot decrypt the response that was meant for the enclave. See https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
