Benchmark: 3.5.2 Restrict access to cryptographic keys to the fewest number of custodians necessary
Description
There should be very few who have access to cryptographic keys (reducing the potential for rending cardholder data visible by unauthorized parties), usually only those who have key custodian responsibilities.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 3.5.2 Restrict access to cryptographic keys to the fewest number of custodians necessary.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_3_5_2Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_3_5_2 --shareControls
- Ensure managed IAM policies should not allow blocked actions on KMS keys
- Ensure inline policies attached to IAM users, roles, and groups should not allow blocked actions on KMS keys