Control: 1 IAM customer managed policies should not allow decryption actions on all KMS keys
Description
Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts.
This control fails if the kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.
With AWS KMS, you control who can use your KMS keys (formerly called customer master keys, or CMKs) and therefore who can gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you grant least privilege. In other words, grant identities the kms:Decrypt or kms:ReEncryptFrom permissions only for the keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.
Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, do not allow kms:Decrypt permission on all KMS keys. Instead, allow kms:Decrypt only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.
Remediation
To remediate this issue, you modify the IAM customer managed policies to restrict access to the keys.
To modify an IAM customer managed policy
- Open the IAM console.
- In the IAM navigation pane, choose Policies.
- Choose the arrow next to the policy you want to modify.
- Choose Edit policy.
- Choose the JSON tab.
- Change the “Resource” value to the specific key or keys that you want to allow.
- After you modify the policy, choose Review policy.
- Choose Save changes.
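The following is an added example, not the mod's own named query or AWS's Zelkova-based check: it approximates the condition the control looks for (an Allow statement granting kms:Decrypt or kms:ReEncryptFrom, directly or through a wildcard such as kms:* or kms:Re*, on every KMS key) against two constructed policy documents, one that fails and one remediated as described above by scoping Resource to a single key ARN. The account ID and key ID are placeholders. The example only inspects Allow statements with Action and Resource elements; Condition, NotAction and NotResource are ignored, which is an assumption of this example and one reason it is narrower than the real control.

```python
"""Approximation of the KMS.1 check on IAM policy documents (added example).

Flags Allow statements that grant a decryption action on all KMS keys.
"All keys" here means Resource "*" or a KMS ARN whose Region and key
parts are both wildcards; a Region-scoped key/* is treated as scoped,
following the description above. Assumption: Condition, NotAction and
NotResource are not evaluated, unlike the real control.
"""
import fnmatch
import json
import re

# Actions the control cares about, lowercased because IAM matches actions
# case-insensitively.
DECRYPT_ACTIONS = ("kms:decrypt", "kms:reencryptfrom")
KMS_ARN_RE = re.compile(r"^arn:[^:]*:kms:([^:]*):[^:]*:(.*)$")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_grants_decrypt(action):
    """True if the (possibly wildcarded) action covers a decryption action."""
    pattern = action.lower()  # IAM wildcards are * and ?, same as fnmatch
    return any(fnmatch.fnmatchcase(a, pattern) for a in DECRYPT_ACTIONS)


def resource_covers_all_keys(resource):
    """True for "*" or a KMS ARN with wildcard Region and wildcard key."""
    if resource == "*":
        return True
    m = KMS_ARN_RE.match(resource)
    if not m:
        return False
    region, resource_part = m.group(1), m.group(2)
    return region == "*" and resource_part in ("*", "key/*")


def decrypt_on_all_keys(policy_document):
    """Return (Sid, action, resource) for each offending grant."""
    findings = []
    for i, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":  # Deny never grants anything
            continue
        for action in _as_list(stmt.get("Action")):
            if not action_grants_decrypt(action):
                continue
            for resource in _as_list(stmt.get("Resource")):
                if resource_covers_all_keys(resource):
                    sid = stmt.get("Sid", f"Statement[{i}]")
                    findings.append((sid, action, resource))
    return findings


def evaluate(policy_document):
    """Control status in the mod's vocabulary: alarm on any finding."""
    return "alarm" if decrypt_on_all_keys(policy_document) else "ok"


def evaluate_json(policy_text):
    """Same check on the raw JSON shown in the IAM console's JSON tab."""
    return evaluate(json.loads(policy_text))


# Constructed sample policies (account ID and key ID are placeholders).
FAILING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllDecrypt", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "WildcardReencrypt", "Effect": "Allow",
         "Action": "kms:Re*",
         "Resource": "arn:aws:kms:*:123456789012:key/*"},
        {"Sid": "EncryptOnly", "Effect": "Allow",  # not a decryption action
         "Action": "kms:Encrypt", "Resource": "*"},
        {"Sid": "ExplicitDeny", "Effect": "Deny",  # Deny is not a grant
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}

# Remediated as in the steps above: Resource narrowed to one key ARN.
REMEDIATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ScopedDecrypt", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:ReEncryptFrom", "kms:DescribeKey"],
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/"
                     "1234abcd-12ab-34cd-56ef-1234567890ab"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("failing", FAILING_POLICY),
                         ("remediated", REMEDIATED_POLICY)):
        print(name, evaluate(policy), decrypt_on_all_keys(policy))
```

Running it reports the failing policy as alarm with two findings (the plain kms:Decrypt on "*" and the kms:Re* wildcard on an all-Region key/*), while kms:Encrypt on "*" and the Deny statement produce none; the remediated policy is ok. Remember that the real control reads only the default version of each customer managed policy, so a fix saved as a new version must also be set as the default to clear the finding.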
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_kms_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_kms_1 --share
SQL
This control uses a named query:
kms_key_decryption_restricted_in_iam_customer_managed_policy