aws_compliance

AWS Compliance

Checks if the managed AWS Identity and Access Management (IAM) policies that you create do not allow blocked actions on AWS KMS keys. The rule is non - compliant if any blocked action is allowed on AWS KMS keys by the managed IAM policy.

iam_policy_custom_no_blocked_kms_actions

gxp_21_cfr_part_11_11_10_d

11.10(d) Limiting system access to authorized individuals

gxp_21_cfr_part_11_11_10_g

11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand

hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv

164.312(a)(2)(iv) Encryption and decryption

hipaa_security_rule_2003_164_312_a_2_iv

nist_800_171_rev_2_3_1_4

3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion

nist_800_171_rev_2_3_1_5

3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts

pci_dss_v321_requirement_3_5_2

3.5.2 Restrict access to cryptographic keys to the fewest number of custodians necessary

pci_dss_v321_requirement_3_6_4

3.6.4 Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines

pci_dss_v321_requirement_3_6_4_a

3.6.4.a Verify that key-management procedures include a defined cryptoperiod for each key type in use and define a process for key changes at the end of the defined cryptoperiod(s)

fedramp_moderate_rev_4_ac_2_j

AC-2(j)

fedramp_moderate_rev_4_ac_5_c

AC-5(c)

fedramp_low_rev_4_ac_2

Account Management (AC-2)

ffiec_d_3_pc_am_b_1

D3.PC.Am.B.1

all_controls_iam

nist_csf_pr_ac_1

PR.AC-1

nist_csf_pr_ac_4

PR.AC-4

Ensure managed IAM policies should not allow blocked actions on KMS keys

Run individual configuration, compliance and security controls or full compliance benchmarks for CIS, FFIEC, PCI, NIST, HIPAA, RBI CSF, GDPR, SOC 2, Audit Manager Control Tower, FedRAMP, GxP and AWS Foundational Security Best Practices controls across all your AWS accounts using Powerpipe and Steampipe.

Apache License 2.0

steampipe-mod-aws-compliance

Control: Ensure managed IAM policies should not allow blocked actions on KMS keys

Description

Usage

SQL

Tags