Control: IAM policy should not grant full access to KMS service
Description
KMS is a critical service, and IAM policies should follow the least-privilege model for this service in particular. This control reports a customer-managed IAM policy as non-compliant if it allows full access to the KMS service. As implemented in the query below, "full access" means an Allow statement whose action is kms:* and whose resource is *; AWS-managed policies are excluded from the check.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.iam_policy_no_full_access_to_kms
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.iam_policy_no_full_access_to_kms --share
SQL
This control uses a named query:
-- Customer-managed policies with at least one Allow statement granting kms:* on resource *.
-- policy_std is the normalised form of the policy document (arrays everywhere, lower-case actions).
with kms_full_access_policies as (
  select
    arn,
    count(*) as statements_num
  from
    aws_iam_policy,
    jsonb_array_elements(policy_std -> 'Statement') as s,
    jsonb_array_elements_text(s -> 'Resource') as resource,
    jsonb_array_elements_text(s -> 'Action') as action
  where
    not is_aws_managed
    and s ->> 'Effect' = 'Allow'
    and resource = '*'
    and action = 'kms:*'
  group by
    arn
)
select
  p.arn as resource,
  case
    when w.arn is null then 'ok'
    else 'alarm'
  end status,
  p.name || ' contains ' || coalesce(w.statements_num, 0) ||
    ' statements that allow action "kms:*" on the KMS service on resource "*".' as reason,
  p.account_id
from
  aws_iam_policy as p
  left join kms_full_access_policies as w on p.arn = w.arn
where
  not p.is_aws_managed;
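The same check applied to raw IAM policy documents, as an added Python example that is not part of the Powerpipe mod: it mirrors the named query's logic, including the string-or-list and action-case normalisation that the policy_std column provides in the SQL version, so a policy can be evaluated before it is ever attached. The sample policies, their names and the account ID are constructed.

```python
import json

def _as_list(value):
    """Policy JSON allows a bare string wherever a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def kms_full_access_statements(policy_doc):
    """Count Allow statements that grant kms:* on resource *, as the query does."""
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    hits = 0
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never count, matching s ->> 'Effect' = 'Allow'
        # Action names are case-insensitive; policy_std lower-cases them for the SQL version
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = set(_as_list(stmt.get("Resource")))
        if "kms:*" in actions and "*" in resources:
            hits += 1
    return hits

def evaluate(policy_name, policy_doc):
    """Return (status, reason) in the same shape as the control's result rows."""
    n = kms_full_access_statements(policy_doc)
    status = "ok" if n == 0 else "alarm"
    reason = f'{policy_name} contains {n} statements that allow action "kms:*" on resource "*".'
    return status, reason

# Constructed sample policies (not taken from the page). The first uses the
# bare-string form and an upper-case action to exercise the normalisation.
FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "KMS:*", "Resource": "*"},
}
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"Effect": "Deny", "Action": "kms:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("kms-admin", FULL_ACCESS), ("kms-scoped", LEAST_PRIVILEGE)):
        print(evaluate(name, doc))
```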