Control: KMS key decryption should be restricted in IAM customer managed policy
Description
Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if the kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.kms_key_decryption_restricted_in_iam_customer_managed_policySnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.kms_key_decryption_restricted_in_iam_customer_managed_policy --shareSQL
This control uses a named query:
with policy_with_decrypt_grant as ( select distinct arn from aws_iam_policy, jsonb_array_elements(policy_std -> 'Statement') as statement where not is_aws_managed and statement ->> 'Effect' = 'Allow' and statement -> 'Resource' ?| array['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*'] and statement -> 'Action' ?| array['*', 'kms:*', 'kms:decrypt', 'kms:reencryptfrom', 'kms:reencrypt*'])select i.arn as resource, case when d.arn is null then 'ok' else 'alarm' end as status, case when d.arn is null then i.title || ' doesn''t allow decryption actions on all keys.' else i.title || ' allows decryption actions on all keys.' end as reason , i.account_idfrom aws_iam_policy ileft join policy_with_decrypt_grant d on i.arn = d.arnwhere not is_aws_managed;