IAM users should not have IAM inline policies that allow decryption actions on all KMS keys

iam
이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

This control examines whether your IAM User inline policies allow AWS KMS decryption actions on all KMS resources. The control will fail if the policy allows any of the following actions on all KMS keys:

  • kms:*
  • kms:Decrypt
  • kms:ReEncryptFrom

The control specifically checks the Resource element of the policy and does not consider any conditions specified in the Condition element.

To enhance security, instead of granting permissions for all KMS keys, identify the specific keys that principals need to access encrypted data. Design policies to restrict user permissions to only those keys. For example, instead of allowing kms:Decrypt on all KMS keys, grant this permission only for keys in a particular region relevant to your account. Applying the principle of least privilege helps reduce the risk of unintentional data exposure.

Remediation

See the IAM Policies and Wildcards and Editing inline policies documentation for steps on how to identify and rectify policies that contain overly permissive KMS permissions.

PREVIEWING: may/unit-testing