🛡️ AWS IAM Customer Managed Policy allows KMS decryption actions on all KMS keys🟢

• Contextual name: 🛡️ Customer Managed Policy allows KMS decryption actions on all KMS keys🟢
• ID: /ce/ca/aws/iam/customer-managed-policy-allows-kms-decrypt-on-all-keys
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS IAM Policy
  • 🔌 AWS IAM Policy - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys

Description

Open File

Description

This policy checks whether a customer managed IAM policy allows KMS decryption actions on all AWS KMS keys.

Rationale

Customer managed IAM policies should follow least privilege and grant access only to the KMS keys that a workload, service, or user explicitly requires.

If a customer managed policy allows kms:Decrypt, kms:ReEncryptFrom, or broader KMS decryption-related actions against * or wildcard KMS key ARNs, any principal that receives the policy can potentially decrypt data protected by keys outside its intended boundary. This increases the blast radius of credential misuse, policy misassignment, and privilege escalation.

Impact

Restricting wildcard KMS access can require updates to applications, automation, or delegated administration workflows that currently rely on broad permissions. Before tightening the policy, identify the exact KMS keys each intended principal must use and validate the updated access in a non-production environment when possible.

Audit

This policy flags an AWS IAM Policy as INCOMPLIANT when all of the following are true:

... see more

Remediation

Open File

Remediation

Restrict KMS key scope

Perform the following to update the customer managed IAM policy by replacing wildcard KMS resources with the specific KMS key ARNs that should be allowed and, where possible, narrowing broad KMS actions.

From Command Line

1. Identify the policy and its default version:

   aws iam get-policy \
       --policy-arn {{policy-arn}}

2. Retrieve the current policy document:

   aws iam get-policy-version \
       --policy-arn {{policy-arn}} \
       --version-id {{default-version-id}}

3. Update the policy document so that KMS decryption permissions are limited to the specific KMS key ARNs that are required.

4. Create a new policy version and set it as the default:

   aws iam create-policy-version \
       --policy-arn {{policy-arn}} \
       --policy-document file://policy.json \
       --set-as-default

5. If the policy already has five versions, delete an older non-default version and then create the new version:

   aws iam delete-policy-version \

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys			1		no data
💼 Cloudaware Framework → 💼 Role-Based Access Control (RBAC) Management			28		no data
💼 FedRAMP High Security Controls → 💼 AC-2 Account Management (L)(M)(H)	10	8	58		no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			32		no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	89		no data
💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H)			22		no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	85		no data
💼 FedRAMP High Security Controls → 💼 AC-6(3) Network Access to Privileged Commands (H)		1	6		no data
💼 FedRAMP Low Security Controls → 💼 AC-2 Account Management (L)(M)(H)			9		no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			89		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2 Account Management (L)(M)(H)	9		58		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			32		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			89		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-5 Separation of Duties (M)(H)			22		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		85		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			185		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			105		no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization			47		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			138		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			190		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			128		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2 Account Management	13	20	57		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management		4	32		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	65		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			36		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control			27		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties			22		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	78		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(3) Least Privilege _ Network Access to Privileged Commands			6		no data