
Remediation

Restrict KMS key scope

Update the customer managed IAM policy so that wildcard KMS resources (for example "*" or a key ARN ending in "/*") are replaced with the specific KMS key ARNs that should be allowed and, where possible, broad KMS actions are narrowed to the ones actually needed.

From Command Line

  1. Identify the policy and its default version:

    aws iam get-policy \
    --policy-arn {{policy-arn}}
  2. Retrieve the current policy document:

    aws iam get-policy-version \
    --policy-arn {{policy-arn}} \
    --version-id {{default-version-id}}
  3. Edit the returned policy document (saved as policy.json) so that kms:Decrypt and kms:ReEncryptFrom are granted only on the specific KMS key ARNs that are required, and replace wildcard action patterns such as kms:* with the explicit actions the principal needs.

  4. Create a new policy version and set it as the default:

    aws iam create-policy-version \
    --policy-arn {{policy-arn}} \
    --policy-document file://policy.json \
    --set-as-default
  5. A managed policy can hold at most five versions, so create-policy-version in step 4 fails if five already exist. Delete an older non-default version first, then repeat step 4:

    aws iam delete-policy-version \
    --policy-arn {{policy-arn}} \
    --version-id {{version-id}}
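The editing in step 3 is the part that is easy to get wrong by hand, so the following is an added example (not code from this page or from any tool it describes) that rewrites a policy document the way the procedure asks: it finds Allow statements that grant kms:Decrypt or kms:ReEncryptFrom (directly or through a pattern such as kms:* or kms:ReEncrypt*) on a wildcard resource, moves those KMS actions into a separate statement limited to an explicit list of key ARNs, and leaves the statement's non-KMS actions on their original resource. The sample policy, the account ID 123456789012, and the key ARN are constructed for the example; feed the output of get-policy-version in as the policy and pass the key ARNs your workload actually uses.

```python
import fnmatch
import json
from copy import deepcopy

# Constructed sample input, not a policy from a real account: one statement mixes
# S3 access with broad KMS permissions on every key, the other is unrelated.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppAccess",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "kms:ReEncrypt*", "kms:Decrypt"],
            "Resource": "*",
        },
        {
            "Sid": "Logs",
            "Effect": "Allow",
            "Action": "logs:PutLogEvents",
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:app:*",
        },
    ],
}

# The KMS actions the remediation wants scoped to named keys.
SENSITIVE_KMS_ACTIONS = ("kms:Decrypt", "kms:ReEncryptFrom")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_resource(resource):
    """A concrete KMS key ARN contains no '*'; anything with one is a wildcard."""
    return any("*" in r for r in _as_list(resource))


def _sensitive_actions_covered(action_patterns):
    """Expand action patterns (IAM action names are case-insensitive) against
    the sensitive KMS actions and return the ones they cover."""
    covered = set()
    for pattern in action_patterns:
        for action in SENSITIVE_KMS_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                covered.add(action)
    return sorted(covered)


def find_wildcard_kms_statements(policy):
    """Return the Sid (or index label) of each Allow statement that grants a
    sensitive KMS action on a wildcard resource. Statements using NotAction or
    NotResource have no Resource key and are not flagged; review those by hand."""
    flagged = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _sensitive_actions_covered(_as_list(stmt.get("Action"))) and _is_wildcard_resource(stmt.get("Resource")):
            flagged.append(stmt.get("Sid", f"Statement[{idx}]"))
    return flagged


def restrict_kms_scope(policy, allowed_key_arns):
    """Return a copy of the policy in which every flagged statement is split:
    actions that do not cover a sensitive KMS action keep the original resource,
    and the sensitive KMS actions are granted explicitly (no wildcard pattern)
    on allowed_key_arns only. Anything a pattern like kms:* covered beyond
    Decrypt/ReEncryptFrom is dropped and must be re-added deliberately."""
    result = deepcopy(policy)
    rewritten = []
    for idx, stmt in enumerate(result.get("Statement", [])):
        actions = _as_list(stmt.get("Action"))
        kms_actions = _sensitive_actions_covered(actions)
        if stmt.get("Effect") != "Allow" or not kms_actions or not _is_wildcard_resource(stmt.get("Resource")):
            rewritten.append(stmt)
            continue
        other_actions = [a for a in actions if not _sensitive_actions_covered([a])]
        if other_actions:
            rewritten.append(dict(stmt, Action=other_actions))
        scoped = {
            "Sid": f"{stmt.get('Sid', f'Stmt{idx}')}KmsScoped",
            "Effect": "Allow",
            "Action": kms_actions,
            "Resource": list(allowed_key_arns),
        }
        if "Condition" in stmt:  # keep any existing condition on the narrowed grant
            scoped["Condition"] = stmt["Condition"]
        rewritten.append(scoped)
    result["Statement"] = rewritten
    return result


if __name__ == "__main__":
    # Hypothetical key ARN; substitute the keys the workload really uses.
    keys = ["arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"]
    print("flagged:", find_wildcard_kms_statements(SAMPLE_POLICY))
    # Write the rewritten document as policy.json for aws iam create-policy-version.
    with open("policy.json", "w") as fh:
        json.dump(restrict_kms_scope(SAMPLE_POLICY, keys), fh, indent=2)
```

Run find_wildcard_kms_statements again on the rewritten document before uploading it; it should return an empty list, and a diff of policy.json against the original version is the record to attach to the change.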

Notes

Grant kms:Decrypt and kms:ReEncryptFrom only on the KMS keys the policy is meant to allow, listed by full key ARN rather than by a wildcard.

Where possible, also narrow the allowed actions so the policy does not rely on broad patterns such as kms:* or kms:ReEncrypt*, which grant these actions implicitly along with others the principal may not need.