🛡️ AWS IAM Group Inline Policy allows KMS decryption actions on all KMS keys🟢

• Contextual name: 🛡️ Group Inline Policy allows KMS decryption actions on all KMS keys🟢
• ID: /ce/ca/aws/iam/group-inline-policy-allows-kms-decrypt-on-all-keys
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS IAM Group Policy
  • 🔌 AWS IAM Group Policy - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys

Description

Open File

Description

This policy checks whether an IAM group inline policy allows KMS decryption actions on all AWS KMS keys.

Rationale

IAM group inline policies should follow least privilege and grant access only to the KMS keys that group members explicitly require.

If a group inline policy allows kms:Decrypt, kms:ReEncryptFrom, or broader KMS decryption-related actions against * or wildcard KMS key ARNs, every principal that inherits the policy through the group can potentially decrypt data protected by keys outside its intended boundary. This increases the blast radius of policy misconfiguration, privilege escalation, and credential misuse.

Impact

Restricting wildcard KMS access can require updates to shared access models, delegated administration workflows, or legacy group-based permissions that currently rely on broad KMS access. Before tightening the policy, identify the exact KMS keys each group member needs and validate the updated access in a non-production environment when possible.

Audit

This policy flags an AWS IAM Group Policy as INCOMPLIANT when all of the following are true:

... see more

Remediation

Open File

Remediation

Restrict KMS key scope

Perform the following to update the IAM group inline policy by replacing wildcard KMS resources with the specific KMS key ARNs that should be allowed and, where possible, narrowing broad KMS actions.

From Command Line

1. Retrieve the current inline policy document:

   aws iam get-group-policy \
       --group-name {{group-name}} \
       --policy-name {{policy-name}}

2. Update the policy document so that KMS decryption permissions are limited to only the specific KMS key ARNs that the group requires.

3. Apply the updated inline policy:

   aws iam put-group-policy \
       --group-name {{group-name}} \
       --policy-name {{policy-name}} \
       --policy-document file://policy.json

Notes

Grant kms:Decrypt and kms:ReEncryptFrom only for the KMS keys that the group inline policy should allow.

Where possible, also narrow the allowed actions so the policy does not rely on broad permissions such as kms:* or kms:ReEncrypt*.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys			3		no data
💼 Cloudaware Framework → 💼 Role-Based Access Control (RBAC) Management			28		no data
💼 FedRAMP High Security Controls → 💼 AC-2 Account Management (L)(M)(H)	10	8	58		no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			32		no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	89		no data
💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H)			22		no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	85		no data
💼 FedRAMP High Security Controls → 💼 AC-6(3) Network Access to Privileged Commands (H)		1	6		no data
💼 FedRAMP Low Security Controls → 💼 AC-2 Account Management (L)(M)(H)			9		no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			89		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2 Account Management (L)(M)(H)	9		58		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			32		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			89		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-5 Separation of Duties (M)(H)			22		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		85		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			185		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			105		no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization			47		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			138		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			190		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			128		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2 Account Management	13	20	57		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management		4	32		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	65		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			36		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control			27		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties			22		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	78		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(3) Least Privilege _ Network Access to Privileged Commands			6		no data