AWS IAM User Inline Policy allows KMS decryption actions on all KMS keys - prod.logic.yaml 🟢
- Contextual name: prod.logic.yaml 🟢
- ID: /ce/ca/aws/iam/user-inline-policy-allows-kms-decrypt-on-all-keys/prod.logic.yaml
- Tags:
  - 🟢 Logic test success
  - 🟢 Logic with extracts
  - 🟢 Logic with test data
Uses
Test Results 🟢
Generated at: 2026-04-25T12:03:17.720388449Z
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| 🟢 | test1 | 99 | isDisappeared(CA10__disappearanceTime__c) | null |
| 🟢 | test2 | 101 | CA10__policyDocument__c.delegatedTo(CA10__policyDocument__c).isEmpty() | null |
| 🟢 | test3 | 199 | extract('caJsonFrom_policyDocument__c').jsonQueryText('type(Statement)') == 'array' && extract('caJsonFrom_policyDocument__c').jsonQueryText('length(Statement[? Effect == \'Allow\' && (((type(Action) == \'array\') && (contains(Action, \'kms:Decrypt\') || contains(Action, \'kms:ReEncryptFrom\') || contains(Action, \'kms:*\') || contains(Action, \'kms:ReEncrypt*\'))) || ((type(Action) == \'string\') && (Action == \'kms:Decrypt\' || Action == \'kms:ReEncryptFrom\' || Action == \'kms:*\' || Action == \'kms:ReEncrypt*\'))) && (((type(Resource) == \'array\') && (contains(Resource, \'*\') || length(Resource[? (starts_with(@, \'arn:aws:kms:\') || starts_with(@, \'arn:*:kms:\')) && contains(@, \':key/*\')]) > 0)) || ((type(Resource) == \'string\') && (Resource == \'*\' || ((starts_with(Resource, \'arn:aws:kms:\') || starts_with(Resource, \'arn:*:kms:\')) && contains(Resource, \':key/*\')))))])') > number(0.0) | null |
| 🟢 | test4 | 299 | extract('caJsonFrom_policyDocument__c').jsonQueryText('(Statement.Effect == \'Allow\') && ((((type(Statement.Action) == \'string\') && (Statement.Action == \'kms:Decrypt\' || Statement.Action == \'kms:ReEncryptFrom\' || Statement.Action == \'kms:*\' || Statement.Action == \'kms:ReEncrypt*\')) || ((type(Statement.Action) == \'array\') && (contains(Statement.Action, \'kms:Decrypt\') || contains(Statement.Action, \'kms:ReEncryptFrom\') || contains(Statement.Action, \'kms:*\') || contains(Statement.Action, \'kms:ReEncrypt*\')))) && (((type(Statement.Resource) == \'string\') && (Statement.Resource == \'*\' || ((starts_with(Statement.Resource, \'arn:aws:kms:\') || starts_with(Statement.Resource, \'arn:*:kms:\')) && contains(Statement.Resource, \':key/*\')))) || ((type(Statement.Resource) == \'array\') && (contains(Statement.Resource, \'*\') || length(Statement.Resource[? (starts_with(@, \'arn:aws:kms:\') || starts_with(@, \'arn:*:kms:\')) && contains(@, \':key/*\')]) > 0))))') == true | null |
| 🟢 | test5 | 300 | otherwise | null |
Generation Bundle
| File | MD5 |
|---|---|
| /ce/ca/aws/iam/user-inline-policy-allows-kms-decrypt-on-all-keys/policy.yaml | FF86EB514B8E5987DED4B55AFA907966 |
| /ce/ca/aws/iam/user-inline-policy-allows-kms-decrypt-on-all-keys/prod.logic.yaml | 17B3B802624E2EE866021A39BEDE0C34 |
| /ce/ca/aws/iam/user-inline-policy-allows-kms-decrypt-on-all-keys/test-data.json | 8DD39649A7447CB7CB37FCF16DD3968B |
| /types/CA10__CaAwsUserPolicy__c/object.extracts.yaml | C8DDEAE5AB42BDF9107A1D6D6F0A9276 |
Available Commands
```shell
repo-manager policies generate FULL /ce/ca/aws/iam/user-inline-policy-allows-kms-decrypt-on-all-keys/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/aws/iam/user-inline-policy-allows-kms-decrypt-on-all-keys/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/aws/iam/user-inline-policy-allows-kms-decrypt-on-all-keys/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/aws/iam/user-inline-policy-allows-kms-decrypt-on-all-keys/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/aws/iam/user-inline-policy-allows-kms-decrypt-on-all-keys/prod.logic.yaml
```
Content
```yaml
---
inputType: "CA10__CaAwsUserPolicy__c"
testData:
  - file: "test-data.json"
importExtracts:
  - file: "/types/CA10__CaAwsUserPolicy__c/object.extracts.yaml"
conditions:
  - status: "INCOMPLIANT"
    currentStateMessage: "This IAM user inline policy allows KMS decryption actions on all KMS keys."
    remediationMessage: "Restrict KMS decryption permissions to only the specific KMS keys that the user inline policy should allow."
    check:
      AND:
        args:
          # Handle policies where Statement is an array. We count only statements
          # that combine Allow + decrypt-related KMS action + wildcard KMS key scope.
          # Wildcard scope includes Resource == '*' and KMS key ARNs ending with ':key/*'.
          - IS_EQUAL:
              left:
                JSON_QUERY_TEXT:
                  arg:
                    EXTRACT: "caJsonFrom_policyDocument__c"
                  expression: "type(Statement)"
                  undeterminedIf:
                    evaluationError: "The JSON query has failed."
                    resultTypeMismatch: "The JSON query did not return text type."
              right:
                TEXT: "array"
          - GREATER_THAN:
              left:
                JSON_QUERY_NUMBER:
                  arg:
                    EXTRACT: "caJsonFrom_policyDocument__c"
                  expression: "length(Statement[? Effect == 'Allow' && (((type(Action) == 'array') && (contains(Action, 'kms:Decrypt') || contains(Action, 'kms:ReEncryptFrom') || contains(Action, 'kms:*') || contains(Action, 'kms:ReEncrypt*'))) || ((type(Action) == 'string') && (Action == 'kms:Decrypt' || Action == 'kms:ReEncryptFrom' || Action == 'kms:*' || Action == 'kms:ReEncrypt*'))) && (((type(Resource) == 'array') && (contains(Resource, '*') || length(Resource[? (starts_with(@, 'arn:aws:kms:') || starts_with(@, 'arn:*:kms:')) && contains(@, ':key/*')]) > `0`)) || ((type(Resource) == 'string') && (Resource == '*' || ((starts_with(Resource, 'arn:aws:kms:') || starts_with(Resource, 'arn:*:kms:')) && contains(Resource, ':key/*')))))])"
                  undeterminedIf:
                    evaluationError: "The JSON query has failed."
                    resultTypeMismatch: "The JSON query did not return number type."
              right:
                NUMBER: 0.0
  - status: "INCOMPLIANT"
    currentStateMessage: "This IAM user inline policy allows KMS decryption actions on all KMS keys."
    remediationMessage: "Restrict KMS decryption permissions to only the specific KMS keys that the user inline policy should allow."
    check:
      # Handle policies where Statement is a single object instead of an array.
      # The expression verifies the same three requirements in one statement:
      # Allow effect, decrypt-related KMS action, and wildcard KMS key scope.
      # Wildcard scope includes Resource == '*' and KMS key ARNs ending with ':key/*'.
      IS_EQUAL:
        left:
          JSON_QUERY_BOOLEAN:
            arg:
              EXTRACT: "caJsonFrom_policyDocument__c"
            expression: "(Statement.Effect == 'Allow') && ((((type(Statement.Action) == 'string') && (Statement.Action == 'kms:Decrypt' || Statement.Action == 'kms:ReEncryptFrom' || Statement.Action == 'kms:*' || Statement.Action == 'kms:ReEncrypt*')) || ((type(Statement.Action) == 'array') && (contains(Statement.Action, 'kms:Decrypt') || contains(Statement.Action, 'kms:ReEncryptFrom') || contains(Statement.Action, 'kms:*') || contains(Statement.Action, 'kms:ReEncrypt*')))) && (((type(Statement.Resource) == 'string') && (Statement.Resource == '*' || ((starts_with(Statement.Resource, 'arn:aws:kms:') || starts_with(Statement.Resource, 'arn:*:kms:')) && contains(Statement.Resource, ':key/*')))) || ((type(Statement.Resource) == 'array') && (contains(Statement.Resource, '*') || length(Statement.Resource[? (starts_with(@, 'arn:aws:kms:') || starts_with(@, 'arn:*:kms:')) && contains(@, ':key/*')]) > `0`))))"
            undeterminedIf:
              evaluationError: "The JSON query has failed."
              resultTypeMismatch: "The JSON query did not return boolean type."
        right:
          BOOLEAN: true
otherwise:
  status: "COMPLIANT"
  currentStateMessage: "This IAM user inline policy does not allow KMS decryption actions on all KMS keys."
```
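The two JMESPath conditions above (array-of-statements and single-object statement) encode one decision: an Allow statement whose Action contains one of the four literal strings `kms:Decrypt`, `kms:ReEncryptFrom`, `kms:*` or `kms:ReEncrypt*`, and whose Resource is `*` or a KMS ARN containing `:key/*`. The following Python is an added example, not code from the policy repository, that re-implements that decision as plain functions so it can be run against an inline policy document offline. The sample policy documents (account id `111122223333`, key id `EXAMPLE-KEY-ID`) are constructed placeholders; the function names are mine, not the repo-manager API.

```python
import json

# The four action strings the page's JMESPath expression treats as decrypt-capable.
# They are compared literally, exactly as the policy logic does (no glob expansion).
DECRYPT_ACTIONS = {"kms:Decrypt", "kms:ReEncryptFrom", "kms:*", "kms:ReEncrypt*"}


def _as_list(value):
    """Normalise an IAM string-or-list field to a list; a missing field becomes []."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_all_keys_resource(resource):
    """Wildcard KMS key scope as the logic defines it: '*' or a KMS ARN with ':key/*'."""
    if not isinstance(resource, str):
        return False
    if resource == "*":
        return True
    kms_arn = resource.startswith("arn:aws:kms:") or resource.startswith("arn:*:kms:")
    return kms_arn and ":key/*" in resource


def statement_grants_decrypt_on_all_keys(stmt):
    """One statement must satisfy all three requirements: Allow, decrypt action, wildcard key scope."""
    if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action"))
    if not any(isinstance(a, str) and a in DECRYPT_ACTIONS for a in actions):
        return False
    return any(is_all_keys_resource(r) for r in _as_list(stmt.get("Resource")))


def count_offending_statements(policy_document):
    """Mirror of the page's two conditions: Statement may be an array or a single object."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    statements = policy_document.get("Statement")
    if isinstance(statements, dict):
        statements = [statements]          # single-object form (second condition)
    elif not isinstance(statements, list):
        return 0                           # no Statement at all: nothing to flag
    return sum(1 for s in statements if statement_grants_decrypt_on_all_keys(s))


def evaluate(policy_document):
    """Return the status the policy logic would assign to this inline policy."""
    return "INCOMPLIANT" if count_offending_statements(policy_document) > 0 else "COMPLIANT"


# Constructed sample documents (placeholder account id and key id).
SAMPLE_WILDCARD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "kms:Decrypt"], "Resource": "*"},
        {"Effect": "Allow", "Action": "kms:DescribeKey", "Resource": "*"},
    ],
}
SAMPLE_WILDCARD_JSON = json.dumps(SAMPLE_WILDCARD)
SAMPLE_KEY_WILDCARD_ARN = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "kms:ReEncryptFrom",
        "Resource": ["arn:aws:kms:us-east-1:111122223333:key/*"],
    },
}
SAMPLE_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
        {"Effect": "Deny", "Action": "kms:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in [("wildcard", SAMPLE_WILDCARD),
                      ("key-wildcard-arn", SAMPLE_KEY_WILDCARD_ARN),
                      ("scoped", SAMPLE_SCOPED)]:
        print(f"{name}: {evaluate(doc)} ({count_offending_statements(doc)} offending statement(s))")
```

Like the page's expressions, this compares action names literally and looks only at Effect, Action and Resource; a `Deny` statement is never counted, and statements with only non-decrypt KMS actions such as `kms:DescribeKey` do not trigger the finding.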