🛡️ AWS KMS Key Policy allows public access🟢

Contextual name: 🛡️ Key Policy allows public access🟢
ID: /ce/ca/aws/kms/key-policy-public
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS KMS Key
- 🔌 AWS KMS Key - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [KMS.5] KMS keys should not be publicly accessible

Description

Description

This policy identifies AWS KMS Keys whose key policies permit anonymous or unrestricted access.

Specifically, it evaluates key policy statements that grant permissions to all principals (using *) without sufficient restrictive conditions to limit access to trusted and authorized AWS identities.

Rationale

A misconfigured KMS key policy that allows public access can expose sensitive data to unauthorized use. Attackers may be able to decrypt data stored in services such as Amazon S3, RDS, or EBS, or misuse the key to encrypt their own data, potentially associating the key with malicious activities.

Additionally, allowing unrestricted access to administrative actions (for example, kms:PutKeyPolicy) could enable an attacker to take full control of the key, modify its policy, and permanently lock out legitimate owners.

Audit

This policy flags an AWS KMS key as INCOMPLIANT if its related KMS Key Policy allows the following kms: actions:

kms:Encrypt

kms:Decrypt

kms:ReEncryptFrom

kms:ReEncryptTo

... see more

Remediation

Open File

Remediation

Update KMS Key Policy

From Command Line
Retrieve the existing key policy and save it locally:
aws kms get-key-policy \
    --key-id {{key-id}} \
    --policy-name default \
    --output text > policy.json
Review and update policy.json to remove any statements that grant permissions to all principals ("*").

Ensure that access is restricted to explicitly defined and trusted AWS principals and that only the minimum required permissions are granted.
Apply the updated key policy:
aws kms put-key-policy \
    --key-id {{key-id}} \
    --policy-name default \
    --policy file://policy.json

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [KMS.5] KMS keys should not be publicly accessible			1		no data
💼 Cloudaware Framework → 💼 Public and Anonymous Access			113		no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Update KMS Key Policy​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Audit

Remediation

Remediation

Update KMS Key Policy

From Command Line

policy.yaml

Linked Framework Sections