π§ AWS KMS Key Policy allows public access - prod.logic.yamlπ’
- Contextual name: π§ prod.logic.yamlπ’
- ID:
/ce/ca/aws/kms/key-policy-public/prod.logic.yaml - Tags:
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Usesβ
- π AWS KMS Key
- π AWS KMS Key - object.extracts.yaml
- π§ͺ test-data.json
Test Results π’β
Generated at: 2026-01-12T19:24:41.076231082Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | test1 | βοΈ 99 | βοΈ isDisappeared(CA10__disappearanceTime__c) | βοΈ null |
| π’ | test2 | βοΈ 199 | βοΈ extract('CA10__state__c') != 'Enabled' | βοΈ null |
| π’ | test3 | βοΈ 299 | βοΈ CA10__AWS_KMS_Key_Policies__r.has(INCOMPLIANT) | βοΈ null |
| π’ | test4 | βοΈ 399 | βοΈ CA10__AWS_KMS_Key_Policies__r.has(COMPLIANT) | βοΈ null |
| π’ | test5 | βοΈ 400 | βοΈ otherwise | βοΈ null |
Generation Bundleβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/aws/kms/key-policy-public/policy.yaml | E83682D4EBB726ED47F4536BE55E8853 |
| Open | /ce/ca/aws/kms/key-policy-public/prod.logic.yaml | E38FB14FCEC3B4B0B021B4BE5B70B7D8 |
| Open | /ce/ca/aws/kms/key-policy-public/test-data.json | 933041B79B062F852616E063E3DFA08F |
| Open | /types/CA10__CaAwsKmsKey__c/object.extracts.yaml | EC6D0EFD0BFEAB3447A84529724D4AFE |
Available Commandsβ
repo-manager policies generate FULL /ce/ca/aws/kms/key-policy-public/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/aws/kms/key-policy-public/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/aws/kms/key-policy-public/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/aws/kms/key-policy-public/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/aws/kms/key-policy-public/prod.logic.yaml
Contentβ
---
inputType: "CA10__CaAwsKmsKey__c"
testData:
- file: "test-data.json"
importExtracts:
- file: "/types/CA10__CaAwsKmsKey__c/object.extracts.yaml"
conditions:
- status: "INAPPLICABLE"
currentStateMessage: "The key is not enabled."
check:
NOT_EQUAL:
left:
EXTRACT: CA10__state__c
right:
TEXT: "Enabled"
- status: "INCOMPLIANT"
currentStateMessage: "The KMS Key Policy allows anonymous access."
remediationMessage: "Modify the key policy to remove statements where the Principal is '*'."
check:
RELATED_LIST_HAS:
status: "INCOMPLIANT"
relationshipName: "CA10__AWS_KMS_Key_Policies__r"
- status: "COMPLIANT"
currentStateMessage: "The KMS Key policy does not allow anonymous access."
check:
RELATED_LIST_HAS:
status: "COMPLIANT"
relationshipName: "CA10__AWS_KMS_Key_Policies__r"
otherwise:
status: "UNDETERMINED"
currentStateMessage: "The Key Policy is not present in the CMDB."
relatedLists:
- relationshipName: "CA10__AWS_KMS_Key_Policies__r"
conditions:
- status: "INCOMPLIANT"
currentStateMessage: "The KMS Key Policy allows anonymous access."
remediationMessage: "Modify the key policy to remove statements where the Principal is '*'."
check:
AWS_POLICY_ALLOWS:
widestAcceptableAccessLevel: "EXTERNAL_PRINCIPAL"
policyExtField: "CA10__policyDocumentExt__c"
actions:
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:ReEncryptFrom"
- "kms:ReEncryptTo"
- "kms:GenerateDataKey"
- "kms:CreateGrant"
- "kms:DescribeKey"
- "kms:EnableKey"
- "kms:PutKeyPolicy"
- "kms:GetKeyPolicy"
- "kms:ScheduleKeyDeletion"
- "kms:CancelKeyDeletion"
- "kms:RotateKeyOnDemand"
otherwise:
status: "COMPLIANT"
currentStateMessage: "The KMS Key policy does not allow anonymous or public access."