Remediation
Update KMS Key Policy
From Command Line
- Retrieve the existing key policy and save it locally. A KMS key has exactly one key policy and its name is always "default"; --output text writes the policy document itself rather than a JSON-wrapped, escaped string, so the file can be edited directly:
aws kms get-key-policy \
--key-id {{key-id}} \
--policy-name default \
--output text > policy.json
- Review and update policy.json to remove any statements that grant permissions to all principals (a Principal element of "*" or {"AWS": "*"}). Ensure that access is restricted to explicitly defined and trusted AWS principals and that only the minimum required permissions are granted. The identity that will run put-key-policy must still be allowed kms:PutKeyPolicy by the edited document (typically through the account root statement, arn:aws:iam::<account-id>:root); otherwise KMS rejects the update with its policy lockout safety check, and bypassing that check would leave the key unmanageable.
- Apply the updated key policy:
aws kms put-key-policy \
--key-id {{key-id}} \
--policy-name default \
--policy file://policy.json
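The review step is the one that is easy to get wrong by hand, so here is the whole procedure's middle step worked through in Python. This is an added example, not code from the original page or from the AWS CLI: it reads the file written by get-key-policy, lists every Allow statement whose Principal is "*" or {"AWS": "*"}, drops the ones that carry no Condition, keeps the conditioned ones for manual review (a "*" principal narrowed by kms:CallerAccount or kms:ViaService is a common and legitimate pattern), and refuses to write a result that would no longer let any named principal call kms:PutKeyPolicy. The sample policy, its Sids, the file names and the account ID 111122223333 are constructed for the example.

```python
"""Review a KMS key policy saved by `aws kms get-key-policy --output text`
for statements that grant access to every principal."""
import copy
import json

# Constructed sample policy (not a real key policy): an admin statement for
# the account root, an unrestricted "*" statement, and a "*" statement that
# a Condition narrows to callers from one account.
SAMPLE_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowEveryone", "Effect": "Allow", "Principal": "*",
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    {"Sid": "AllowAnyPrincipalInAccount", "Effect": "Allow",
     "Principal": {"AWS": "*"}, "Action": "kms:Decrypt", "Resource": "*",
     "Condition": {"StringEquals": {"kms:CallerAccount": "111122223333"}}}
  ]
}"""


def load_sample_policy():
    """Parse the constructed sample so callers need not import json."""
    return json.loads(SAMPLE_POLICY_JSON)


def _as_list(value):
    # IAM allows a bare string wherever a list is accepted.
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True if the Principal element matches every AWS principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def classify_statements(policy):
    """Return (unrestricted, conditional): Sids of Allow statements with a
    wildcard Principal, split by whether a Condition element narrows them."""
    unrestricted, conditional = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        (conditional if stmt.get("Condition") else unrestricted).append(sid)
    return unrestricted, conditional


def remove_unrestricted_wildcards(policy):
    """Copy of the policy without unconditioned wildcard Allow statements.
    Conditioned ones are left in place for a human to review."""
    hardened = copy.deepcopy(policy)
    hardened["Statement"] = [
        s for s in _as_list(policy.get("Statement", []))
        if not (s.get("Effect") == "Allow"
                and is_wildcard_principal(s.get("Principal"))
                and not s.get("Condition"))
    ]
    return hardened


def retains_admin_access(policy):
    """Lock-out guard: some non-wildcard Allow statement must still grant
    kms:PutKeyPolicy, either directly or through kms:*."""
    for s in _as_list(policy.get("Statement", [])):
        if s.get("Effect") != "Allow" or is_wildcard_principal(s.get("Principal")):
            continue
        if any(a in ("kms:*", "kms:PutKeyPolicy") for a in _as_list(s.get("Action", []))):
            return True
    return False


def harden_policy_file(src="policy.json", dst="policy.hardened.json"):
    """Rewrite src into dst; returns the Sids removed and those left for review."""
    with open(src) as fh:
        policy = json.load(fh)
    unrestricted, conditional = classify_statements(policy)
    hardened = remove_unrestricted_wildcards(policy)
    if not retains_admin_access(hardened):
        raise SystemExit("refusing to write a policy that would lock out key administrators")
    with open(dst, "w") as fh:
        json.dump(hardened, fh, indent=2)
    return unrestricted, conditional


if __name__ == "__main__":
    policy = load_sample_policy()
    removed, review = classify_statements(policy)
    print("removed:", removed, "needs manual review:", review)
    print(json.dumps(remove_unrestricted_wildcards(policy), indent=2))
```

Feed the output file to put-key-policy only after checking the "needs manual review" list yourself; the script deliberately does not decide whether a conditioned wildcard is acceptable, because that depends on what the condition keys actually restrict.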