💼 [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
- ID:
/frameworks/aws-fsbp-v1.0.0/kms/01
Description
With AWS KMS, you control who can use your KMS keys and gain access to your
encrypted data. IAM policies define which actions an identity (user, group,
or role) can perform on which resources. Following security best practices,
AWS recommends that you allow least privilege. In other words, you should
grant to identities only the kms:Decrypt or kms:ReEncryptFrom permissions and
only for the keys that are required to perform a task. Otherwise, the user
might use keys that are not appropriate for your data.
Similar
- AWS Security Hub
- Internal
- ID:
dec-c-63399d40
- ID:
Similar Sections (Give Policies To)
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-2 Account Management | 13 | 20 | 57 | no data | |
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management | 4 | 32 | no data | ||
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement | 15 | 5 | 65 | no data | |
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control | 36 | no data | |||
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control | 27 | no data | |||
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties | 22 | no data | |||
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege | 10 | 23 | 78 | no data | |
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-6(3) Least Privilege _ Network Access to Privileged Commands | 6 | no data |
Sub Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|
Policies (1)
| Policy | Logic Count | Flags | Compliance |
|---|---|---|---|
| 🛡️ AWS IAM Customer Managed Policy allows KMS decryption actions on all KMS keys🟢 | 1 | 🟢 x6 | no data |