💼 [KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys

• ID: /frameworks/aws-fsbp-v1.0.0/kms/02

Description

With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the permissions they need and only for keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.

Similar

• AWS Security Hub
  • https://docs.aws.amazon.com/securityhub/latest/userguide/kms-controls.html#kms-2
• Internal
  • ID: dec-c-0ecbf812

Similar Sections (Give Policies To)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 NIST SP 800-53 Revision 5 → 💼 AC-2 Account Management	13	20	57		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management		4	32		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	65		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			36		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control			27		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties			22		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	78		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(3) Least Privilege _ Network Access to Privileged Commands			6		no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance

Policies (3)

Policy	Logic Count	Flags	Compliance
🛡️ AWS IAM Group Inline Policy allows KMS decryption actions on all KMS keys🟢	1	🟢 x6	no data
🛡️ AWS IAM Role Inline Policy allows KMS decryption actions on all KMS keys🟢	1	🟢 x6	no data
🛡️ AWS IAM User Inline Policy allows KMS decryption actions on all KMS keys🟢	1	🟢 x6	no data