
IAM Customer Managed Policies Rule

This rule focuses on restricting decryption actions on all KMS keys within IAM customer managed policies.

Rule: IAM customer managed policies should not allow decryption actions on all KMS keys
Framework: AWS Foundational Security Best Practices
Severity: Medium

IAM Customer Managed Policies - AWS Foundational Security Best Practices

Rule Description:

Under AWS Foundational Security Best Practices, IAM customer managed policies should not allow decryption actions on all KMS keys. This rule helps protect sensitive data by ensuring that permission to decrypt every KMS key is not granted to IAM users or roles.

Reasoning:

Allowing unrestricted decryption actions on all KMS keys poses a significant security risk. A principal holding such a permission can gain unauthorized access to sensitive information and compromise the confidentiality of data stored in any AWS service that uses KMS for encryption.

Remediation:

The following steps outline how to remediate this issue by updating the IAM customer managed policies to restrict decryption actions on specific KMS keys:

  1. Identify the affected IAM policies:

     • Review all existing customer managed policies in IAM to identify those that allow decryption actions (kms:Decrypt) on all KMS keys.

  2. Update the affected policies:

     • Overwrite the existing policies and remove the permissions that allow decryption actions on all KMS keys.
     • Review the individual decryption permissions required for specific KMS keys and include only the necessary permissions.

  3. Restrict decryption actions to specific KMS keys:

     • Modify the policies to allow decryption actions on the required KMS keys only.
     • Update the policies with the appropriate KMS key ARNs (Amazon Resource Names) and restrict decryption permissions to the specific keys needed for the intended use case.

  4. Verify and test the updated policies:

     • Validate that the changes made to the IAM policies have successfully restricted decryption actions to specific KMS keys.
     • Test the policies by attempting to decrypt data using keys that should no longer have decryption permissions.
     • Ensure that the relevant IAM users or roles have limited access and are able to perform decryption only on the necessary KMS keys.
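As an added example (not from this page or from Cloud Defense), the following Python check implements steps 1 to 3 offline: it scans a policy document for Allow statements that grant a decryption action on every KMS key, taking into account IAM's wildcard and case-insensitive action matching, and is shown against a constructed non-compliant policy and its scoped-down replacement. The account ID and key ID in the sample ARNs are placeholders, and kms:ReEncryptFrom is included alongside kms:Decrypt because the Security Hub control treats it as a decryption action.

```python
import fnmatch
import json

# Actions treated as decryption: kms:ReEncryptFrom decrypts under the source key.
DECRYPT_ACTIONS = ("kms:Decrypt", "kms:ReEncryptFrom")

# Constructed sample: decryption allowed on every KMS key (what the rule flags).
NON_COMPLIANT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "kms:Decrypt"], "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:*", "Resource": "arn:aws:kms:us-east-1:111122223333:key/*"}
  ]
}""")

# Constructed sample: the same access scoped to a single key ARN (placeholder IDs).
COMPLIANT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}
  ]
}""")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _covers_decrypt(action_pattern):
    """IAM action matching is case-insensitive and '*' / '?' act as wildcards."""
    return any(fnmatch.fnmatchcase(a.lower(), action_pattern.lower()) for a in DECRYPT_ACTIONS)


def _is_all_keys(resource):
    """'*' or a KMS ARN whose key-id segment is a wildcard covers every key."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)
    return len(parts) == 6 and parts[2] == "kms" and parts[5] in ("*", "key/*")


def offending_statements(policy):
    """Indexes of Allow statements granting a decryption action on all KMS keys.
    Condition blocks are not evaluated; NotAction/NotResource statements are skipped."""
    hits = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt or "Resource" not in stmt:
            continue
        if any(_covers_decrypt(a) for a in _as_list(stmt["Action"])) and \
                any(_is_all_keys(r) for r in _as_list(stmt["Resource"])):
            hits.append(idx)
    return hits
```

Run the check over each policy returned by the IAM ListPolicies / GetPolicyVersion APIs (default version) to complete step 1 across an account; an empty result for a policy means it no longer grants decryption on all keys.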

Troubleshooting:

If users are unable to decrypt data even with the correct permissions, consider the following troubleshooting steps:

  1. Verify the policy changes:

     • Double-check the updated IAM policies to ensure that the correct KMS key ARNs are included.
     • Confirm that decryption permissions (kms:Decrypt) are allowed only on the specific KMS keys required.

  2. Check IAM user or role permissions:

     • Ensure that the IAM users or roles being used to decrypt the data are associated with the updated policies.
     • Confirm that these users or roles have the necessary permissions for decryption on the specified KMS keys.

  3. Review key policies for conflicts:

     • Examine the key policies for the affected KMS keys to ensure that they are consistent with the desired decryption permissions.
     • Confirm that the IAM users or roles have the necessary key policy permissions for decryption on the specified KMS keys.

  4. Verify KMS key configuration:

     • Check the KMS key configuration to ensure that it is correctly set up and functional.
     • Ensure the key is not disabled or in a state that prevents decryption actions.

Additional Resources:

Note: It is recommended to follow AWS security best practices and perform regular audits to ensure that IAM policies are aligned with the principle of least privilege, limiting access to sensitive resources such as KMS keys.
