
Ensure Managed IAM Policies: Blocked Actions on KMS Keys

This rule ensures managed IAM policies do not allow blocked actions on KMS keys.

Rule: Ensure managed IAM policies should not allow blocked actions on KMS keys
Framework: FedRAMP Low Revision 4
Severity: Medium

Rule Description

This rule ensures that managed IAM policies do not allow blocked actions on Key Management Service (KMS) keys, specifically for FedRAMP Low Revision 4 compliance.

Troubleshooting Steps

If an IAM policy allows blocked actions on KMS keys for FedRAMP Low Revision 4, you can follow these troubleshooting steps to rectify the issue:

  1. Identify the IAM policy that allows the blocked actions on KMS keys.
  2. Review the permissions granted by the policy.
  3. Determine which actions are blocked based on the FedRAMP Low Revision 4 requirements.
  4. Modify the IAM policy to remove the blocked actions.
  5. Test the modified policy to ensure it now complies with the rule.
  6. Monitor and evaluate IAM policy changes regularly to maintain compliance.

Necessary Code

If the IAM policy needs to be modified, you can use the AWS Command Line Interface (CLI) to update the policy. Here is an example code snippet:

aws iam put-role-policy --role-name <role-name> --policy-name <policy-name> --policy-document file://policy.json

In the command above, replace <role-name> with the name of the IAM role that has the policy attached, <policy-name> with the desired name for the policy, and policy.json with the file containing the modified policy document. Note that put-role-policy writes an inline policy on the role; a customer managed policy is updated instead by publishing a new default version, for example with aws iam create-policy-version --policy-arn <policy-arn> --policy-document file://policy.json --set-as-default.

Step-by-Step Guide for Remediation

To remediate an IAM policy that allows blocked actions on KMS keys for FedRAMP Low Revision 4 compliance, follow these step-by-step instructions:

  1. Identify the IAM policy:
     • Log in to the AWS Management Console.
     • Go to the IAM service.
     • Navigate to the "Policies" section.
     • Search for the policy that needs to be updated.

  2. Review the permissions granted by the policy:
     • Open the identified policy for review.
     • Analyze the list of actions and resources specified in the policy document.

  3. Determine which actions are blocked:
     • Refer to the specific requirements outlined in the FedRAMP Low Revision 4 guidelines.
     • Identify the actions that are considered blocked for compliance.

  4. Modify the IAM policy:
     • Using the AWS CLI or AWS Management Console, open the identified IAM policy for editing.
     • Locate the blocked actions in the policy document.
     • Remove the blocked actions from the policy document.
     • Save the changes to the policy.

  5. Test the modified policy:
     • Create a test user or assign an existing user to the IAM role associated with the policy.
     • Validate that the user can no longer perform the blocked actions on KMS keys.
     • Perform additional testing to ensure that the necessary permissions are still intact.

  6. Monitor and evaluate IAM policy changes:
     • Regularly review and assess IAM policies to ensure ongoing compliance.
     • Establish a process to track and manage any modifications made to the policies.
     • Continuously monitor and evaluate the effectiveness of policy changes.

By following these steps, you can ensure that managed IAM policies do not allow blocked actions on KMS keys for FedRAMP Low Revision 4 compliance.
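Steps 2 to 4 above (review the policy document, find the blocked KMS actions, remove them) can be done against the policy JSON before it is uploaded with the CLI. The script below is an added example, not Cloud Defense code; the blocked-action list and the sample policy are constructed for illustration, and it handles the cases that a plain text search misses: wildcard grants such as kms:*, Allow statements that use NotAction, and string-versus-list Action values.

```python
import json
from fnmatch import fnmatchcase

# Assumed blocked list for illustration; substitute the actions your baseline blocks.
BLOCKED_KMS_ACTIONS = ("kms:Decrypt", "kms:ReEncryptFrom", "kms:ScheduleKeyDeletion")

# Constructed sample policy: one explicit grant, one wildcard grant, one Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
        {"Effect": "Allow", "Action": "kms:*", "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"},
        {"Effect": "Deny", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"},
    ],
}

def _as_list(value):  # IAM accepts a single value or a list for Statement/Action/NotAction
    return [] if value is None else ([value] if isinstance(value, (str, dict)) else list(value))

def _covers(pattern, action):  # IAM matching is case-insensitive with '*'/'?' wildcards
    return fnmatchcase(action.lower(), pattern.lower())

def find_blocked_grants(policy, blocked=BLOCKED_KMS_ACTIONS):
    """(statement_index, granting_pattern, blocked_action) for each Allow that covers a blocked action."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # Allow + NotAction grants everything not excluded
            hits += [(i, "NotAction", b) for b in blocked
                     if not any(_covers(p, b) for p in _as_list(stmt["NotAction"]))]
        else:
            hits += [(i, pat, b) for pat in _as_list(stmt.get("Action"))
                     for b in blocked if _covers(pat, b)]
    return hits

def strip_blocked_actions(policy, blocked=BLOCKED_KMS_ACTIONS):
    """Deep copy with explicitly named blocked actions removed. Wildcards such as 'kms:*'
    are left for manual narrowing so needed permissions are not dropped silently."""
    blocked_lower = {b.lower() for b in blocked}
    out, kept = json.loads(json.dumps(policy)), []
    for stmt in _as_list(out.get("Statement")):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            acts = [a for a in _as_list(stmt["Action"]) if a.lower() not in blocked_lower]
            if not acts:  # a statement with no actions left is invalid, so drop it
                continue
            stmt["Action"] = acts
        kept.append(stmt)
    out["Statement"] = kept
    return out
```

Run find_blocked_grants on the stripped output as well: anything still reported comes from a wildcard or NotAction grant that has to be narrowed by hand before the policy is uploaded.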
