Rule: KMS Key Decryption Restricted in IAM Customer Managed Policy

This rule ensures proper restriction of KMS key decryption in IAM customer managed policy.

Rule: KMS key decryption should be restricted in IAM customer managed policy
Framework: HIPAA
Severity: Medium

KMS Key Decryption Restriction in IAM Customer Managed Policy for HIPAA

Description

In order to maintain compliance with the Health Insurance Portability and Accountability Act (HIPAA), it is important to restrict who can decrypt with AWS Key Management Service (KMS) keys. By implementing proper access controls in the IAM (Identity and Access Management) customer managed policy, you can ensure that only authorized entities have the permissions needed to use those KMS keys to decrypt sensitive data.

Troubleshooting Steps

If users or roles are unable to decrypt KMS keys when they should have the necessary permissions, follow these troubleshooting steps:

  1. Verify the user/role permissions: Check whether the affected user or role has the required kms:Decrypt permission in their IAM policy. Ensure that the policy is correctly attached and references the correct KMS key resource.
  2. Examine the KMS key policy: Review the key policy associated with the KMS key in question. Ensure that the affected user or role is listed in the Principal section of the policy with the necessary decryption permissions.
  3. Check key attributes: Confirm that the affected KMS key has the necessary attributes configured, such as rotation status and key usage permissions.
  4. Logging and monitoring: Use AWS CloudTrail and CloudWatch Logs to monitor and debug any potential issues with KMS key decryption. Check for the relevant API events and error messages in the logs.

Necessary Codes

If you need to update an IAM customer managed policy to restrict KMS key decryption for HIPAA compliance, refer to the code snippets below:

Example 1: Restricting KMS key decryption for a specific role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RestrictKMSDecryption",
            "Effect": "Deny",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id",
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::123456789012:role/allowed-role-1",
                        "arn:aws:iam::123456789012:role/allowed-role-2"
                    ]
                }
            }
        }
    ]
}

In this example, the IAM policy denies the kms:Decrypt action on the specified KMS key (arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id) for all entities except the allowed roles (allowed-role-1 and allowed-role-2).

Example 2: Restricting KMS key decryption for a specific user

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RestrictKMSDecryption",
            "Effect": "Deny",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id",
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": "arn:aws:iam::123456789012:user/allowed-user"
                }
            }
        }
    ]
}

In this example, the IAM policy denies the kms:Decrypt action on the specified KMS key (arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id) for all entities except the allowed user (allowed-user).

Remediation Steps

To remediate the issue and implement the KMS key decryption restriction policy for HIPAA compliance, follow these step-by-step guides:

  1. Identify the KMS key: Determine the KMS key(s) that need to have decryption restrictions in place.
  2. Update or create an IAM policy: Modify an existing IAM customer managed policy or create a new one that includes the necessary Deny statement for the kms:Decrypt action.
  3. Define the allowed roles or users: Update the policy's StringNotLike condition with the ARN(s) of the allowed IAM roles or users.
  4. Attach the policy: Attach the updated or new IAM policy to the appropriate IAM roles or users that require KMS key decryption access.
  5. Test the policy: Verify that the decryption restriction policy works as intended by attempting to decrypt with the KMS key using an unauthorized role or user. The action should be denied.

By following these steps, you can restrict KMS key decryption according to HIPAA compliance guidelines, ensuring that only authorized entities can access sensitive data.
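As an added example (not Cloud Defense's own code), the following script checks a customer managed policy document offline: it flags Allow statements that grant kms:Decrypt on every key with no Condition (the condition this rule is looking for), and it evaluates the Deny + StringNotLike pattern from Example 1 for a given principal ARN, which is what remediation step 5 tests against the live account. The two policy documents are constructed samples that reuse the ARNs shown on this page.

```python
import fnmatch

KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id"
# Constructed sample: the Deny + StringNotLike pattern from Example 1 above
RESTRICTED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "RestrictKMSDecryption", "Effect": "Deny",
    "Action": ["kms:Decrypt"], "Resource": KEY_ARN,
    "Condition": {"StringNotLike": {"aws:PrincipalArn": [
        "arn:aws:iam::123456789012:role/allowed-role-1",
        "arn:aws:iam::123456789012:role/allowed-role-2"]}}}]}
# Constructed sample of what the rule flags: unconditional decrypt on every key
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BroadDecrypt", "Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}

def _as_list(value):
    # Action, Resource and condition values may be a single string or a list
    return value if isinstance(value, list) else [value]

def _covers_decrypt(stmt):
    # IAM action names are case-insensitive and may use '*' wildcards
    return any(fnmatch.fnmatchcase("kms:decrypt", a.lower())
               for a in _as_list(stmt.get("Action", [])))

def _principal_allow_listed(condition, principal_arn):
    # StringNotLike/StringNotEquals on aws:PrincipalArn: the Deny does NOT apply
    # when the caller matches any listed pattern, so those ARNs are the allow-list
    for op in ("StringNotLike", "StringNotEquals"):
        for pat in _as_list(condition.get(op, {}).get("aws:PrincipalArn", [])):
            if fnmatch.fnmatchcase(principal_arn, pat):
                return True
    return False

def find_unrestricted_decrypt(policy):
    """Sids of Allow statements granting kms:Decrypt on Resource '*' with no Condition."""
    return [stmt.get("Sid", "<no Sid>") for stmt in _as_list(policy["Statement"])
            if stmt.get("Effect") == "Allow" and "Condition" not in stmt
            and _covers_decrypt(stmt) and "*" in _as_list(stmt.get("Resource", []))]

def decrypt_denied(policy, key_arn, principal_arn):
    """True if a Deny statement in the policy blocks kms:Decrypt on key_arn for principal_arn."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny" or not _covers_decrypt(stmt):
            continue
        if not any(fnmatch.fnmatchcase(key_arn, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if not _principal_allow_listed(stmt.get("Condition", {}), principal_arn):
            return True  # Deny applies: an explicit deny overrides any Allow
    return False
```

Because the Deny lives in an identity-based policy, it only affects the principals that policy is attached to; a principal without the policy is governed by its own permissions and the key policy, so run the check against every customer managed policy in the account rather than one.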
