
Ensure Managed IAM Policies Should Not Allow Blocked Actions on KMS Keys Rule

This rule ensures that managed IAM policies do not permit blocked actions on KMS keys.

Rule: Ensure managed IAM policies should not allow blocked actions on KMS keys
Framework: NIST 800-171 Revision 2
Severity: Medium

Rule Description:

This rule ensures that managed IAM policies do not allow blocked actions on Key Management Service (KMS) keys in compliance with NIST 800-171 Revision 2. KMS keys are used to encrypt and decrypt data in AWS services, and it is important to restrict access to these keys to prevent unauthorized access or compromise of sensitive information.

Troubleshooting Steps:

  1. Identify the IAM policy associated with the KMS key.
  2. Review the policy statement(s) to check for any blocked actions.
  3. Confirm that any blocked actions the policy grants are intended and aligned with the security requirements.
  4. Update the policy if necessary to remove any blocked actions.

Necessary Code:

No specific code is required for this rule. However, you can use the AWS CLI or AWS Management Console to review and modify IAM policies if needed.

Remediation Steps:

The following steps outline how to remediate an IAM policy that allows blocked actions on KMS keys:

  1. Identify the KMS key that is associated with the IAM policy.
  2. Access the AWS Management Console or use the AWS CLI with appropriate permissions to make changes.
  3. Go to the IAM dashboard in the AWS Management Console, or execute the following AWS CLI command to inspect the IAM group in question:
     aws iam get-group --group-name <group-name>
  4. Locate the appropriate IAM group or user that has permissions to use the KMS key.
  5. Review the attached managed policies and custom inline policies for the IAM group/user.
  6. Identify the specific policy that allows blocked actions on KMS keys.
  7. Modify the policy to remove the blocked actions by either editing the policy directly or creating a new policy with the desired permissions.
  8. Validate the changes by simulating the policy using the AWS Policy Simulator or testing the updated permissions in a non-production environment.
  9. Once validated, deploy the updated policy to the appropriate IAM group/user.
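The troubleshooting steps (review statements for blocked actions) and remediation step 7 (remove them from the policy) can both be done offline against a policy document before anything is deployed. The following script is an added example written for this page; it is not Cloud Defense's code and not an AWS library. Because the page does not list which KMS actions count as "blocked", the set BLOCKED_KMS_ACTIONS and the small action catalogue KNOWN_KMS_ACTIONS are placeholder assumptions, and the sample policy is constructed. It handles the cases a manual review tends to miss: wildcard patterns such as kms:*, NotAction statements, and an explicit Deny elsewhere in the same document that overrides an Allow.

```python
"""Added example (not Cloud Defense's code): flag and remove "blocked" KMS
actions in an IAM managed-policy document, run offline on a constructed policy.
"""
import copy
import fnmatch
import json

# ASSUMPTION: the page does not name which KMS actions are "blocked"; this set
# is a placeholder chosen for illustration, not the vendor's list.
BLOCKED_KMS_ACTIONS = {"kms:ScheduleKeyDeletion", "kms:DisableKey", "kms:PutKeyPolicy"}

# ASSUMPTION: small action catalogue used to expand wildcards such as kms:*.
# A production check would expand against the full KMS action list.
KNOWN_KMS_ACTIONS = sorted(BLOCKED_KMS_ACTIONS | {
    "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"})


def _as_list(value):
    """Action, NotAction and Statement may be a single string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _granted(statement):
    """Blocked KMS actions granted by one Allow statement (before any Deny)."""
    if statement.get("Effect") != "Allow":
        return set()
    if "NotAction" in statement:  # allows everything except the listed patterns
        excluded = _as_list(statement["NotAction"])
        return {a for a in BLOCKED_KMS_ACTIONS if not any(_matches(p, a) for p in excluded)}
    patterns = _as_list(statement.get("Action"))
    return {a for a in BLOCKED_KMS_ACTIONS if any(_matches(p, a) for p in patterns)}


def find_violations(policy):
    """Map statement index -> blocked KMS actions that statement effectively allows.

    Explicit Deny statements in the same document override an Allow, so actions
    they cover are not reported. Simplification: Resource and Condition scoping
    of the Deny are not modelled, so a narrowly scoped Deny is treated as global.
    """
    statements = _as_list(policy.get("Statement"))
    deny_patterns = [p for s in statements if s.get("Effect") == "Deny"
                     for p in _as_list(s.get("Action"))]
    violations = {}
    for i, stmt in enumerate(statements):
        effective = {a for a in _granted(stmt)
                     if not any(_matches(p, a) for p in deny_patterns)}
        if effective:
            violations[i] = sorted(effective)
    return violations


def remediate(policy):
    """Return a copy in which no Allow statement grants a blocked KMS action.

    Patterns that reach a blocked action (for example kms:*) are expanded into the
    explicit non-blocked actions from KNOWN_KMS_ACTIONS, so the resulting grant is
    least-privilege and auditable. Caveat: a bare "*" is narrowed the same way, so
    permissions for other services would have to be re-granted explicitly.
    """
    fixed = copy.deepcopy(policy)
    statements = _as_list(fixed.get("Statement"))
    for stmt in statements:
        if not _granted(stmt):
            continue
        if "NotAction" in stmt:
            excluded = _as_list(stmt.pop("NotAction"))
            patterns = [a for a in KNOWN_KMS_ACTIONS
                        if not any(_matches(p, a) for p in excluded)]
        else:
            patterns = _as_list(stmt.pop("Action"))
        kept = []
        for pattern in patterns:
            if any(_matches(pattern, a) for a in BLOCKED_KMS_ACTIONS):
                kept.extend(a for a in KNOWN_KMS_ACTIONS
                            if _matches(pattern, a) and a not in BLOCKED_KMS_ACTIONS)
            else:
                kept.append(pattern)
        stmt["Action"] = list(dict.fromkeys(kept))  # de-duplicate, keep order
    fixed["Statement"] = statements
    return fixed


# Constructed sample policy (not from any real account); the key ID is a placeholder.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "UseKeys", "Effect": "Allow",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": "*"},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "kms:*",
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"Sid": "NoDeletion", "Effect": "Deny",
         "Action": "kms:ScheduleKeyDeletion", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("violations:", find_violations(SAMPLE_POLICY))
    print(json.dumps(remediate(SAMPLE_POLICY), indent=2))
```

On the sample, only the "TooBroad" statement is reported, and only for kms:DisableKey and kms:PutKeyPolicy, because the explicit Deny already covers kms:ScheduleKeyDeletion. The remediated copy replaces kms:* with the explicit non-blocked actions, which is the form you would then validate in the AWS Policy Simulator (step 8) before deploying (step 9). Feed a real document in with the output of `aws iam get-policy-version`, and bear in mind that Resource and Condition scoping is deliberately not modelled here.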

Note:

It is crucial to exercise caution while modifying IAM policies to ensure that necessary permissions are granted while disallowing any blocked actions as defined by NIST 800-171 Revision 2. Regularly review and monitor IAM policies to maintain compliance with security requirements and promptly address any violations.
