AWS KMS Key policy overly permissive
Description
This policy identifies KMS keys whose key policy is overly permissive. Key policies are the primary way to control access to customer master keys (CMKs) in AWS KMS. It is recommended to follow the principle of least privilege, ensuring that the KMS key policy does not grant a principal all the permissions needed to complete a malicious action.
For more details: https://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html#overview-policy-elements
Code Example

```diff
resource "aws_kms_key" "example" {
  description = "example key"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "Allow access for Key Administrators"
        Effect = "Allow"
        Principal = {
-         AWS = "*"
+         AWS = "arn:aws:iam::123456789012:role/admin"
        }
        Action   = "kms:*"
        Resource = "*"
      }
    ]
  })
}
```

Remediation
Terraform
To fix this issue, ensure that the KMS key policy does not use wildcard (`*`) principals. Instead, specify specific AWS accounts or roles.
Example:
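The following check, added here as an illustration rather than Checkov's or Prisma Cloud's own implementation, parses a KMS key policy document and reports every `Allow` statement whose `Principal` is a wildcard, which is the condition this rule flags. The sample policies are constructed from the page's before/after snippet (the account id is the page's placeholder), and the function names are assumptions of this example.

```python
import json


def make_policy(principal):
    """Build a one-statement KMS key policy (constructed sample modelled on
    the page's snippet; the account id is the page's placeholder value)."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": principal,
            "Action": "kms:*",
            "Resource": "*",
        }],
    })


OPEN_POLICY = make_policy({"AWS": "*"})                                       # the "-" line
SCOPED_POLICY = make_policy({"AWS": "arn:aws:iam::123456789012:role/admin"})  # the "+" line


def _as_list(value):
    """IAM JSON allows scalar-or-list in several places; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal):
    """True when a statement's Principal grants access to any caller: either the
    bare string "*" or a map whose "AWS" entry is "*" (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def wildcard_principal_sids(policy_json):
    """Return the Sid (or positional label) of each Allow statement that uses a
    wildcard principal. A Condition block does not clear the finding here, in line
    with the remediation text above; scoping to explicit principals does."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") == "Allow" and principal_is_wildcard(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


if __name__ == "__main__":
    print("open:", wildcard_principal_sids(OPEN_POLICY))      # one finding
    print("scoped:", wildcard_principal_sids(SCOPED_POLICY))  # no findings
```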
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0087 |
| Severity | MEDIUM |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_33 |