A Policy is not Defined for KMS Key
Description
This policy is designed to detect situations where the KMS key policy is undefined within your AWS environment. KMS keys are essential for data encryption, so the policies that define who may use and manage them must be explicitly specified and monitored to maintain data security.
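As an added illustration of what this rule checks (example code, not the scanner's own implementation), the following stand-alone Python check reads the JSON that `terraform show -json` produces, walks every module, and reports each `aws_kms_key` resource as PASSED when its `policy` argument holds a non-empty JSON document and FAILED otherwise. The plan document embedded below is constructed for the example; the resource names in it are placeholders.

```python
"""Stand-alone check for aws_kms_key resources with an undefined `policy`.

Input is the JSON emitted by `terraform show -json <planfile>`; the check walks
`planned_values.root_module` and its child modules. The sample plan below is
constructed for this example and is not real Terraform output.
"""
import json

SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_kms_key.with_policy", "type": "aws_kms_key",
                 "name": "with_policy",
                 "values": {"description": "KMS key for example",
                            "policy": "{\"Version\": \"2012-10-17\", \"Statement\": []}"}},
                {"address": "aws_kms_key.no_policy", "type": "aws_kms_key",
                 "name": "no_policy",
                 "values": {"description": "key without a policy"}},
                {"address": "aws_kms_key.empty_policy", "type": "aws_kms_key",
                 "name": "empty_policy",
                 "values": {"description": "key with empty policy", "policy": ""}},
                {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
                 "name": "logs", "values": {"bucket": "example-logs"}},
            ],
            "child_modules": [
                {"address": "module.kms",
                 "resources": [
                     {"address": "module.kms.aws_kms_key.nested", "type": "aws_kms_key",
                      "name": "nested", "values": {"description": "nested key"}}]}
            ],
        }
    },
})


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def has_policy(values):
    """True when `policy` is present and holds a non-empty JSON object.

    A missing key, an empty string, invalid JSON, or an empty object all count
    as "policy not defined" for the purposes of this rule.
    """
    policy = values.get("policy")
    if not isinstance(policy, str) or not policy.strip():
        return False
    try:
        doc = json.loads(policy)
    except json.JSONDecodeError:
        return False
    return isinstance(doc, dict) and bool(doc)


def check_kms_key_policies(plan_json):
    """Return (address, result) pairs for every aws_kms_key in the plan.

    result is "PASSED" when a policy is defined and "FAILED" otherwise.
    """
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "aws_kms_key":
            continue
        result = "PASSED" if has_policy(res.get("values", {})) else "FAILED"
        findings.append((res["address"], result))
    return findings


def failing_addresses(plan_json):
    """Addresses of every aws_kms_key that would trip this rule."""
    return [addr for addr, result in check_kms_key_policies(plan_json)
            if result == "FAILED"]


if __name__ == "__main__":
    for address, result in check_kms_key_policies(SAMPLE_PLAN):
        print(f"{result:6} {address}")
```

One caveat for running this against real plans: Terraform omits attributes whose value is not yet known at plan time from `planned_values`, so a key whose `policy` is built from a data source that has not been read yet would be reported as FAILED here even though the applied resource will carry a policy; a production check should consult `resource_changes[].change.after_unknown` before failing such a resource.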
Code Example
```hcl
resource "aws_kms_key" "example" {
  description = "KMS key for example"
  policy      = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "DefaultAllow",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
POLICY
}
```
Remediation
Terraform
- Resource: aws_kms_key
- Arguments: policy
The policy argument should be specified to define the KMS key policy.
Secure code example:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0498 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV2_AWS_64 |