KMS master keys should not be publicly accessible¶
Description¶
KMS keys are used to encrypt and decrypt data that may be sensitive. A key policy statement with Effect "Allow" and a Principal of "*" (and no Condition narrowing the caller) grants the listed KMS actions to every principal in every AWS account. If those actions include kms:Decrypt, anyone can use the key to recover data it protects.
Remediation Steps¶
AWS Console¶
Navigate to KMS.
Select the desired KMS master key to modify.
In Key policy, click Switch to Policy View > Edit.
In the Principal element of the offending statement, replace
"AWS": "*"
with a more restricted principal, such as a list of specific users or roles:
"Principal": {
  "AWS": [
    "arn:aws:iam::111122223333:user/MyUserName"
  ]
},
Click Save Changes.
AWS CLI¶
To update the KMS master key, apply a new key policy with put-key-policy. You'll need to provide a JSON document containing the policy; an example key_policy.json is shown below.
aws kms put-key-policy \
--policy-name default \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
--policy file://key_policy.json
key_policy.json is a JSON document containing the key policy. The first statement in the key policy below gives the AWS account permission to use IAM policies to control access to the CMK. The second statement gives the test-user user permission to run the describe-key and list-keys commands on the CMK. Contents of key_policy.json:
{
  "Version" : "2012-10-17",
  "Id" : "key-default-1",
  "Statement" : [
    {
      "Sid" : "Enable IAM User Permissions",
      "Effect" : "Allow",
      "Principal" : {
        "AWS" : "arn:aws:iam::111122223333:root"
      },
      "Action" : "kms:*",
      "Resource" : "*"
    },
    {
      "Sid" : "Allow Use of Key",
      "Effect" : "Allow",
      "Principal" : {
        "AWS" : "arn:aws:iam::111122223333:user/test-user"
      },
      "Action" : [
        "kms:DescribeKey",
        "kms:ListKeys"
      ],
      "Resource" : "*"
    }
  ]
}
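Whether you fix the policy in the console, with the CLI or in Terraform, it is worth checking the result mechanically rather than by eye. The Python below is an added example, not part of this page or of any AWS tooling: it flags every Allow statement whose Principal is "*" (bare, or as "AWS": "*" in any form) unless a Condition ties the caller to an organisation or account. The three policy documents it tests are constructed here (one is the restricted policy from the steps above), and the list of condition keys treated as caller-scoping is an assumption of which keys actually constrain who may call.

```python
"""Check a KMS key policy for statements open to any AWS principal.

Added example, not from the original page: the sample policies below are
constructed for illustration.
"""
import json

# Condition keys that restrict WHO may use the key. A Principal of "*"
# combined with one of these is scoped (to an org, account or caller). Any
# other condition (e.g. kms:ViaService) still leaves the principal wide open.
# This list is an assumption; extend it to match your own policy conventions.
PRINCIPAL_SCOPING_KEYS = {
    "aws:principalorgid",
    "aws:principalorgpaths",
    "aws:principalaccount",
    "aws:principalarn",
    "aws:sourceaccount",
    "aws:sourcearn",
    "kms:calleraccount",
}


def _principal_values(principal):
    """Flatten the Principal element ("*", {"AWS": "*"}, {"AWS": [...]}) to a list."""
    if isinstance(principal, str):
        return [principal]
    values = []
    for entry in principal.values():
        values.extend([entry] if isinstance(entry, str) else entry)
    return values


def _condition_keys(condition):
    """Collect every condition key (e.g. aws:PrincipalOrgID), lowercased."""
    keys = set()
    for operator_block in condition.values():
        keys.update(k.lower() for k in operator_block)
    return keys


def find_public_statements(policy):
    """Return the Sid (or index) of each Allow statement any principal can use.

    `policy` may be a parsed dict or the JSON text returned by get-key-policy.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny with "*" is a guard rail, not an exposure
        if "*" not in _principal_values(stmt.get("Principal", {})):
            continue
        if _condition_keys(stmt.get("Condition", {})) & PRINCIPAL_SCOPING_KEYS:
            continue  # narrowed to an org/account; review, but not public
        findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings


def is_public(policy):
    return bool(find_public_statements(policy))


# Constructed sample: the restricted policy from the remediation steps.
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow Use of Key", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:user/test-user"},
         "Action": ["kms:DescribeKey", "kms:ListKeys"], "Resource": "*"},
    ],
}

# Constructed sample, as JSON text: the pattern this rule flags, plus a Deny
# with "*" that must not be reported.
PUBLIC_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAnyoneToDecrypt", "Effect": "Allow",
     "Principal": {"AWS": "*"}, "Action": "kms:Decrypt", "Resource": "*"},
    {"Sid": "DenyDeletion", "Effect": "Deny",
     "Principal": "*", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"}
  ]
}"""

# Constructed sample: "*" narrowed to one organisation by a condition.
ORG_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OrgOnly", "Effect": "Allow", "Principal": "*",
        "Action": "kms:Decrypt", "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
}

if __name__ == "__main__":
    for name, doc in [("restricted", RESTRICTED_POLICY),
                      ("public", PUBLIC_POLICY_JSON),
                      ("org-scoped", ORG_SCOPED_POLICY)]:
        print(f"{name}: {find_public_statements(doc) or 'no public statements'}")
```

To run it against a live key, pass the document from aws kms get-key-policy --key-id <key-id> --policy-name default --query Policy --output text to find_public_statements; a non-empty result means the key still matches this rule. Statements that the check skips because of a scoping condition are still worth a manual read, since a condition such as kms:ViaService limits the service path but not the caller.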
Terraform¶
Ensure that the aws_kms_key has a policy with appropriately scoped statements (no Allow statement whose Principal is "*").
Example Configuration¶
resource "aws_kms_key" "example" {
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid" : "Enable IAM User Permissions",
      "Effect" : "Allow",
      "Principal" : {
        "AWS" : "arn:aws:iam::111122223333:root"
      },
      "Action" : "kms:*",
      "Resource" : "*"
    },
    {
      "Sid" : "Allow Use of Key",
      "Effect" : "Allow",
      "Principal" : {
        "AWS" : "arn:aws:iam::111122223333:user/test-user"
      },
      "Action" : [
        "kms:DescribeKey",
        "kms:ListKeys"
      ],
      "Resource" : "*"
    }
  ]
}
EOF
  # other arguments (description, deletion_window_in_days, ...) here
}