KMS master keys should not be publicly accessible

Description

KMS keys are used for encrypting and decrypting data which may be sensitive. Publicly accessible KMS keys may allow anyone to perform decryption operations which may reveal data.

Remediation Steps

AWS Console

  • Navigate to KMS.

  • Select the desired KMS master key to modify.

  • In Key policy, click Switch to Policy View > Edit.

  • In the Principal statement, replace "AWS": "*" with a more restricted principal, such as a list of users or roles:

"Principal": {
  "AWS": [
        "arn:aws:iam::111122223333:user/MyUserName"
      ]
},
  • Click Save Changes.

AWS CLI

  • To update the KMS master key, apply a key policy. You’ll need to provide a JSON document with the policy; see below for an example key_policy.json.

aws kms put-key-policy \
    --policy-name default \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --policy file://key_policy.json

key_policy.json is a JSON document containing the key policy. The first statement in the key policy below gives the AWS account permission to use IAM policies to control access to the CMK. The second statement gives the test-user user permission to run the describe-key and list-keys commands on the CMK. Contents of key_policy.json:

{
    "Version" : "2012-10-17",
    "Id" : "key-default-1",
    "Statement" : [
        {
            "Sid" : "Enable IAM User Permissions",
            "Effect" : "Allow",
            "Principal" : {
                "AWS" : "arn:aws:iam::111122223333:root"
            },
            "Action" : "kms:",
            "Resource" : "*"
        },
        {
            "Sid" : "Allow Use of Key",
            "Effect" : "Allow",
            "Principal" : {
                "AWS" : "arn:aws:iam::111122223333:user/test-user"
            },
            "Action" : [
                "kms:DescribeKey",
                "kms:ListKeys"
            ],
            "Resource" : "*"
        }
    ]
}

Terraform

  • Ensure that the aws_kms_key has a policy with appropriately scoped statements.

Example Configuration

resource "aws_kms_key" "example" {
  policy = <<EOF
  {
    Version": "2012-10-17",
    "Id": "key-default-1",

    Statement": [
        {
            "Sid" : "Enable IAM User Permissions",
            "Effect" : "Allow",
            "Principal" : {
                "AWS" : "arn:aws:iam::111122223333:root"
            },
            "Action" : "kms:",
            "Resource" : "*"
        },
        {
            "Sid" : "Allow Use of Key",
            "Effect" : "Allow",
            "Principal" : {
                "AWS" : "arn:aws:iam::111122223333:user/test-user"
            },
            "Action" : [
                "kms:DescribeKey",
                "kms:ListKeys"
            ],
            "Resource" : "*"
        }
    ]
  }
  EOF
  # other required fields here
}