KMS Key With Vulnerable Policy

  • Query id: 5b9d237a-57d5-4177-be0e-71434b0fef47
  • Query name: KMS Key With Vulnerable Policy
  • Platform: Ansible
  • Severity: High
  • Category: Insecure Configurations
  • URL: Github


Checks if the policy is vulnerable and needs updating.

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file
- name: Update IAM policy on an existing KMS key
    alias: my-kms-key
    policy: {'Id': 'auto-ebs-2', 'Statement': [{'Action': ['kms:*'], 'Effect': 'Allow', 'Principal': {'AWS': '*'}, 'Resource': '*', 'Sid': 'Allow access through EBS for all principals in the account that are authorized to use EBS'}, {'Action': ['kms:Describe*', 'kms:Get*', 'kms:List*', 'kms:RevokeGrant'], 'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::111111111111:root'}, 'Resource': '*', 'Sid': 'Allow direct access to key metadata to the account'}], 'Version': '2012-10-17'}
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Update IAM policy on an existing KMS key
    alias: my-kms-key
    policy: |
      { Id: auto-ebs-2, Statement: [{Action: [kms:Encrypt, kms:Decrypt, kms:ReEncrypt*,
        kms:GenerateDataKey*, kms:CreateGrant, kms:DescribeKey], Condition: {
        StringEquals: {kms:CallerAccount: '111111111111', kms:ViaService:}},
        Effect: Allow, Principal: {AWS: '*'}, Resource: '*',
        Sid: Allow access through EBS for all principals in the account that are authorized to use EBS },
      { Action: [kms:Describe*, kms:Get*, kms:List*, kms:RevokeGrant], Effect: Allow,
        Principal: {AWS: arn:aws:iam::111111111111:root}, Resource: '*',
        Sid: Allow direct access to key metadata to the account}], Version: '2012-10-17' }
    state: present