KMS Key With Full Permissions

  • Query id: 5b9d237a-57d5-4177-be0e-71434b0fef47
  • Query name: KMS Key With Full Permissions
  • Platform: Ansible
  • Severity: High
  • Category: Insecure Configurations
  • URL: Github

Description

The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege.
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file
---
- name: Update IAM policy on an existing KMS key
  community.aws.aws_kms:
    alias: my-kms-key
    policy: {'Id': 'auto-ebs-2', 'Statement': [{'Action': ['kms:*'], 'Effect': 'Allow', 'Principal': {'AWS': '*'}, 'Resource': '*', 'Sid': 'Allow access through EBS for all principals in the account that are authorized to use EBS'}, {'Action': ['kms:Describe*', 'kms:Get*', 'kms:List*', 'kms:RevokeGrant'], 'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::111111111111:root'}, 'Resource': '*', 'Sid': 'Allow direct access to key metadata to the account'}], 'Version': '2012-10-17'}
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Update IAM policy on an existing KMS key
  community.aws.aws_kms:
    alias: my-kms-key
    policy: |
      { Id: auto-ebs-2, Statement: [{Action: [kms:Encrypt, kms:Decrypt, kms:ReEncrypt*,
        kms:GenerateDataKey*, kms:CreateGrant, kms:DescribeKey], Condition: {
        StringEquals: {kms:CallerAccount: '111111111111', kms:ViaService: ec2.ap-southeast-2.amazonaws.com}},
        Effect: Allow, Principal: {AWS: '*'}, Resource: '*',
        Sid: Allow access through EBS for all principals in the account that are authorized to use EBS },
      { Action: [kms:Describe*, kms:Get*, kms:List*, kms:RevokeGrant], Effect: Allow,
        Principal: {AWS: arn:aws:iam::111111111111:root}, Resource: '*',
        Sid: Allow direct access to key metadata to the account}], Version: '2012-10-17' }
    state: present