KMS Key With Full Permissions

Query id: da905474-7454-43c0-b8d2-5756ab951aba
Query name: KMS Key With Full Permissions
Platform: CloudFormation
Severity: High
Category: Insecure Configurations
URL: Github

Description¶

The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege.
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Postitive test num. 1 - json file

Postitive test num. 2 - yaml file

{ "Resources": { "RSASigningKey": { class="w">      "Type": "AWS::KMS::Key", class="hll">      "Properties": { "Description": "RSA-3047 asymmetric CMK for signing and verification", "KeySpec": "RSA_3072", class="w">        "KeyUsage": "SIGN_VERIFY", class="hll">        "KeyPolicy": { "Version": "2012-10-17", "Id": "key-default-1", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "kms:*", "Resource": "*" } ] } } } } } Resources: RSASigningKey: Type: AWS::KMS::Key class="w">    Properties: class="hll">      Description: RSA-3047 asymmetric CMK for signing and verification KeySpec: RSA_3072 KeyUsage: SIGN_VERIFY class="w">      KeyPolicy: class="hll">        Version: '2012-10-17' Id: key-default-1 Statement: - Sid: Enable IAM User Permissions Effect: Allow Principal: AWS: '*' Action: kms:* Resource: '*'
Code samples without security vulnerabilities¶
Negative test num. 1 - json file{
  "Resources": {
    "RSASigningKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "RSA-3047 asymmetric CMK for signing and verification",
        "KeySpec": "RSA_3072",
        "KeyUsage": "SIGN_VERIFY",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Allow administration of the key",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/Admin"
              },
              "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}

Negative test num. 2 - yaml fileResources:
  RSASigningKey:
    Type: AWS::KMS::Key
    Properties:
      Description: RSA-3047 asymmetric CMK for signing and verification
      KeySpec: RSA_3072
      KeyUsage: SIGN_VERIFY
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::111122223333:role/Developer
          Action:
          - kms:Sign
          - kms:Verify
          - kms:DescribeKey
          Resource: '*'