KMS Key With Full Permissions
- Query id: da905474-7454-43c0-b8d2-5756ab951aba
- Query name: KMS Key With Full Permissions
- Platform: CloudFormation
- Severity: High
- Category: Insecure Configurations
- URL: Github
Description¶
The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - json file
{
"Resources": {
"RSASigningKey": {
"Type": "AWS::KMS::Key",
"Properties": {
"Description": "RSA-3047 asymmetric CMK for signing and verification",
"KeySpec": "RSA_3072",
"KeyUsage": "SIGN_VERIFY",
"KeyPolicy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "kms:*",
"Resource": "*"
}
]
}
}
}
}
}
Positive test num. 2 - yaml file
Resources:
RSASigningKey:
Type: AWS::KMS::Key
Properties:
Description: RSA-3047 asymmetric CMK for signing and verification
KeySpec: RSA_3072
KeyUsage: SIGN_VERIFY
KeyPolicy:
Version: '2012-10-17'
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: '*'
Action: kms:*
Resource: '*'
Code samples without security vulnerabilities¶
Negative test num. 1 - json file
{
"Resources": {
"RSASigningKey": {
"Type": "AWS::KMS::Key",
"Properties": {
"Description": "RSA-3047 asymmetric CMK for signing and verification",
"KeySpec": "RSA_3072",
"KeyUsage": "SIGN_VERIFY",
"KeyPolicy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/Admin"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
}
]
}
}
}
}
}
Negative test num. 2 - yaml file
Resources:
RSASigningKey:
Type: AWS::KMS::Key
Properties:
Description: RSA-3047 asymmetric CMK for signing and verification
KeySpec: RSA_3072
KeyUsage: SIGN_VERIFY
KeyPolicy:
Version: '2012-10-17'
Id: key-default-1
Statement:
- Sid: Allow use of the key
Effect: Allow
Principal:
AWS: arn:aws:iam::111122223333:role/Developer
Action:
- kms:Sign
- kms:Verify
- kms:DescribeKey
Resource: '*'