KMS Key With Full Permissions

  • Query id: da905474-7454-43c0-b8d2-5756ab951aba
  • Query name: KMS Key With Full Permissions
  • Platform: CloudFormation
  • Severity: High
  • Category: Insecure Configurations
  • URL: Github

Description

The KMS key's policy is too permissive: an Allow statement grants every KMS operation (kms:*) to the wildcard principal *, so any AWS principal, in this account or any other, whose own IAM permissions allow KMS actions can use, re-key, re-policy, and schedule deletion of the key. This violates the principle of least privilege. A key policy should name specific principals and grant each only the actions it needs, keeping key administration (Create*, Put*, Enable*, Disable*, ScheduleKeyDeletion, ...) separate from key use (Sign, Verify, Encrypt, Decrypt, ...). Note that Resource "*" is expected in a key policy, where it always refers to the key itself; the finding is about the principal and action wildcards, not the resource.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - json file
{
  "Resources": {
    "RSASigningKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "RSA-3072 asymmetric CMK for signing and verification",
        "KeySpec": "RSA_3072",
        "KeyUsage": "SIGN_VERIFY",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": "*"
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
Positive test num. 2 - yaml file
Resources:
  RSASigningKey:
    Type: AWS::KMS::Key
    Properties:
      Description: RSA-3072 asymmetric CMK for signing and verification
      KeySpec: RSA_3072
      KeyUsage: SIGN_VERIFY
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: '*'
          Action: kms:*
          Resource: '*'

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
  "Resources": {
    "RSASigningKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "RSA-3072 asymmetric CMK for signing and verification",
        "KeySpec": "RSA_3072",
        "KeyUsage": "SIGN_VERIFY",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Allow administration of the key",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/Admin"
              },
              "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
Negative test num. 2 - yaml file
Resources:
  RSASigningKey:
    Type: AWS::KMS::Key
    Properties:
      Description: RSA-3072 asymmetric CMK for signing and verification
      KeySpec: RSA_3072
      KeyUsage: SIGN_VERIFY
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::111122223333:role/Developer
          Action:
          - kms:Sign
          - kms:Verify
          - kms:DescribeKey
          Resource: '*'
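Added example (not part of the KICS query or its samples): a small Python linter that applies the pattern described above to a parsed CloudFormation template. It reports every Allow statement on an AWS::KMS::Key that grants kms:* (or *) to the wildcard principal, and separately reports the account-root form of the same grant (AWS's default key policy statement, which delegates to IAM), so a reviewer can decide which to treat as findings. The template embedded in the block is constructed for this example: it combines the page's positive and negative policy statements with an account-root statement and a non-KMS resource. Loading from YAML (yaml.safe_load) instead of JSON would give the same dict shape.

```python
"""Flag AWS::KMS::Key resources whose KeyPolicy grants kms:* too broadly.

Added example, not KICS project code. Accepts the dict produced by json.load
or yaml.safe_load on a CloudFormation template.
"""
import re
from typing import Any

# Account root principal, e.g. arn:aws:iam::111122223333:root (any partition).
_ROOT_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::\d{12}:root$")


def _as_list(value: Any) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_ids(principal: Any) -> list:
    """Flatten a Principal ("*", {"AWS": "..."}, {"AWS": [...]}) to its identifiers."""
    if isinstance(principal, dict):
        ids = []
        for values in principal.values():
            ids.extend(_as_list(values))
        return ids
    return _as_list(principal)


def _grants_all_kms(actions: Any) -> bool:
    """True when the statement's Action covers every KMS operation."""
    return any(a in ("*", "kms:*") for a in _as_list(actions))


def find_full_permission_keys(template: dict) -> list:
    """Return one finding per over-broad Allow statement on a KMS key.

    kind is "wildcard_principal" for Principal "*" and "account_root" for an
    account root ARN. The root form is AWS's default key policy statement, so
    whether it counts as a finding is a per-organisation decision.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::KMS::Key":
            continue
        policy = resource.get("Properties", {}).get("KeyPolicy", {})
        for stmt in _as_list(policy.get("Statement")):
            if stmt.get("Effect") != "Allow" or not _grants_all_kms(stmt.get("Action")):
                continue
            for pid in _principal_ids(stmt.get("Principal")):
                if pid == "*":
                    kind = "wildcard_principal"
                elif isinstance(pid, str) and _ROOT_ARN.match(pid):
                    kind = "account_root"
                else:
                    continue
                findings.append({
                    "resource": logical_id,
                    "sid": stmt.get("Sid", ""),
                    "kind": kind,
                    # A Condition narrows the grant; surface it for the reviewer.
                    "conditioned": "Condition" in stmt,
                })
    return findings


def _key(statement: dict) -> dict:
    """Helper to build a minimal AWS::KMS::Key resource around one statement."""
    return {"Type": "AWS::KMS::Key",
            "Properties": {"KeySpec": "RSA_3072", "KeyUsage": "SIGN_VERIFY",
                           "KeyPolicy": {"Version": "2012-10-17", "Statement": [statement]}}}


# Constructed input: the page's positive and negative statements plus an
# account-root statement and a non-KMS resource, for comparison.
SAMPLE_TEMPLATE = {"Resources": {
    "WildcardKey": _key({"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                         "Principal": {"AWS": "*"}, "Action": "kms:*", "Resource": "*"}),
    "RootKey": _key({"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                     "Action": "kms:*", "Resource": "*"}),
    "ScopedKey": _key({"Sid": "Allow use of the key", "Effect": "Allow",
                       "Principal": {"AWS": "arn:aws:iam::111122223333:role/Developer"},
                       "Action": ["kms:Sign", "kms:Verify", "kms:DescribeKey"],
                       "Resource": "*"}),
    "NotAKey": {"Type": "AWS::S3::Bucket", "Properties": {}},
}}

if __name__ == "__main__":
    for finding in find_full_permission_keys(SAMPLE_TEMPLATE):
        print(finding)
```

Run against the embedded template it reports WildcardKey (wildcard_principal) and RootKey (account_root) and stays silent on ScopedKey, whose principal is a single role and whose actions are limited to signing, verification and DescribeKey. The "conditioned" flag is there because a statement such as Principal "*" with a kms:ViaService condition is still broad but is not the same risk as an unconditioned one, and a reviewer should see the difference rather than have the tool hide it.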