KMS Key With Full Permissions
- Query id: 7ebc9038-0bde-479a-acc4-6ed7b6758899
- Query name: KMS Key With Full Permissions
- Platform: Terraform
- Severity: High
- Category: Insecure Configurations
- URL: Github
Description
The KMS key policy is too permissive: it gives the AWS account owner access to every AWS KMS operation, which violates the principle of least privilege.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file

```tf
resource "aws_kms_key" "positive1" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
  # Wildcard principal ({"AWS": "*"}) combined with kms:* grants every KMS
  # operation on this key to any principal.
  policy                  = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddCannedAcl",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": ["kms:*"],
      "Resource": "*"
    }
  ]
}
POLICY
}
```
Positive test num. 2 - tf file

```tf
resource "aws_kms_key" "positive1" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
  # Same problem in the short form: "Principal": "*" with kms:* allowed.
  policy                  = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddCannedAcl",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["kms:*"],
      "Resource": "*"
    }
  ]
}
POLICY
}
```
Positive test num. 3 - tf file

```tf
resource "aws_kms_key" "positive3" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
  # No policy argument: AWS attaches the default key policy, which grants the
  # account root principal kms:* on the key.
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file

```tf
resource "aws_kms_key" "negative1" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
  # Explicit Deny scoped to a named IAM user and a specific set of KMS actions;
  # no statement grants kms:* to a wildcard principal.
  policy                  = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddCannedAcl",
      "Effect": "Deny",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/CMKUser"
      ]},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
POLICY
}
```
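The rule the description and the four samples above illustrate can be applied to a key policy document directly. The following Python checker is an added example and is not the KICS query's own Rego implementation; it is this editor's reading of the samples: an `Allow` statement whose `Principal` is `*` (in either the bare or the `{"AWS": "*"}` form) and whose `Action` covers all of KMS (`kms:*` or `*`) is flagged, and a resource with no `policy` argument is flagged because the default key policy then applies. The function names and the inline policy strings (copied from the samples above) are constructed for this example.

```python
"""Check an aws_kms_key policy document for full-permission statements.

Added example; not the KICS query's own code. Mirrors the page's samples:
positive 1 and 2 are flagged on the wildcard principal, positive 3 on the
missing policy, negative 1 passes.
"""
import json
from typing import Optional


def _as_list(value):
    """Normalise a policy element that may be a string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal) -> bool:
    """True for "Principal": "*" and for {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def actions_cover_all_kms(actions) -> bool:
    """True if the action list grants every KMS operation."""
    return any(a in ("*", "kms:*") for a in _as_list(actions))


def find_full_permission_statements(policy_json: str) -> list:
    """Return the Sids (or positional labels) of Allow statements that grant kms:* to everyone."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if principal_is_wildcard(stmt.get("Principal")) and actions_cover_all_kms(stmt.get("Action")):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def check_kms_key(policy_json: Optional[str]) -> Optional[str]:
    """Return a finding for one aws_kms_key resource, or None when it passes.

    policy_json is the string the resource's `policy` argument evaluates to;
    None models a resource with no policy argument (positive test 3).
    """
    if policy_json is None:
        return "no key policy set: default key policy grants the account root kms:*"
    sids = find_full_permission_statements(policy_json)
    if sids:
        return "statement(s) grant kms:* to a wildcard principal: " + ", ".join(sids)
    return None


# Constructed inputs: the policy bodies of the page's samples.
POSITIVE_1 = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AddCannedAcl", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["kms:*"], "Resource": "*"}]})
POSITIVE_2 = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AddCannedAcl", "Effect": "Allow", "Principal": "*",
     "Action": ["kms:*"], "Resource": "*"}]})
NEGATIVE_1 = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AddCannedAcl", "Effect": "Deny",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:user/CMKUser"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"}]})


def run_samples() -> dict:
    """Evaluate the four samples; maps sample name to its finding (None = pass)."""
    return {
        "positive1": check_kms_key(POSITIVE_1),
        "positive2": check_kms_key(POSITIVE_2),
        "positive3": check_kms_key(None),
        "negative1": check_kms_key(NEGATIVE_1),
    }


if __name__ == "__main__":
    for name, finding in run_samples().items():
        print(f"{name}: {finding or 'OK'}")
```

The checker deliberately treats a `Deny` statement as harmless even with a wildcard principal, and it only looks at the `AWS` principal key; a Terraform scan would first have to extract the `policy` heredoc (or the rendered output of `data.aws_iam_policy_document`) before handing the JSON to `check_kms_key`.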