KMS Key With Vulnerable Policy
- Query id: 5b9d237a-57d5-4177-be0e-71434b0fef47
- Query name: KMS Key With Vulnerable Policy
- Platform: Ansible
- Severity: High
- Category: Insecure Configurations
- CWE: 807
- URL: Github
Description¶
Checks if the policy is vulnerable and needs updating.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
---
- name: Update IAM policy on an existing KMS key
community.aws.aws_kms:
alias: my-kms-key
policy: {'Id': 'auto-ebs-2', 'Statement': [{'Action': ['kms:*'], 'Effect': 'Allow', 'Principal': {'AWS': '*'}, 'Resource': '*', 'Sid': 'Allow access through EBS for all principals in the account that are authorized to use EBS'}, {'Action': ['kms:Describe*', 'kms:Get*', 'kms:List*', 'kms:RevokeGrant'], 'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::111111111111:root'}, 'Resource': '*', 'Sid': 'Allow direct access to key metadata to the account'}], 'Version': '2012-10-17'}
state: present
Positive test num. 2 - yaml file
---
- name: Update IAM policy on an existing KMS key2
community.aws.aws_kms:
alias: my-kms-key
state: present
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
- name: Update IAM policy on an existing KMS key
community.aws.aws_kms:
alias: my-kms-key
policy: |
{ Id: auto-ebs-2, Statement: [{Action: [kms:Encrypt, kms:Decrypt, kms:ReEncrypt*,
kms:GenerateDataKey*, kms:CreateGrant, kms:DescribeKey], Condition: {
StringEquals: {kms:CallerAccount: '111111111111', kms:ViaService: ec2.ap-southeast-2.amazonaws.com}},
Effect: Allow, Principal: {AWS: '*'}, Resource: '*',
Sid: Allow access through EBS for all principals in the account that are authorized to use EBS },
{ Action: [kms:Describe*, kms:Get*, kms:List*, kms:RevokeGrant], Effect: Allow,
Principal: {AWS: arn:aws:iam::111111111111:root}, Resource: '*',
Sid: Allow direct access to key metadata to the account}], Version: '2012-10-17' }
state: present