KMS Key With Vulnerable Policy
- Query id: da905474-7454-43c0-b8d2-5756ab951aba
- Query name: KMS Key With Vulnerable Policy
- Platform: CloudFormation
- Severity: High
- Category: Insecure Configurations
- CWE: 326
- URL: Github
Description
Checks whether each AWS::KMS::Key resource defines a KeyPolicy and whether that policy is overly permissive. As the samples below show, a key is reported when its KeyPolicy allows the wildcard principal "AWS": "*" (any AWS account) to perform "kms:*", or when the key declares no KeyPolicy at all; a key whose policy grants a scoped set of kms actions to specific IAM role ARNs is not reported.
Documentation
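The following is an added example, not part of the KICS query or its documentation: a small Python scanner that applies the same rule to a parsed CloudFormation template (loaded here from a constructed JSON sample, not from the page). It flags an AWS::KMS::Key that has no KeyPolicy, or whose policy has an Allow statement for a wildcard principal with no Condition; it also accepts the list form of "AWS", which the page's samples do not show.

```python
import json

KMS_TYPE = "AWS::KMS::Key"


def is_wildcard_principal(principal) -> bool:
    """True when a statement applies to any AWS principal: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def find_vulnerable_kms_keys(template: dict) -> list:
    """Return (logical_id, reason) for each AWS::KMS::Key that has no KeyPolicy
    or whose policy allows a wildcard principal with no Condition attached."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != KMS_TYPE:
            continue
        policy = res.get("Properties", {}).get("KeyPolicy")
        if not policy:
            findings.append((logical_id, "missing KeyPolicy"))
            continue
        statements = policy.get("Statement", [])
        for stmt in (statements if isinstance(statements, list) else [statements]):
            if (stmt.get("Effect") == "Allow"
                    and is_wildcard_principal(stmt.get("Principal"))
                    and "Condition" not in stmt):
                sid = stmt.get("Sid", "<no Sid>")
                findings.append((logical_id, f"wildcard principal in statement '{sid}'"))
    return findings


# Constructed sample template (not from the page): one open key, one key with
# no policy, and one key scoped to a single role as in the negative samples.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "OpenKey": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {"Statement": [
    {"Sid": "Open", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "kms:*", "Resource": "*"}]}}},
  "NoPolicyKey": {"Type": "AWS::KMS::Key", "Properties": {"KeySpec": "RSA_3072"}},
  "ScopedKey": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {"Statement": [
    {"Sid": "Use", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/Developer"},
     "Action": ["kms:Sign", "kms:Verify"], "Resource": "*"}]}}}}}
""")
```

Running find_vulnerable_kms_keys(SAMPLE_TEMPLATE) reports OpenKey and NoPolicyKey and leaves ScopedKey alone; a YAML template can be fed in the same way after parsing it to a dict.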
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - json file
{
  "Resources": {
    "RSASigningKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "RSA-3047 asymmetric CMK for signing and verification",
        "KeySpec": "RSA_3072",
        "KeyUsage": "SIGN_VERIFY",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": "*"
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
Positive test num. 2 - yaml file
Resources:
  RSASigningKey:
    Type: AWS::KMS::Key
    Properties:
      Description: RSA-3047 asymmetric CMK for signing and verification
      KeySpec: RSA_3072
      KeyUsage: SIGN_VERIFY
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: '*'
            Action: kms:*
            Resource: '*'
Positive test num. 3 - json file
{
  "Resources": {
    "RSASigningKey2": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "RSA-3047 asymmetric CMK for signing and verification",
        "KeySpec": "RSA_3072",
        "KeyUsage": "SIGN_VERIFY"
      }
    }
  }
}
Positive test num. 4 - yaml file
Code samples without security vulnerabilities
Negative test num. 1 - json file
{
  "Resources": {
    "RSASigningKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "RSA-3047 asymmetric CMK for signing and verification",
        "KeySpec": "RSA_3072",
        "KeyUsage": "SIGN_VERIFY",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Allow administration of the key",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/Admin"
              },
              "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
Negative test num. 2 - yaml file
Resources:
  RSASigningKey:
    Type: AWS::KMS::Key
    Properties:
      Description: RSA-3047 asymmetric CMK for signing and verification
      KeySpec: RSA_3072
      KeyUsage: SIGN_VERIFY
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::111122223333:role/Developer
            Action:
              - kms:Sign
              - kms:Verify
              - kms:DescribeKey
            Resource: '*'