KMS Key With Vulnerable Policy

  • Query id: da905474-7454-43c0-b8d2-5756ab951aba
  • Query name: KMS Key With Vulnerable Policy
  • Platform: CloudFormation
  • Severity: High
  • Category: Insecure Configurations
  • CWE: 326
  • URL: Github

Description

Checks if the policy is vulnerable and needs updating.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - json file
{
  "Resources": {
    "RSASigningKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "RSA-3047 asymmetric CMK for signing and verification",
        "KeySpec": "RSA_3072",
        "KeyUsage": "SIGN_VERIFY",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": "*"
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
Positive test num. 2 - yaml file
Resources:
  RSASigningKey:
    Type: AWS::KMS::Key
    Properties:
      Description: RSA-3047 asymmetric CMK for signing and verification
      KeySpec: RSA_3072
      KeyUsage: SIGN_VERIFY
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: '*'
          Action: kms:*
          Resource: '*'
Positive test num. 3 - json file
{
  "Resources": {
    "RSASigningKey2": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "RSA-3047 asymmetric CMK for signing and verification",
        "KeySpec": "RSA_3072",
        "KeyUsage": "SIGN_VERIFY"
      }
    }
  }
}

Positive test num. 4 - yaml file 
Resources:
  RSASigningKey2:
    Type: AWS::KMS::Key
    Properties:
      Description: RSA-3047 asymmetric CMK for signing and verification
      KeySpec: RSA_3072
      KeyUsage: SIGN_VERIFY

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
  "Resources": {
    "RSASigningKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "RSA-3047 asymmetric CMK for signing and verification",
        "KeySpec": "RSA_3072",
        "KeyUsage": "SIGN_VERIFY",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Allow administration of the key",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/Admin"
              },
              "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
Negative test num. 2 - yaml file
Resources:
  RSASigningKey:
    Type: AWS::KMS::Key
    Properties:
      Description: RSA-3047 asymmetric CMK for signing and verification
      KeySpec: RSA_3072
      KeyUsage: SIGN_VERIFY
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::111122223333:role/Developer
          Action:
          - kms:Sign
          - kms:Verify
          - kms:DescribeKey
          Resource: '*'