AWS-KMS-CMK-administrator-are-key-users

Severity: High

Description: This control checks that the principals who administer a CMK are not also its key users. CMK administrators can manage the key itself: edit the key policy, schedule the key for deletion, create and update aliases, and manage key material. An administrator who also holds key-use permissions such as kms:Encrypt and kms:Decrypt both controls the key and can read the data it protects, so a single compromised or malicious account is enough to misuse the key and to cover its tracks in the key policy. Following the principle of separation of duties, administrators should not be granted key-user permissions on the CMKs they manage. Note that a key administrator with kms:PutKeyPolicy can still grant use permissions to themselves, so this control should be paired with monitoring of PutKeyPolicy events in CloudTrail.

Remediation Steps:

Perform the following to remove key administrators from the key-user list:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the KMS console.

  3. Select the appropriate region from the top right corner.

  4. In the navigation pane, choose Customer managed keys, and then choose the CMK that you want to modify.

  5. Open the "Key policy" tab and click Switch to policy view. Click Edit.

  6. Edit the policy so that no principal granted administrative actions on the CMK (for example in the console's default "Allow access for Key Administrators" statement) also appears as a principal in a statement granting cryptographic use actions such as kms:Encrypt, kms:Decrypt, kms:ReEncrypt* and kms:GenerateDataKey* (the default "Allow use of the key" statement). Remove the administrator principals from the key-user statements rather than removing the use actions, so that the application principals keep working.

  7. Click Save changes.
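The check behind this control can also be run offline against an exported key policy. The following Python script is an added example and is not part of this page or of Blue Hexagon's tooling: it expands the wildcard actions in each Allow statement, classifies them as administrative or cryptographic-use actions, and reports every non-root principal that holds both. The account ID 111122223333 and the roles KMSKeyAdmin and AppEncryptor are constructed for the example; the two embedded policies are shaped like the console's default key policy, one before and one after the remediation above.

```python
import fnmatch

# Actions that let a principal manage the CMK itself (policy, lifecycle, aliases, key material).
ADMIN_ACTIONS = {
    "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    "kms:DisableKey", "kms:EnableKey", "kms:CreateAlias", "kms:UpdateAlias",
    "kms:DeleteAlias", "kms:ImportKeyMaterial", "kms:DeleteImportedKeyMaterial",
    "kms:EnableKeyRotation", "kms:DisableKeyRotation",
}
# Actions that let a principal use the CMK for cryptographic operations.
USE_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:GenerateDataKeyPair", "kms:GenerateDataKeyPairWithoutPlaintext",
    "kms:Sign", "kms:Verify",
}


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matching_actions(patterns, catalogue):
    """Expand IAM action patterns such as 'kms:Put*' against a set of known actions.
    IAM action names are case-insensitive, so compare in lower case."""
    matched = set()
    for pattern in _as_list(patterns):
        for action in catalogue:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                matched.add(action)
    return matched


def _aws_principals(statement):
    """Return the AWS principals of a statement ('*' is kept as a literal)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [str(p) for p in _as_list(principal.get("AWS"))]


def dual_role_principals(key_policy):
    """Return {principal: {"admin": [...], "use": [...]}} for every non-root principal
    allowed both administrative and cryptographic-use actions on the key.

    Caveats: Conditions are not evaluated (a conditional Allow is treated as granted,
    which over-reports rather than under-reports). The account root principal is
    skipped because the default "Enable IAM User Permissions" statement gives it kms:*
    and delegates the real decision to IAM policies, which a key-policy-only check
    cannot see; separation of duties for IAM-policy grants must be checked in IAM."""
    admin_by_principal, use_by_principal = {}, {}
    for statement in _as_list(key_policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if "NotAction" in statement:
            # NotAction allows everything not listed; treat conservatively as all actions.
            granted_admin, granted_use = set(ADMIN_ACTIONS), set(USE_ACTIONS)
        else:
            granted_admin = _matching_actions(statement.get("Action"), ADMIN_ACTIONS)
            granted_use = _matching_actions(statement.get("Action"), USE_ACTIONS)
        for principal in _aws_principals(statement):
            if principal.endswith(":root"):
                continue
            admin_by_principal.setdefault(principal, set()).update(granted_admin)
            use_by_principal.setdefault(principal, set()).update(granted_use)
    findings = {}
    for principal, admin in admin_by_principal.items():
        use = use_by_principal.get(principal, set())
        if admin and use:
            findings[principal] = {"admin": sorted(admin), "use": sorted(use)}
    return findings


ACCOUNT = "111122223333"  # constructed example account ID
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/KMSKeyAdmin"  # hypothetical administrator role
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AppEncryptor"   # hypothetical application role


def _key_policy(key_users):
    """Constructed key policy shaped like the console default, with a configurable key-user list."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
             "Principal": {"AWS": ADMIN_ROLE},
             "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
             "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": key_users},
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": "*"},
        ],
    }


# Non-compliant: the administrator role is also listed as a key user.
NONCOMPLIANT_POLICY = _key_policy([ADMIN_ROLE, APP_ROLE])
# Remediated (step 6 above): only the application role may use the key.
COMPLIANT_POLICY = _key_policy([APP_ROLE])

if __name__ == "__main__":
    for name, policy in (("non-compliant", NONCOMPLIANT_POLICY), ("compliant", COMPLIANT_POLICY)):
        print(name, dual_role_principals(policy))
```

To run it against a real key, export the policy with `aws kms get-key-policy --key-id <key-id> --policy-name default --query Policy --output text`, parse the output with `json.loads`, and pass the resulting dict to `dual_role_principals`. Because the root principal is skipped, a clean result from this script only covers grants made in the key policy itself; principals that receive both kinds of permission through IAM policies need a separate IAM review.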

Blue Hexagon Proprietary