Severity: High
Description: This control ensures that the CMK administrators are not also users of the key. CMK administrators have privileges to manage the CMK, including modifying the key policy, deleting the key, updating aliases and managing key material. An administrator who also holds key-use permissions, such as encrypting and decrypting with the key, could misuse those privileges. It is recommended to follow the principle of separation of duties and restrict administrators from having user privileges on the CMKs.
Remediation Steps:
Perform the following to assign the root user of the account as owner of the key:
Login to the AWS Management Console at https://console.aws.amazon.com.
Navigate to KMS console.
Select the appropriate region from the top right corner.
In the navigation pane, choose Customer managed keys, and then choose the CMK that you want to modify.
Navigate to "Key policy" and click Switch to Policy View button. Click Edit.
Add/modify the policy such that no principal with administrative privileges on the CMK is allowed user permissions on the CMK.
Click Save changes.
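As an added example (not part of this control's text or any AWS tooling), the following Python check parses a KMS key policy document and lists the principals granted both administrative and key-use actions, which is what the policy edit above is meant to eliminate. The action sets, the sample policy and the account id 111122223333 are constructed assumptions, and NotAction/NotPrincipal statement forms are not handled.

```python
# Added check: flag KMS key-policy principals that hold both admin and key-use rights.
# Action sets are an assumed subset of the console's default "Allow administration"
# and "Allow use of the key" statements, not an exhaustive list.
import fnmatch

ADMIN_ACTIONS = {"kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:UpdateAlias",
                 "kms:ImportKeyMaterial", "kms:EnableKey", "kms:DisableKey"}
USE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
               "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _expand(patterns, universe):
    """Resolve IAM action wildcards (kms:*, kms:Re*) against a known action set."""
    return {a for a in universe if any(fnmatch.fnmatchcase(a, p) for p in patterns)}

def principals_with_both(policy, ignore_account_root=True):
    """Return principal ARNs granted at least one admin and one key-use action.
    The account root principal normally holds kms:* so that IAM policies can
    delegate permissions; it is skipped unless ignore_account_root is False."""
    admin, use = {}, {}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "Principal" not in st:
            continue  # Deny statements and principal-less statements grant nothing
        prin = st["Principal"]
        arns = ["*"] if prin == "*" else _as_list(prin.get("AWS", []))
        actions = _as_list(st.get("Action", []))
        for arn in arns:
            if ignore_account_root and arn.endswith(":root"):
                continue
            admin.setdefault(arn, set()).update(_expand(actions, ADMIN_ACTIONS))
            use.setdefault(arn, set()).update(_expand(actions, USE_ACTIONS))
    return sorted(arn for arn in admin if admin[arn] and use[arn])

# Constructed sample policy: KeyAdminRole is also granted kms:Decrypt (the finding).
ACCOUNT = "arn:aws:iam::111122223333:"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ACCOUNT + "root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ACCOUNT + "role/KeyAdminRole"},
     "Action": ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:UpdateAlias",
                "kms:Decrypt"], "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ACCOUNT + "role/KeyUserRole"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
]}
```

Removing kms:Decrypt from the KeyAdminRole statement (or moving it to a separate key-user principal) makes the check return an empty list, which is the state the policy edit above should leave behind.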
Important:
Reference: