AWS-KMS-Keys-Exposed

Severity: Critical

Description: This control checks that AWS KMS keys do not allow anonymous access to use the keys. Allowing anonymous access to your AWS KMS keys is considered bad practice and can lead to sensitive data leakage. If a key policy grants permission to everyone to use the KMS key, that statement should include a Condition clause. It is recommended to follow the principle of least privilege and restrict access to the KMS key.

Remediation Steps:

Perform the following to remove the key administrator from the user list:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the KMS console.

  3. In the navigation pane, choose Customer managed keys.

  4. In the list of KMS keys, choose the alias or key ID of the KMS key.

  5. Choose the Key policy tab and click Edit. If the key policy was created when the KMS key was created in the AWS Management Console, navigate to "Key policy", click the Switch to policy view button, then click Edit.

  6. Modify the policy so that the Principal element lists specific IAM ARNs (restricted access), or add a Condition element to the key policy statement.

  7. Click Save changes.

Important:

  • When a key policy has a wildcard (*) in the Principal element without a Condition element, it allows every identity in every AWS account to use the KMS key.
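An added example of the check described above (not part of the original control text): a Python function that scans a KMS key policy document for Allow statements whose Principal is the wildcard and that carry no Condition element. Both policy documents and the account ID are constructed for this example; the aws:PrincipalAccount condition key in the restricted version is one way to apply remediation step 6.

```python
import json

# Constructed sample key policy: the second statement grants everyone
# (Principal "*") use of the key with no Condition element (the exposed case).
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowUseOfTheKey", "Effect": "Allow", "Principal": "*",
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    ],
})

# Constructed remediated policy: the wildcard statement now carries a Condition
# restricting callers to one account (one way to apply remediation step 6).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowUseOfTheKey", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:PrincipalAccount": "111122223333"}}},
    ],
})

def principal_is_wildcard(principal) -> bool:
    """True when the Principal element is everyone: "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def find_exposed_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements with a wildcard Principal and no Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    if not isinstance(statements, list):  # a single statement may be a bare object
        statements = [statements]
    exposed = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if principal_is_wildcard(stmt.get("Principal")) and not stmt.get("Condition"):
            exposed.append(stmt.get("Sid", "<no Sid>"))
    return exposed
```

Run it against the output of `aws kms get-key-policy --policy-name default` for each key; any Sid it returns is a statement to restrict as in step 6.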

Reference:

Blue Hexagon Proprietary