AWS-KMS-CMK-full-access-to-root-user-configured

Severity: High

Description: This control evaluates whether the key policy of each customer managed CMK grants the AWS account's root principal (arn:aws:iam::<account-id>:root, which in a key policy represents the account itself rather than only the root user's credentials) full access to the key (kms:* on the key). Unlike most AWS services, KMS does not grant the account root principal access to a CMK implicitly: the key policy is the only source of permissions for the key, so a CMK whose key policy names only individual users or roles becomes unmanageable if those principals are deleted or can no longer be used. Granting the root principal full access in the key policy is also what lets IAM policies in the account control access to the CMK (this is the "Enable IAM User Permissions" statement of the KMS default key policy); without it, IAM policies have no effect on the key.

Remediation Steps:

Perform the following to grant the account's root principal full access to the key:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the KMS console.

  3. Select the appropriate region from the top right corner.

  4. In the navigation pane, choose Customer managed keys, and then choose the CMK that you want to modify.

  5. Open the "Key policy" tab and click the Switch to policy view button. Click Edit.

  6. Add or modify a policy statement so that the account's root principal (arn:aws:iam::<account-id>:root) is allowed every KMS action (kms:*) on the key (Resource "*"). Keep the existing statements that other principals rely on: the edited policy replaces the previous one in full when saved.

  7. Click Save changes.
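The following is an added example, not Blue Hexagon's scanner code: it implements the check this control describes against a key policy document and builds the statement that remediation step 6 adds. It assumes the key policy is available as JSON (for instance the output of `aws kms get-key-policy --key-id <key-id> --policy-name default --output text`) and that the account ID is known; the policies in the block are constructed samples using the AWS documentation account ID 111122223333.

```python
"""Added example (not Blue Hexagon's scanner code): evaluate a KMS key policy
for root full access and build the remediating statement. Assumes the policy
is available as JSON and the account ID is known. All policies below are
constructed samples using the AWS documentation account ID 111122223333."""
import json

ACCOUNT_ID = "111122223333"  # assumption: AWS documentation example account ID


def _as_list(value):
    """IAM policy elements may be a single string or a list of strings."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element into a set of principal strings."""
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        return set(_as_list(principal.get("AWS")))
    return set(_as_list(principal))


def _names_root(statement, account_id):
    # Both forms identify the account principal in a key policy. A bare "*"
    # is deliberately not counted: that makes the key public, a separate finding.
    roots = {f"arn:aws:iam::{account_id}:root", account_id}
    return bool(_principals(statement) & roots)


def root_has_full_access(policy, account_id=ACCOUNT_ID):
    """True if an Allow statement without a Condition grants the account root
    principal kms:* (or *) on Resource "*", and no Deny statement names root.
    A conditional Allow does not count as full access; any Deny naming root
    means access is not full and the policy needs manual review."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    full = False
    for stmt in _as_list(policy.get("Statement")):
        if not _names_root(stmt, account_id):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        actions = set(_as_list(stmt.get("Action")))
        resources = set(_as_list(stmt.get("Resource")))
        if actions & {"kms:*", "*"} and "*" in resources:
            full = True
    return full


def root_full_access_statement(account_id=ACCOUNT_ID):
    """The statement remediation step 6 adds; same shape as the
    "Enable IAM User Permissions" statement of the KMS default key policy."""
    return {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }


def ensure_root_full_access(policy, account_id=ACCOUNT_ID):
    """Return a copy of the policy with the root statement appended if the
    check fails. Existing statements are kept because put-key-policy replaces
    the whole document; a Deny naming root is not removed and must be
    reviewed by hand."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    fixed = {**policy, "Statement": list(_as_list(policy.get("Statement")))}
    if not root_has_full_access(fixed, account_id):
        fixed["Statement"].append(root_full_access_statement(account_id))
    return fixed


# Constructed sample: the KMS default key policy, which passes the check.
POLICY_DEFAULT = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [root_full_access_statement()],
})

# Constructed sample: only one IAM user is named, so the key becomes
# unmanageable if that user is deleted. Fails the check.
POLICY_SINGLE_USER = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/key-admin"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

# Constructed sample: root is named but only with read-only actions. Fails.
POLICY_ROOT_READONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": ["kms:DescribeKey", "kms:GetKeyPolicy"],
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    for name, doc in [("default", POLICY_DEFAULT),
                      ("single-user", POLICY_SINGLE_USER),
                      ("root-readonly", POLICY_ROOT_READONLY)]:
        print(name, "PASS" if root_has_full_access(doc) else "FAIL")
    print(json.dumps(ensure_root_full_access(POLICY_SINGLE_USER), indent=2))
```

To apply a corrected document from the CLI instead of the console, write it to a file and run `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json`. KMS runs a policy lockout safety check on that call and rejects a policy that would remove the calling principal's ability to manage the key; do not work around a rejection with `--bypass-policy-lockout-safety-check`, since an unmanageable key is exactly the condition this control guards against.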

Important:

Reference:

Blue Hexagon Proprietary