Profile Applicability:

  • Level 2

Description:
AWS Key Management Service (KMS) enables you to create and control the encryption keys used to encrypt your data. The kms:* action grants full access to all KMS resources, including key management, encryption, decryption, and key policy modifications. Allowing full "kms:*" privileges in IAM inline policies can pose a security risk, as it grants unrestricted access to KMS keys and sensitive data.

It is essential to ensure that IAM inline policies do not include full kms:* actions unless absolutely necessary. Granting overly permissive permissions to KMS keys can result in unauthorized access to encrypted data or accidental deletion of keys, leading to data loss or security vulnerabilities. Instead, inline policies should be restrictive and only grant the specific KMS actions needed for the user or role to perform their job functions.

Rationale:
Granting full kms:* privileges without any restrictions is a security risk that could lead to unauthorized access, loss, or exposure of sensitive data. By ensuring that IAM inline policies do not include kms:*, you enforce a more secure and controlled access model, limiting access to KMS resources based on least privilege. This helps protect your sensitive encrypted data, ensuring only authorized users can manage or use KMS keys.

Impact:

Pros:

  • Enhanced security by preventing unrestricted access to KMS resources.

  • Reduces the risk of unauthorized decryption or accidental key deletion.

  • Enforces the principle of least privilege, ensuring users only have the necessary permissions to work with KMS resources.

  • Helps comply with regulatory requirements for data encryption and key management.

Cons:

  • Requires careful policy review to ensure IAM roles and users still have sufficient permissions to perform necessary tasks.

  • May require modification of IAM policies for users or roles that previously had broad access to KMS resources.

Default Value:

By default, IAM policies do not grant kms:* actions unless explicitly defined. However, it's possible that IAM inline policies may have been created that allow full access to KMS resources.

Pre-requisites:

  • AWS IAM permissions to manage IAM policies, KMS keys, and permissions:
     iam:ListPolicies
     iam:ListInlinePolicies
     iam:DeleteInlinePolicy
     iam:AttachUserPolicy
     kms:ListAliases
     kms:DescribeKey

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console using an IAM user or role with sufficient administrative privileges (NOT the root account).

  2. Navigate to IAM and select Users, Groups, or Roles.

  3. For each IAM identity (user, group, or role), review the inline policies attached to them:

    • Navigate to the Inline Policies section and look for any policy that grants kms:* permissions.

  4. If an inline policy contains the kms:* action, either delete it or modify it to restrict the actions to only those that are necessary for the specific user or role.

  5. Review the list of IAM identities and ensure that no inline policies grant full kms:* privileges.

Using AWS CLI:

  1. List all IAM users:

    aws iam list-users

  2. For each user, list the inline policies:

    aws iam list-user-policies --user-name <USER_NAME>

  3. For each inline policy, check for kms:* actions:

    aws iam get-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>

  4. If the policy allows full kms:* access, either remove the policy or modify it to restrict access:

    aws iam delete-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>

  5. To verify that inline policies are properly modified or deleted, run:

    aws iam list-user-policies --user-name <USER_NAME>
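The CLI steps above check one user at a time and only catch the literal string kms:*. The following script is an added example (not part of the benchmark and not an AWS tool) that automates the test plan across users, groups and roles and also flags the equivalent wildcard forms IAM treats the same way ("*", "*:*", case variants, and an Allow statement that uses NotAction without excluding KMS). The detection logic is pure Python; only audit_inline_policies() assumes boto3 is installed and that the credentials carry the iam:List* and iam:Get* permissions from the prerequisites. SAMPLE_POLICY is a constructed document, not one taken from a real account.

```python
"""Audit IAM inline policies on users, groups and roles for full kms:* grants.

Added example; not part of the benchmark text or an AWS tool. The detection
logic works on a policy document dict; the account walk assumes boto3 and
iam:List*/iam:Get* permissions (assumption).
"""
import fnmatch
from typing import Any


def _as_list(value: Any) -> list:
    """IAM allows Statement, Action and NotAction to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_covers_all_kms(action: str) -> bool:
    """True if one action pattern grants every KMS action.

    IAM matches actions case-insensitively and '*' is a wildcard, so besides
    the literal 'kms:*' this also catches '*', '*:*' and 'k*:*'.
    """
    pattern = action.lower()
    if pattern == "*":
        return True
    if ":" not in pattern:
        return False
    service, verb = pattern.split(":", 1)
    return fnmatch.fnmatchcase("kms", service) and verb == "*"


def find_full_kms_statements(policy_doc: dict) -> list[str]:
    """Return one reason string per Allow statement that grants all KMS actions."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if str(stmt.get("Effect", "")).lower() != "allow":
            continue  # Deny statements never widen access
        broad = [a for a in map(str, _as_list(stmt.get("Action"))) if action_covers_all_kms(a)]
        if broad:
            findings.append(f"statement {idx}: Action {broad} grants all kms:* actions")
        elif "NotAction" in stmt:
            # Allow + NotAction permits everything not listed; unless the list
            # itself excludes all of KMS, the statement still grants kms:*.
            excluded = any(action_covers_all_kms(str(a)) for a in _as_list(stmt["NotAction"]))
            if not excluded:
                findings.append(f"statement {idx}: Allow with NotAction {stmt['NotAction']} still grants all kms:* actions")
    return findings


# Identity kind -> (identity paginator, response key, name field,
#                   inline-policy-name paginator, getter for the document)
_IDENTITY_KINDS = (
    ("user", "list_users", "Users", "UserName", "list_user_policies", "get_user_policy"),
    ("group", "list_groups", "Groups", "GroupName", "list_group_policies", "get_group_policy"),
    ("role", "list_roles", "Roles", "RoleName", "list_role_policies", "get_role_policy"),
)


def audit_inline_policies(iam=None) -> list[dict]:
    """Walk every user, group and role; report inline policies with full kms:* grants."""
    if iam is None:
        import boto3  # imported lazily so the detector above stays usable offline
        iam = boto3.client("iam")
    findings = []
    for kind, lister, key, name_field, policy_lister, getter in _IDENTITY_KINDS:
        for page in iam.get_paginator(lister).paginate():
            for identity in page[key]:
                name = identity[name_field]
                for ppage in iam.get_paginator(policy_lister).paginate(**{name_field: name}):
                    for policy_name in ppage["PolicyNames"]:
                        # boto3 returns PolicyDocument already URL-decoded into a dict
                        doc = getattr(iam, getter)(**{name_field: name, "PolicyName": policy_name})["PolicyDocument"]
                        for reason in find_full_kms_statements(doc):
                            findings.append({"identity": f"{kind}/{name}", "policy": policy_name, "reason": reason})
    return findings


# Constructed sample inline policy (not from any real account): statement 0 is
# the finding the benchmark describes, statement 1 is a correctly scoped grant.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "kms:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt"],
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    ],
}

if __name__ == "__main__":
    for reason in find_full_kms_statements(SAMPLE_POLICY):
        print("offline check:", reason)
    for f in audit_inline_policies():  # needs AWS credentials
        print(f"{f['identity']} inline policy {f['policy']}: {f['reason']}")
```

Run it with credentials for the account under review; each finding names the identity, the inline policy and the statement index, which is exactly what step 4 of the CLI test plan needs before deciding whether to delete or rewrite the policy. Managed (attached) policies are out of scope for this recommendation and are not walked.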

Implementation Plan:

Using AWS Console:

  1. Open the IAM Console and navigate to Users, Groups, or Roles.

  2. Select each IAM identity and review the inline policies.

  3. If an inline policy contains kms:*, click Detach or Delete to remove the policy.

  4. Modify the policy to ensure that only specific KMS actions are allowed, such as:

    • kms:Encrypt, kms:Decrypt for encryption tasks.

    • kms:DescribeKey, kms:ListAliases for key management.

  5. Save the changes and verify that IAM users or roles have restrictive access to KMS resources.

Using AWS CLI:

  1. To delete an inline policy with full kms:* access, run the following command:

    aws iam delete-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>

  2. If necessary, attach a more restrictive policy to the user:

    aws iam put-user-policy --user-name <USER_NAME> --policy-name <NEW_POLICY_NAME> --policy-document <NEW_POLICY_DOCUMENT_JSON>

  3. Verify that no full kms:* policies are attached:

    aws iam list-user-policies --user-name <USER_NAME>
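Step 2 above leaves the shape of the restrictive replacement policy to the reader. The following is an added example (not part of the benchmark) that builds the policy document using the action sets named in the console implementation plan (kms:Encrypt and kms:Decrypt for encryption tasks, kms:DescribeKey and kms:ListAliases for key lookup), pins the key-scoped actions to explicit key ARNs, and applies it with boto3's put_user_policy. The key ARN and user name in the usage are placeholders; put_inline_policy() assumes boto3 is installed and the caller holds iam:PutUserPolicy.

```python
"""Build and apply a least-privilege replacement for a kms:* inline policy.

Added example; not part of the benchmark text. Action sets follow the
benchmark's implementation plan; boto3 and iam:PutUserPolicy are assumed.
"""
import json

# Key-scoped actions from the benchmark's implementation plan.
KMS_KEY_SCOPED_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"]
# kms:ListAliases is not evaluated against a key ARN, so it needs Resource "*".
KMS_ACCOUNT_SCOPED_ACTIONS = ["kms:ListAliases"]


def restrictive_kms_policy(key_arns: list[str]) -> dict:
    """Return a policy document granting only the listed actions on the listed keys."""
    if not key_arns:
        raise ValueError("scope the policy to at least one KMS key ARN")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "UseSpecificKeys", "Effect": "Allow",
             "Action": list(KMS_KEY_SCOPED_ACTIONS), "Resource": list(key_arns)},
            {"Sid": "ListAliasesOnly", "Effect": "Allow",
             "Action": list(KMS_ACCOUNT_SCOPED_ACTIONS), "Resource": "*"},
        ],
    }


def has_wildcard_kms(policy: dict) -> bool:
    """Guard used before applying: True if any statement still grants '*' or 'kms:*'."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(a.lower() in ("*", "kms:*") for a in actions):
            return True
    return False


def put_inline_policy(user_name: str, policy_name: str, key_arns: list[str], iam=None) -> dict:
    """Replace the user's inline policy with the restricted document and return it."""
    doc = restrictive_kms_policy(key_arns)
    if has_wildcard_kms(doc):
        raise ValueError("refusing to apply a policy that still contains kms:*")
    if iam is None:
        import boto3  # lazy import so the document builder is usable offline
        iam = boto3.client("iam")
    # PutUserPolicy creates or overwrites the named inline policy
    iam.put_user_policy(UserName=user_name, PolicyName=policy_name, PolicyDocument=json.dumps(doc))
    return doc


if __name__ == "__main__":
    # Placeholder ARN and user name; replace with real values (constructed for this example).
    example_key = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    print(json.dumps(restrictive_kms_policy([example_key]), indent=2))
    # put_inline_policy("<USER_NAME>", "<NEW_POLICY_NAME>", [example_key])  # needs credentials
```

To apply the same document with the CLI from step 2, write the printed JSON to a file and pass it as `--policy-document file://policy.json`. Adjust the action list to the identity's real workload (for example, envelope encryption needs kms:GenerateDataKey as well); the point is that every action is named explicitly and the data-plane actions are tied to specific keys rather than to Resource "*".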

Backout Plan:

Using AWS Console:

  1. If removing or modifying the inline policies causes issues, sign in to the AWS Management Console.

  2. Navigate to the affected user, group, or role, and re-attach or modify the inline policy as necessary.

  3. Ensure that the new policy does not provide full kms:* privileges.

Using AWS CLI:

  1. If the policy needs to be reattached, run:

    aws iam put-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME> --policy-document <POLICY_DOCUMENT_JSON>

  2. Verify the modified policy to ensure it is restrictive:

    aws iam get-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>

Reference:

CIS Controls:

  Version   Control ID   Control Description
  7.1       3.1          Ensure IAM inline policies do not grant full kms:* privileges to prevent overly broad access to encryption keys and resources.
  7.1       8.1          Restrict IAM inline policies for KMS to necessary actions, ensuring that policies are based on the least privilege principle.