Profile Applicability:
Level 2
Description:
IAM (Identity and Access Management) is a service in AWS that helps you securely manage access to AWS services and resources. KMS (Key Management Service) is a managed service that allows you to create and control encryption keys for your data. Policies in IAM define which resources users, groups, or roles can access and which actions they can perform. Policies that allow full kms:* privileges grant unrestricted access to all KMS actions, which can lead to potential security risks if misused.
Rationale:
Granting kms:* (full KMS privileges) in an IAM policy provides unrestricted access to create, modify, and delete encryption keys. This is highly sensitive and could lead to unauthorized access to encrypted data or the ability to tamper with key management configurations. Restricting the kms:* permissions aligns with security best practices and the principle of least privilege, ensuring that users only have the permissions they need to perform their job functions.
Impact:
If an IAM policy grants kms:* privileges:
It can expose sensitive encryption keys to unauthorized access.
Users may gain the ability to decrypt or alter encrypted data.
It can result in data integrity issues, unauthorized key management actions, or non-compliance with regulatory standards.
It violates the principle of least privilege, increasing the risk of security breaches.
Default Value:
By default, IAM policies do not include kms:* permissions unless explicitly configured. It is important to regularly review and ensure that policies do not grant excessive permissions to sensitive services like KMS.
Pre-requisites:
Access to AWS Management Console or AWS CLI with sufficient IAM permissions.
Familiarity with IAM policies, KMS permissions, and security best practices.
Knowledge of the principle of least privilege and the importance of secure key management.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Policies in the AWS IAM console.
Review each policy and check for kms:* permissions.
Open any policy that might include kms:* permissions and verify its scope and necessity.
If a policy includes kms:*, ensure it is justified, or modify it to restrict access to only the required KMS actions.
Document the changes made for auditing purposes.
Using AWS CLI:
List all IAM policies using the following command:
aws iam list-policies --scope Local
For each policy, retrieve its details using:
aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>
Review the policy document to check for kms:* permissions.
If such permissions are found, evaluate if they are necessary and modify the policy.
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Policies in AWS IAM console.
Review each customer-managed policy for kms:* permissions.
If any policy includes kms:*, evaluate whether the policy should be adjusted.
Go to the ‘Entities attached’ tab and detach any overly permissive policies from users, roles, or groups if they are not required.
Using AWS CLI:
List all IAM policies using aws iam list-policies.
For each policy, retrieve its details with aws iam get-policy-version.
Examine the policy for kms:* permissions.
If such permissions are found, detach the policy from the relevant users, groups, or roles:
aws iam detach-user-policy --user-name <USER_NAME> --policy-arn <POLICY_ARN>
aws iam detach-role-policy --role-name <ROLE_NAME> --policy-arn <POLICY_ARN>
aws iam detach-group-policy --group-name <GROUP_NAME> --policy-arn <POLICY_ARN>
Modify the policy to restrict permissions and reattach if necessary.
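The review step in the Test Plan and the "modify the policy to restrict permissions" step in the Implementation Plan can be checked offline against the JSON that `aws iam get-policy-version` returns. The following script is an added example, not part of this benchmark or any AWS tooling; it assumes the policy documents were saved to files with `aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id> > policy.json` (the CLI returns the document already decoded under `PolicyVersion.Document`). It treats an Allow statement as granting full KMS privileges when its Action contains `*` or `kms:*` (action names are case-insensitive), or when it uses NotAction without excluding any `kms:` action, which implicitly allows every KMS action. The two sample policies and the key ARN are constructed placeholders; the scoped-down policy shows the kind of replacement the Implementation Plan calls for, limited to data-path actions on one key.

```python
"""Flag IAM policy documents that grant full KMS privileges (kms:* or *)."""
import json
import sys

KMS_PREFIX = "kms:"


def _as_list(value):
    """IAM allows Action/NotAction/Statement to be a string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def full_kms_grants(doc):
    """Return one finding string per statement that grants every KMS action.

    A statement is reported when Effect is Allow and either
      * Action contains "*" or "kms:*" (compared case-insensitively), or
      * it uses NotAction and no excluded action covers KMS, which
        implicitly allows every kms: action.
    Deny statements are never reported.
    """
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if any(a in ("*", KMS_PREFIX + "*") for a in actions):
            findings.append(f"statement {i}: Allow with Action {actions}")
            continue
        if "NotAction" in stmt:
            excluded = [a.lower() for a in _as_list(stmt["NotAction"])]
            if not any(a == "*" or a.startswith(KMS_PREFIX) for a in excluded):
                findings.append(
                    f"statement {i}: Allow with NotAction that does not exclude kms:"
                )
    return findings


def unwrap_policy_version(obj):
    """Accept either a bare policy document or the full output of
    `aws iam get-policy-version`, which wraps it in PolicyVersion.Document."""
    if "PolicyVersion" in obj:
        return obj["PolicyVersion"]["Document"]
    return obj


# Constructed sample: an overly broad customer-managed policy (hypothetical).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": "KMS:*", "Resource": "*"},
    ],
}

# Constructed sample: a least-privilege replacement that allows only the
# data-path actions an application needs, on one key, with no key administration.
# The account id and <KEY_ID> are placeholders, not real identifiers.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/<KEY_ID>",
        }
    ],
}


def main(paths):
    """Check each saved `aws iam get-policy-version` output; return finding count."""
    count = 0
    for path in paths:
        with open(path) as fh:
            doc = unwrap_policy_version(json.load(fh))
        for finding in full_kms_grants(doc):
            print(f"{path}: {finding}")
            count += 1
    return count


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv[1:]) else 0)
```

Run it as `python check_kms.py policy1.json policy2.json`; a non-zero exit means at least one policy still grants full KMS privileges and should be detached or rewritten along the lines of `SCOPED_POLICY`. The `<version-id>` to pass to `get-policy-version` is the `DefaultVersionId` reported by `aws iam get-policy`.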
Backout Plan:
Using AWS Console:
If removing or restricting the kms:* policy causes issues, sign in to the AWS Management Console.
Navigate to IAM Policies and reattach the previous policy (if necessary).
Ensure that the reattached policy still follows the principle of least privilege and does not provide full access to kms:*.
Using AWS CLI:
If you need to reattach a policy that was removed, run the following:
aws iam attach-user-policy --user-name <USER_NAME> --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
Verify that the reverted policy is attached:
aws iam list-attached-user-policies --user-name <USER_NAME>
Reference:
CIS Controls: