Profile Applicability:
Level 1
Description:
This control ensures that AWS Key Management Service (KMS) keys—particularly customer-managed CMKs—are not exposed through overly permissive IAM or key policies. Exposed KMS keys (for example, those allowing public access, cross-account access without restrictions, or "Principal": "*") can be misused to decrypt, re-encrypt, or manage sensitive data. Regular review of KMS key policies and grants helps maintain strict access control and prevents potential data compromise.
Rationale:
KMS keys are central to encryption and decryption operations in AWS. Improperly configured key policies or grants can expose sensitive encryption keys to unauthorized users, applications, or AWS accounts. Ensuring that KMS keys are not publicly accessible or shared without justification is essential for maintaining data confidentiality, integrity, and compliance with frameworks such as CIS, SOC 2, ISO 27001, HIPAA, and PCI DSS.
Impact:
Positive Impact:
Prevents unauthorized use of encryption keys and protects sensitive data.
Ensures compliance with data protection standards and key management best practices.
Reduces the risk of privilege escalation through key misuse.
Negative Impact:Overly restrictive key access could disrupt legitimate services relying on shared encryption keys.
Default Value:
By default, AWS KMS key policies grant access only to the key administrator and account owner. However, key policies can be modified, and insecure configurations must be manually identified and corrected.
Pre-Requisite:
IAM permissions required:
kms:ListKeys,kms:GetKeyPolicy, andkms:ListGrants.Awareness of which AWS accounts, roles, or services legitimately require access to the KMS CMKs.
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS Key Management Service (KMS) → Customer managed keys.
Select each key and go to the Key policy tab.
Review the JSON key policy for overly permissive statements, including:
"Principal": "*"(public access)."Action": "kms:*"(full administrative privileges).Cross-account access without restrictions or conditions.
Review the Grants tab to identify any external accounts or roles with broad permissions.
If any of these are found, the key is exposed and must be remediated.
Implementation Plan
Using AWS Console:
Navigate to AWS Key Management Service → Customer managed keys.
Select the key that has an exposed or overly permissive policy.
In the Key policy tab, click Edit.
Remove any statements containing
"Principal": "*"or broad"Action": "kms:*".Restrict access to specific IAM users, roles, or AWS services that require the key.
Add conditions (such as
"aws:SourceAccount"or"aws:SourceArn") to limit cross-account access.Save the changes and verify that legitimate workloads continue functioning properly.
Backout Plan:
If a service or application stops working after key policy tightening:
Revert to the previous key policy from backup or AWS Config history.
Identify required principals and re-add them explicitly.
Implement the least privilege principle—grant only the minimal actions required (
kms:Encrypt,kms:Decrypt, etc.) for specific roles.
References: