KMS Key has a vulnerable policy
ID | aws_kms_key_with_vuln_policy
Severity | high
Vendor | AWS
Resource | IAM
Tags | reachable
Description
KMS Key has a vulnerable policy: all users can encrypt and decrypt with it. Each application should use its own key to avoid over-exposure.
To fix it, avoid configuring the Principal element of any policy statement as "*" (all principals).
Learn more about this topic at AWS Key policy.
Examples
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Describe the policy statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "kms:DescribeKey",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:KeySpec": "SYMMETRIC_DEFAULT"
        }
      }
    }
  ]
}
Mitigation / Fix
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Describe the policy statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/Alice"
      },
      "Action": "kms:DescribeKey",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:KeySpec": "SYMMETRIC_DEFAULT"
        }
      }
    }
  ]
}
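The following is an added example, not the scanner's own implementation of this rule: a small Python check that parses a KMS key policy document and reports every Allow statement whose Principal is the wildcard "*". The two policies it is run against are the vulnerable and fixed examples from this page, embedded as constructed inputs; the function names are assumptions chosen for the example.

```python
import json

# Constructed sample inputs: the two key policies shown on this page.
VULNERABLE_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Describe the policy statement",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "kms:DescribeKey",
      "Resource": "*",
      "Condition": {"StringEquals": {"kms:KeySpec": "SYMMETRIC_DEFAULT"}}
    }
  ]
}
"""

FIXED_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Describe the policy statement",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:user/Alice"},
      "Action": "kms:DescribeKey",
      "Resource": "*",
      "Condition": {"StringEquals": {"kms:KeySpec": "SYMMETRIC_DEFAULT"}}
    }
  ]
}
"""


def _principals(principal):
    """Normalise a Principal element to a flat list of principal strings.

    IAM allows "Principal": "*" as well as {"AWS": "*"}, {"AWS": [...]},
    {"Service": ...} and so on; all of these forms are handled here.
    """
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        found = []
        for value in principal.values():
            if isinstance(value, str):
                found.append(value)
            elif isinstance(value, list):
                found.extend(v for v in value if isinstance(v, str))
        return found
    return []


def find_wildcard_principal_statements(policy):
    """Return the Sid (or positional label) of each Allow statement whose
    Principal is "*".

    A Condition element is deliberately not treated as narrowing the
    principal: this mirrors the rule's advice that the Principal element
    itself must not be "*". (Hypothetical checker, not the scanner's code.)
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


def is_vulnerable(policy):
    """True when at least one Allow statement grants access to all principals."""
    return bool(find_wildcard_principal_statements(policy))


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_POLICY_JSON), ("fixed", FIXED_POLICY_JSON)):
        policy = json.loads(text)
        print(label, "->", find_wildcard_principal_statements(policy) or "no wildcard principals")
```

The Condition on kms:KeySpec in both examples restricts which keys the statement applies to, not who may call; it therefore does not make a wildcard Principal acceptable, which is why the check above ignores Condition when deciding. Deny statements are skipped because a Principal of "*" in a Deny narrows access rather than widening it.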