Ensure KMS key policy does not contain wildcard (*) principal

ID

kms_key_policy_without_wildcard

Severity

low

Vendor

AWS

Resource

Secrets Manager

Tags

reachable

Description

A key policy is a resource policy for an AWS KMS key.

Key policies are the primary way to control access to KMS keys. Every KMS key must have exactly one key policy. The statements in the key policy determine who has permission to use the KMS key and how they can use it. You can also use IAM policies and grants to control access to the KMS key, but every KMS key must have a key policy.

When the principal in a key policy statement is the account principal, the policy statement doesn’t give any IAM users or roles permission to use the KMS key. Instead, it allows the account to use IAM policies to delegate the permissions specified in the policy statement. This default key policy statement allows the account to use IAM policies to delegate permission for all actions (kms:*) on the KMS key.

We recommend using a restrictive set of principals instead of the wildcard.

Examples

CloudFormation

{
  "Resources": {
    "myKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": { (1)
                "AWS": "*"
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        },
        "EnableKeyRotation": true
      }
    }
  }
}
1 `Principal` with a wildcard value allows any principal to use this KMS key.
Resources:
  myKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal: (1)
            AWS: '*'
          Action: 'kms:*'
          Resource: '*'
      EnableKeyRotation: true
1 `Principal` with a wildcard value allows any principal to use this KMS key.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "myKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": { (1)
                "AWS": {
                  "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"
                }
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        },
        "EnableKeyRotation": true
      }
    }
  }
}
1 `Principal` without a wildcard value.
Resources:
  myKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal: (1)
            AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
          Action: 'kms:*'
          Resource: '*'
      EnableKeyRotation: true
1 `Principal` without a wildcard value.
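The following is an added example of the buildtime check this rule describes, written for this page rather than taken from any scanner's source: it walks a CloudFormation template (as a parsed JSON/YAML dictionary), finds every `AWS::KMS::Key`, and reports `Allow` statements whose `Principal` is a wildcard in any of the spellings CloudFormation accepts. The two templates at the bottom are constructed copies of the wildcard and fixed examples above; function names are my own.

```python
import json

def principal_is_wildcard(principal):
    """True if a statement's Principal grants access to every principal.

    Covers the three spellings that mean 'everyone':
    "Principal": "*", {"AWS": "*"} and {"AWS": ["*", ...]}.
    A Condition block would narrow such a statement, but this check
    still flags it so a reviewer looks at it (conservative by design).
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False

def wildcard_statements(key_policy):
    """Return the Sids of Allow statements whose Principal is a wildcard."""
    statements = key_policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is valid too
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and principal_is_wildcard(s.get("Principal"))]

def check_template(template):
    """Map every AWS::KMS::Key logical id to the Sids that violate the rule."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::KMS::Key":
            continue
        policy = resource.get("Properties", {}).get("KeyPolicy", {})
        sids = wildcard_statements(policy)
        if sids:
            findings[logical_id] = sids
    return findings

# Constructed sample input: the page's template in its wildcard and fixed forms.
def _template(principal):
    return {"Resources": {"myKey": {"Type": "AWS::KMS::Key", "Properties": {
        "KeyPolicy": {"Version": "2012-10-17", "Id": "key-default-1", "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": principal, "Action": "kms:*", "Resource": "*"}]},
        "EnableKeyRotation": True}}}}

WILDCARD_TEMPLATE = _template({"AWS": "*"})
FIXED_TEMPLATE = _template({"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}})

if __name__ == "__main__":
    print(json.dumps(check_template(WILDCARD_TEMPLATE)))  # {"myKey": ["Enable IAM User Permissions"]}
    print(json.dumps(check_template(FIXED_TEMPLATE)))     # {}
```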