top of page

KMS.1

IAM customer managed policies should not allow decryption actions on all KMS keys

Severity

Cloud Platforms

Resources

Related Standards

Automated

MEDIUM

AWS

AWS Key Management Service

AWS Foundational Best Practice, CDR, ISO27001, SOC2, NIST.800-53.r5,

Checks whether the default version of IAM customer managed policies allow principals to use the AWS Key Management Service (KMS) decryption actions on all resources. This control fails if kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.

6pl org white ai logo.png

(C) Copyright 2023 6PILLARS CLOUD AUTOMATION PTY LTD

bottom of page