KMS.2
IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys
Severity: MEDIUM
Cloud Platforms: AWS
Resources: AWS Key Management Service
Related Standards: AWS Foundational Best Practice, CDR, ISO27001, SOC2, NIST.800-53.r5,
Automated
Checks whether the inline policies embedded in your IAM principals (roles, users and groups) allow the AWS Key Management Service (KMS) decryption actions on all KMS keys. This control fails if an inline policy allows the kms:Decrypt or kms:ReEncryptFrom action on all KMS keys rather than on specific key ARNs. Note that only inline policies are evaluated here; the same grant in an attached managed policy is not covered by this control.
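The following is an added example of the detection logic, not code from the page's own scanner: it evaluates an IAM inline policy document offline and reports every Allow statement that grants kms:Decrypt or kms:ReEncryptFrom on all KMS keys. It assumes "all KMS keys" means a Resource of "*" or a KMS key ARN wildcarded in region, account and key id (a slightly broader reading than a bare "*"), treats NotAction and NotResource conservatively, and does not exempt statements that carry a Condition. The policy documents are constructed for the example; the account id is the AWS documentation placeholder. In a real scanner the documents would come from iam get-role-policy, get-user-policy and get-group-policy.

```python
"""Offline check for the KMS.2 condition: an Allow statement in an inline
policy granting kms:Decrypt or kms:ReEncryptFrom on all KMS keys."""
import fnmatch
import json
import re

BLOCKED_ACTIONS = ("kms:Decrypt", "kms:ReEncryptFrom")

# Resource values treated as "all KMS keys": a bare "*" or a KMS ARN whose
# region, account and key id are all wildcarded. Assumption: broader than the
# bare "*" the control text literally describes.
_ALL_KEYS_ARN = re.compile(r"^arn:[^:]*:kms:\*:\*:(\*|key/\*)$")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource fields; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _granted_blocked_actions(stmt):
    """Return the BLOCKED_ACTIONS this statement allows (empty if not Allow)."""
    if stmt.get("Effect") != "Allow":
        return []
    if "NotAction" in stmt:
        # NotAction allows everything that is NOT listed, so a blocked action
        # is granted when no NotAction pattern matches it.
        patterns = _as_list(stmt["NotAction"])
        return [a for a in BLOCKED_ACTIONS
                if not any(_action_matches(p, a) for p in patterns)]
    patterns = _as_list(stmt.get("Action"))
    return [a for a in BLOCKED_ACTIONS
            if any(_action_matches(p, a) for p in patterns)]


def _covers_all_keys(stmt):
    """True if the statement's resource scope includes every KMS key."""
    if "NotResource" in stmt:
        # "Everything except X" is treated as covering all keys (conservative).
        return True
    return any(r == "*" or _ALL_KEYS_ARN.match(r)
               for r in _as_list(stmt.get("Resource")))


def find_blocked_kms_grants(policy_doc):
    """Return [(statement id, action)] for each blocked grant on all keys.

    Accepts a dict or a JSON string. Statements with a Condition are still
    reported; the control text does not exempt them.
    """
    if isinstance(policy_doc, str):
        policy_doc = json.loads(policy_doc)
    findings = []
    for idx, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if not _covers_all_keys(stmt):
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        for action in _granted_blocked_actions(stmt):
            findings.append((sid, action))
    return findings


def inline_policy_fails_kms2(policy_doc):
    """The control fails when at least one blocked grant exists."""
    return bool(find_blocked_kms_grants(policy_doc))


# Constructed sample inline policies (not taken from any real account).
NONCOMPLIANT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BroadDecrypt", "Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    {"Sid": "WildcardKms", "Effect": "Allow",
     "Action": "kms:*", "Resource": "arn:aws:kms:*:*:key/*"},
]}

# NotAction on "*" silently grants both blocked actions.
NOTACTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": "s3:*", "Resource": "*"},
]}

# Same actions, but scoped to one key ARN: passes. ListKeys on "*" is fine.
COMPLIANT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ScopedDecrypt", "Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
     "Resource": "arn:aws:kms:us-east-1:123456789012:key/"
                 "1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"Sid": "ListOnly", "Effect": "Allow",
     "Action": "kms:ListKeys", "Resource": "*"},
]}

if __name__ == "__main__":
    for name, doc in [("noncompliant", NONCOMPLIANT_POLICY),
                      ("notaction", NOTACTION_POLICY),
                      ("compliant", COMPLIANT_POLICY)]:
        print(name, "FAIL" if inline_policy_fails_kms2(doc) else "PASS",
              find_blocked_kms_grants(doc))
```

The NotAction case is the one most often missed by hand review: a statement that denies nothing KMS-related while allowing "everything else" on Resource "*" grants both decryption actions on every key in the account. The remediation in all flagged cases is the same: list the specific key ARNs the principal needs in Resource instead of a wildcard.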