bug(rule): rule KMS Key With Full Permissions is creating false alarms #6844

Open
jpriebe opened this issue Jan 3, 2024 · 0 comments
Labels
aws PR related with AWS Cloud bug Something isn't working community Community contribution query New query feature terraform Terraform query

Comments

@jpriebe

jpriebe commented Jan 3, 2024

I believe there is a bug in the KMS Key With Full Permissions rule.

A previous issue brought this up, but I don't think the right conclusion was reached.

KMS keys frequently have a policy that allows IAM to manage access to keys. This policy would generally look something like this:

{
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "Enable IAM User Permissions",
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::ACCOUNTID:root"
        },
        "Action" : "kms:*",
        "Resource" : "*"
      }
    ]
}

This policy statement includes the action kms:*, which is triggering this rule. Despite the fact that it has the string kms:* in the policy, it is not actually granting any KMS permissions to any IAM identities (because the only principal listed is the account principal - the :root principal), and hence, does not represent a security vulnerability.

From the documentation:

When the principal in a key policy statement is the account principal, the policy statement doesn't give any IAM principal permission to use the KMS key. Instead, it allows the account to use IAM policies to delegate the permissions specified in the policy statement. This default key policy statement allows the account to use IAM policies to delegate permission for all actions (kms:*) on the KMS key.

Crafting these kinds of policies to avoid a KICS error is not practical, as you have to enumerate all KMS actions in the policy.

Can this rule be modified so that it only triggers on kms:* if there are principals other than the account principal?

In addition, it seems that if the key is defined without a policy, KICS will trigger this error. In the case of a key with no policy, AWS creates a default policy that looks much like the one above. So a key with no policy is not a security risk, either.

@jpriebe jpriebe changed the title bug(rule): KMS Key With Full Permissions bug(rule): rule KMS Key With Full Permissions is creating false alarms Jan 3, 2024
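The behaviour the issue asks for, shown as an added Python illustration rather than KICS's own Rego query or code from the issue author: a statement is only reported when it grants `kms:*` (or `*`) to a principal other than the key's own account principal, and a key with no policy is treated as carrying AWS's default key policy and is not reported. The account IDs, Sids and function names below are constructed for the example; real KICS scans of Terraform usually do not know the key's account ID, so `account_id=None` is assumed to mean "accept any `:root` ARN as the account principal".

```python
"""Checker for the rule logic proposed in this issue (added illustration;
not KICS's query and not the issue author's code)."""
import json
import re
from typing import Any, Optional

# arn:aws:iam::123456789012:root is the "account principal" the issue refers to.
ROOT_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def _as_list(value: Any) -> list:
    """IAM lets most policy fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_all_kms_actions(statement: dict) -> bool:
    """True if Action covers every KMS action. Action names are matched
    case-insensitively, as IAM does; a bare "*" also covers kms:*."""
    actions = [str(a).lower() for a in _as_list(statement.get("Action"))]
    return any(a in ("*", "kms:*") for a in actions)


def _non_account_principals(statement: dict, account_id: Optional[str]) -> list:
    """Principals in the statement that are NOT the account principal.

    With account_id set, only that account's :root ARN counts as the account
    principal; another account's :root hands the key to that account's IAM and
    is reported. With account_id=None (assumption: key's account unknown, the
    usual case for a Terraform scan) any :root ARN is accepted.
    """
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]  # anonymous / everyone: clearly not the account principal
    if not isinstance(principal, dict):
        return []
    reported = []
    for ptype, values in principal.items():
        for value in _as_list(values):
            if ptype == "AWS":
                match = ROOT_ARN_RE.match(str(value))
                if match and (account_id is None or match.group(1) == account_id):
                    continue  # account principal: only enables IAM delegation
            reported.append(value)  # users, roles, "*", Service, Federated, ...
    return reported


def find_full_permission_grants(policy: Any, account_id: Optional[str] = None) -> list:
    """Return [(Sid, [principals])] for Allow statements granting kms:* to
    something other than the account principal. `policy` may be a JSON string,
    a parsed dict, or None (no policy set: AWS applies its default key policy,
    whose only principal is the account principal, so nothing is reported)."""
    if policy is None:
        return []
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _grants_all_kms_actions(stmt):
            continue
        extra = _non_account_principals(stmt, account_id)
        if extra:
            findings.append((stmt.get("Sid", "<no Sid>"), extra))
    return findings


# Constructed sample policies; account IDs are made up for the example.
DEFAULT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}]}
MIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RootPlusUser", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                           "arn:aws:iam::111122223333:user/alice"]},
     "Action": "kms:*", "Resource": "*"}]}
WORLD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAnyone", "Effect": "Allow", "Principal": "*",
     "Action": ["kms:*"], "Resource": "*"}]}
CROSS_ACCOUNT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OtherAccountRoot", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
     "Action": "KMS:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in [("default", DEFAULT_POLICY), ("no policy", None),
                      ("mixed", MIXED_POLICY), ("world", WORLD_POLICY),
                      ("cross-account", CROSS_ACCOUNT_POLICY)]:
        print(name, find_full_permission_grants(pol, "111122223333"))
```

The default policy from the issue and a key with no policy produce no finding; the mixed statement is reported only for `user/alice`, and the cross-account `:root` is reported when the key's own account ID is known, since that statement delegates `kms:*` to a different account's IAM.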