I believe there is a bug in the KMS Key With Full Permissions rule.

A previous issue brought this up, but I don't think the right conclusion was reached.

KMS keys frequently have a policy that allows IAM to manage access to keys. This policy would generally look something like this:

This policy statement includes the action `kms:*`, which is triggering this rule. Despite the fact that it has the string `kms:*` in the policy, it is not actually granting any KMS permissions to any IAM identities (because the only principal listed is the account principal - the `:root` principal), and hence, does not represent a security vulnerability.

From the documentation:

> When the principal in a key policy statement is the account principal, the policy statement doesn't give any IAM principal permission to use the KMS key. Instead, it allows the account to use IAM policies to delegate the permissions specified in the policy statement. This default key policy statement allows the account to use IAM policies to delegate permission for all actions (`kms:*`) on the KMS key.

Crafting these kinds of policies to avoid a KICS error is not practical, as you have to enumerate all KMS actions in the policy.

Can this rule be modified so that it only triggers on `kms:*` if there are principals other than the account principal?

In addition, it seems that if the key is defined without a policy, KICS will trigger this error. In the case of a key with no policy, AWS creates a default policy that looks much like the one above. So a key with no policy is not a security risk, either.
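The refinement the issue asks for, written out as an added example (my code, not the KICS rule or any of the project's own Rego): a key policy is flagged only when an `Allow` statement grants `kms:*` (or `*`) to some principal other than the scanned account's own `:root` principal, and a key with no policy at all is treated like AWS's default key policy and not flagged. The sample policies below are constructed for the example and modelled on the shape of the AWS default key policy; the account id `111122223333` is a placeholder.

```python
"""Proposed shape of the "KMS Key With Full Permissions" check.

A statement is only reported when it grants kms:* (or *) to a principal that
is NOT this account's root principal. The account principal case delegates
access decisions to IAM policies and grants nothing by itself.
"""
import json
import re
from typing import Any, Iterable, Optional

# Matches arn:aws:iam::<12-digit account>:root in any AWS partition (aws, aws-cn, aws-us-gov).
ACCOUNT_ROOT_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):root$")


def _as_list(value: Any) -> list:
    """Policy JSON lets a scalar stand in for a one-element list; normalise that."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_all_kms_actions(statement: dict) -> bool:
    """True when the statement's Action covers every KMS action."""
    return any(a in ("kms:*", "*") for a in _as_list(statement.get("Action")))


def _principals(statement: dict) -> Iterable[str]:
    """Yield every principal in a statement, whatever JSON shape it uses."""
    principal = statement.get("Principal")
    if principal == "*":                       # anonymous / everyone
        yield "*"
        return
    if isinstance(principal, dict):            # {"AWS": [...]}, {"Service": ...}, {"Federated": ...}
        for kind, values in principal.items():
            for v in _as_list(values):
                yield v if kind == "AWS" else f"{kind}:{v}"
    # A statement with no Principal yields nothing and is therefore never flagged.


def _is_own_account_root(principal: str, account_id: str) -> bool:
    """Only arn:aws:iam::<this account>:root (or the bare account id, which AWS treats the same) qualifies."""
    m = ACCOUNT_ROOT_RE.match(principal)
    if m:
        return m.group(1) == account_id
    return principal == account_id


def offending_statements(policy_json: Optional[str], account_id: str) -> list:
    """Return the Sids of statements granting kms:* to a principal other than the account principal."""
    if not policy_json:
        # Key created without a policy: AWS applies its default policy, which
        # grants kms:* to the account principal only, so there is nothing to flag.
        return []
    policy = json.loads(policy_json)
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _grants_all_kms_actions(stmt):
            continue
        if any(not _is_own_account_root(p, account_id) for p in _principals(stmt)):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def key_has_full_permissions(policy_json: Optional[str], account_id: str) -> bool:
    """The rule's verdict: True only when offending_statements() is non-empty."""
    return bool(offending_statements(policy_json, account_id))


# Constructed sample policies (placeholder account id 111122223333).
DEFAULT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow role full use",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                              "arn:aws:iam::111122223333:role/app"]},
        "Action": ["kms:*"],
        "Resource": "*",
    }],
})

WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Anyone", "Effect": "Allow", "Principal": "*",
                   "Action": "kms:*", "Resource": "*"}],
})

if __name__ == "__main__":
    for name, doc in [("default", DEFAULT_POLICY), ("role", ROLE_POLICY),
                      ("wildcard", WILDCARD_POLICY), ("no policy", None)]:
        print(f"{name:10s} flagged={key_has_full_permissions(doc, '111122223333')}")
```

The account id has to come from the scan context (the account the key is deployed into); note that a `:root` principal of a different account is still reported, since that does grant the other account's IAM principals delegable access.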