KMS master key is publicly accessible Affecting KMS service in AWS

Severity Framework Snyk CCSS

Rule category Keys and Secrets / Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CSA-CCM ISO-27001 SOC-2

Snyk ID SNYK-CC-00309
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Publicly accessible KMS keys may allow anyone to perform decryption operations, which may reveal data.

How to fix?

Configure the aws_kms_key policy with appropriately scoped statements.

Example Configuration

resource "aws_kms_key" "example" {
  policy = <<EOF
  {
    Version": "2012-10-17",
    "Id": "key-default-1",

    Statement": [
        {
            "Sid" : "Enable IAM User Permissions",
            "Effect" : "Allow",
            "Principal" : {
                "AWS" : "arn:aws:iam::111122223333:root"
            },
            "Action" : "kms:",
            "Resource" : "*"
        },
        {
            "Sid" : "Allow Use of Key",
            "Effect" : "Allow",
            "Principal" : {
                "AWS" : "arn:aws:iam::111122223333:user/test-user"
            },
            "Action" : [
                "kms:DescribeKey",
                "kms:ListKeys"
            ],
            "Resource" : "*"
        }
    ]
  }
  EOF
  # other required fields here
}

cli

Editing KMS Policy

KMS master key is publicly accessible Affecting KMS service in AWS

Description

How to fix?

Example Configuration

cli

console

Terraform