Severity Framework
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Snyk CCSS
Rule category
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Keys and Secrets/ Access
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
CSA-CCMISO-27001SOC-2
- Snyk IDSNYK-CC-00309
- creditSnyk Research Team
Description
Publicly accessible KMS keys may allow anyone to perform decryption operations, which may reveal data.
How to fix?
Configure the aws_kms_key policy with appropriately scoped statements.
Example configuration:
resource "aws_kms_key" "example" {
policy = <<EOF
{
Version": "2012-10-17",
"Id": "key-default-1",
Statement": [
{
"Sid" : "Enable IAM User Permissions",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::111122223333:root"
},
"Action" : "kms:",
"Resource" : "*"
},
{
"Sid" : "Allow Use of Key",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::111122223333:user/test-user"
},
"Action" : [
"kms:DescribeKey",
"kms:ListKeys"
],
"Resource" : "*"
}
]
}
EOF
# other required fields here
}
Set Principal element in the KeyPolicy attribute to specific entities, for example arn:aws:iam::123456789012:user/JohnDoe.
Example configuration:
Type: AWS::KMS::Key
Properties:
KeyPolicy: {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/JohnDoe"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
# other required properties