Data protection

IAM customer managed policies allow decryption on all KMS keys

Platform(s)

Compliance Frameworks
  • AWS Foundational Security Best Practices Controls
  • Brazilian General Data Protection (LGPD)
  • CCPA
  • CPRA
  • Data Security Posture Management (DSPM) Best Practices
  • essential_8_au
  • GDPR
  • HITRUST
  • iso_27001_2022
  • iso_27002_2022
  • Mitre ATT&CK
  • mpa
  • New Zealand Information Security Manual
  • NIST 800-171
  • NIST 800-53
  • PDPA
  • pipeda
  • UK Cyber Essentials

Description

An IAM Managed Policy is an object in AWS that, when attached to an identity or resource, defines its permissions: in other words, which actions the identity can perform on which resources. AWS Key Management Service (KMS) is a managed service for creating, storing and managing the cryptographic keys used to protect your data. It was found that the policy '{AwsIamManagedPolicy}' allows decryption actions on all KMS keys. Granting decryption permissions over all KMS keys gives the associated principal high privileges, allowing it to use KMS decryption actions against every existing and future key in scope rather than only the keys it needs.