Data at risk

AWS KMS master key cross-account access

Risk Level

Hazardous (3)



It was found that an external account has permissions on the following KeyId: {AwsKmsKey}. Permissions have been granted to the following accounts: {AwsKmsKey.CrossAccountFindings}. Ensure Amazon KMS master keys do not allow unknown cross-account access.
  • Recommended Mitigation

    It is recommended to restrict access to a CMK to the account that owns the key and to specific principals inside that account. A key policy that allows a different account (for example its root principal) lets any identity that account chooses to authorize via its own IAM policies call the permitted operations, such as Encrypt, Decrypt or CreateGrant, on the key. The key owner no longer controls which principals use the key, and the key is exposed to enumeration and attack attempts from those accounts. Review the key policy for Allow statements whose Principal references another account ID, and remove or tightly scope them.
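As an added example (not part of the original finding text), the following Python scans a KMS key policy document for Allow statements whose principals belong to an account other than the key's owner. The owner account ID and the key policy are constructed sample values; in practice the document comes from `aws kms get-key-policy --key-id <id> --policy-name default`. Principals are recognized in the forms KMS actually emits: the anonymous `"*"`, a bare 12-digit account ID, and IAM or STS ARNs. Service principals are skipped because they are not accounts, and Deny statements are skipped because they do not grant access.

```python
"""Flag cross-account principals in an AWS KMS key policy.

Added example. The owner account and SAMPLE_KEY_POLICY below are constructed
values; a real check feeds in the output of `aws kms get-key-policy`.
"""
import json
import re

OWNER_ACCOUNT = "111111111111"  # constructed: the account that owns the CMK

# Constructed sample key policy: one owner-account admin statement, two
# cross-account grants, one Deny statement and one service principal.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root",
                               "arn:aws:iam::111111111111:role/app"]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": "333333333333"},
         "Action": "kms:CreateGrant", "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        {"Sid": "DenyOther", "Effect": "Deny",
         "Principal": {"AWS": "444444444444"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowCloudTrail", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*"},
    ],
})

# Matches IAM/STS ARNs (including partitions such as aws-cn or aws-us-gov)
# and captures the 12-digit account ID.
_ARN_ACCOUNT = re.compile(r"^arn:aws[a-zA-Z-]*:(iam|sts)::(\d{12}):")


def principal_accounts(principal):
    """Return the account IDs referenced by a policy Principal element.

    Returns {"*"} for the anonymous principal. Service, Federated and
    CanonicalUser entries are ignored because they are not AWS accounts.
    """
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(values, str):
        values = [values]
    accounts = set()
    for value in values:
        if value == "*":
            accounts.add("*")
        elif re.fullmatch(r"\d{12}", value):
            accounts.add(value)
        else:
            match = _ARN_ACCOUNT.match(value)
            if match:
                accounts.add(match.group(2))
    return accounts


def cross_account_findings(policy_json, owner_account):
    """Return sorted (Sid, account) pairs for Allow statements that grant
    access to a principal outside owner_account ("*" counts as external)."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        for account in principal_accounts(stmt["Principal"]):
            if account != owner_account:
                findings.add((stmt.get("Sid", "<no Sid>"), account))
    return sorted(findings)


if __name__ == "__main__":
    for sid, account in cross_account_findings(SAMPLE_KEY_POLICY, OWNER_ACCOUNT):
        print(f"cross-account access: statement {sid!r} grants account {account}")
```

The check is deliberately conservative: it reports the statement even when a Condition (for example `kms:GrantIsForAWSResource`, `kms:CallerAccount` or `aws:PrincipalOrgID`) narrows it, because deciding whether such a condition makes the grant acceptable is a review decision, not something the policy text alone settles. A reported `"*"` means the statement allows any principal and should be treated as the most severe case.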