Data at risk

AWS KMS master key cross-account access

Risk Level

Hazardous (3)

Compliance Frameworks


It was found that an external account has permissions on the following KeyId: {AwsKmsKey}. Permissions have been granted to the following accounts: {AwsKmsKey.CrossAccountFindings}. Ensure Amazon KMS master keys do not allow unknown cross-account access.
  • Recommended Mitigation

    It is recommended to restrict access to a CMK to a specific account and to users inside the same account as the key. By allowing access from a different account, the master key is exposed to enumeration and attack attempts from that account.

    ## Remediation

    ---

    1. Sign in to the AWS Management Console and open the **KMS console**.
    2. In the navigation pane, choose **Customer managed keys**.
    3. Select the desired key from the table by clicking on its name (**Alias** column).
    4. In the **Key policy** tab:
       a. Verify that the external account is displayed under **Other AWS accounts**.
       b. Choose **Switch to policy view**.
    5. Choose **Edit**.
    6. Find the policy statements containing the external account's ARN under their **Principal.AWS** attribute and delete the external account's ARN.
    7. Choose **Save changes**.
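The console steps above can also be checked and applied programmatically. The following is an added example (not part of this rule's text or of any AWS tooling) that parses a KMS key policy document, reports every `Allow` statement whose `Principal.AWS` entries belong to an account other than the key's own account (a bare `"*"` principal counts as external), and produces the remediated policy exactly as step 6 describes: the external ARN is removed from `Principal.AWS`, and a statement left with no principals is dropped. The sample policy and the account IDs `111111111111`, `222222222222` and `333333333333` are constructed for illustration; the function names are this example's own.

```python
"""Find and strip cross-account principals in an AWS KMS key policy."""
import json
import re

ACCOUNT_RE = re.compile(r"^\d{12}$")


def principal_account(principal):
    """Return the 12-digit account id a principal string belongs to,
    "*" for the anonymous wildcard, or None if it cannot be determined.
    Accepts bare account ids ("222222222222") and ARNs (account is field 4)."""
    if principal == "*":
        return "*"
    if ACCOUNT_RE.match(principal):
        return principal
    parts = principal.split(":")  # arn:partition:service:region:account-id:resource
    if len(parts) >= 6 and parts[0] == "arn" and ACCOUNT_RE.match(parts[4]):
        return parts[4]
    return None


def aws_principals(statement):
    """Normalise Statement.Principal into a list of AWS principal strings.
    Service/Federated principals are not account grants and are ignored."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return []
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def find_cross_account_principals(policy, own_account):
    """Return {Sid: [external principals]} for Allow statements granting
    access outside own_account. An empty dict means no cross-account access."""
    findings = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        external = [p for p in aws_principals(stmt)
                    if principal_account(p) != own_account]
        if external:
            findings[stmt.get("Sid", "<no-sid>")] = external
    return findings


def strip_cross_account_principals(policy, own_account):
    """Return a deep copy of the policy with external principals removed
    (remediation step 6). Statements with no AWS principals (e.g. service
    principals) and Deny statements are left untouched."""
    new_policy = json.loads(json.dumps(policy))
    kept = []
    for stmt in new_policy.get("Statement", []):
        principals = aws_principals(stmt)
        if stmt.get("Effect") != "Allow" or not principals:
            kept.append(stmt)
            continue
        internal = [p for p in principals if principal_account(p) == own_account]
        if not internal:
            continue  # nothing in-account remains; drop the whole statement
        principal = stmt["Principal"] if isinstance(stmt["Principal"], dict) else {}
        principal["AWS"] = internal if len(internal) > 1 else internal[0]
        stmt["Principal"] = principal
        kept.append(stmt)
    new_policy["Statement"] = kept
    return new_policy


# Constructed sample key policy: own account 111111111111, two external grants.
OWN_ACCOUNT = "111111111111"
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:role/app",
                               "arn:aws:iam::222222222222:root",
                               "333333333333"]},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
        {"Sid": "AnyoneCanEncrypt", "Effect": "Allow",
         "Principal": "*", "Action": "kms:Encrypt", "Resource": "*"},
        {"Sid": "AllowLogsService", "Effect": "Allow",
         "Principal": {"Service": "logs.amazonaws.com"},
         "Action": "kms:GenerateDataKey", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(find_cross_account_principals(SAMPLE_KEY_POLICY, OWN_ACCOUNT), indent=2))
    print(json.dumps(strip_cross_account_principals(SAMPLE_KEY_POLICY, OWN_ACCOUNT), indent=2))
```

In a live account the policy document would be fetched with the KMS `GetKeyPolicy` API (policy name `default`), which returns the same JSON, and the result of `strip_cross_account_principals` written back with `PutKeyPolicy`; the example keeps the policy inline so it runs offline. Review the findings before applying the stripped policy: a principal from another account that is legitimately needed should be kept and documented rather than deleted.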