It is recommended to restrict access to a CMK to specific accounts and users inside the same account as the key. Allowing access from a different account exposes the master key to enumeration and attack attempts from that account.

## Remediation

---

>1. Sign in to the AWS Management Console and open the **[KMS console](https://console.aws.amazon.com/kms/)**.
>2. In the navigation pane, choose **Customer managed keys**.
>3. Select the desired key from the table by clicking on its name (**Alias** column).
>4. In the **Key policy** tab:
>>a. Verify that the external account is displayed under **Other AWS accounts**.
>>b. Choose **Switch to policy view**.
>5. Choose **Edit**.
>6. Find the policy statements containing the external account's ARN under the **Principal.AWS** attribute and delete the external account's ARN.
>7. Choose **Save changes**.
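
As an added example (not part of the original page or of any AWS tooling), the Python sketch below performs the check from step 6 offline on an exported key policy: it lists `Principal.AWS` entries that belong to another account and returns a cleaned copy of the policy. The sample policy, account IDs and function names are constructed for illustration, and dropping a statement that is left with no local principal is an assumption.

```python
import copy
import re

# Constructed sample key policy; the account IDs are placeholders, not from the page.
OWN_ACCOUNT = "111122223333"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIAMPolicies", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowUse", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:role/app",
                               "arn:aws:iam::444455556666:root"]},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
        {"Sid": "AllowGrants", "Effect": "Allow",
         "Principal": {"AWS": "444455556666"},
         "Action": "kms:CreateGrant", "Resource": "*"},
    ],
}

def account_of(principal):
    """Return the 12-digit account ID of an AWS principal, or None (e.g. for '*')."""
    m = re.fullmatch(r"(\d{12})|arn:aws[\w-]*:(?:iam|sts)::(\d{12}):.+", principal)
    return (m.group(1) or m.group(2)) if m else None

def aws_principals(statement):
    """Principal.AWS may be a string or a list; normalise it to a list."""
    principal = statement.get("Principal", {})
    aws = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
    return [aws] if isinstance(aws, str) else list(aws)

def find_external(policy, own_account):
    """List (Sid, principal) pairs whose account is not own_account ('*' included)."""
    return [(s.get("Sid", ""), p) for s in policy["Statement"]
            for p in aws_principals(s) if account_of(p) != own_account]

def remove_external(policy, own_account):
    """Copy without external principals (assumption: a statement left empty is dropped)."""
    cleaned, kept = copy.deepcopy(policy), []
    for s in cleaned["Statement"]:
        local = [p for p in aws_principals(s) if account_of(p) == own_account]
        if len(local) == len(aws_principals(s)):
            kept.append(s)                      # nothing external here, keep as is
        elif local:
            s["Principal"]["AWS"] = local       # keep only same-account principals
            kept.append(s)
    cleaned["Statement"] = kept
    return cleaned
```

Wildcard principals (`"*"`) are reported as external because they cannot be attributed to the key's own account; review any such statement and its `Condition` block by hand before saving the cleaned policy.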