Data protection

IAM customer managed policies allow decryption on all KMS keys


An IAM managed policy is a standalone policy object in AWS that, when attached to an IAM user, group or role, defines that principal's permissions: which actions it may perform on which resources. AWS Key Management Service (KMS) is a managed service for creating, storing and controlling the cryptographic keys used to protect your data. It was found that the policy '{AwsIamManagedPolicy}' allows decryption actions on all KMS keys, i.e. an "Allow" statement that covers 'kms:Decrypt' or 'kms:ReEncryptFrom' (directly or through a wildcard such as 'kms:*') and names "*" or a wildcarded key ARN as its "Resource". Because the default KMS key policy delegates authorization to IAM for principals in the key's own account, such a statement lets the attached principal decrypt with every key in the account whose key policy permits that delegation, including keys created later, without anyone revisiting the policy. Keys in other accounts are reached only if their key policies also grant the principal access.
  • Recommended Mitigation

    Apply least privilege: grant only the permissions needed to complete the task. Allow only 'kms:Decrypt' (and 'kms:ReEncryptFrom' where ciphertext must be re-wrapped under another key), and only on the explicit ARNs of the keys a principal needs to read encrypted data, never "*" or 'key/*'. Where the key is used through a single AWS service, a 'kms:ViaService' or 'kms:EncryptionContext' condition narrows the grant further. To edit the IAM policies, follow the instructions at:
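The check the finding describes, and the hardened policy the mitigation asks for, as an added example that is not part of this page or of any vendor's scanner. It runs offline on two constructed policy documents (account 111122223333 and the key id are the placeholders AWS documentation uses, and the statement Sids are invented). The detector treats IAM action patterns as case-insensitive globs, handles the single-string and list forms of Action/NotAction and Resource/NotResource, and flags any Allow statement that reaches 'kms:Decrypt' or 'kms:ReEncryptFrom' on "*" or on a key ARN whose key-id segment is wildcarded; explicit Deny statements elsewhere in the policy are deliberately not evaluated, since the wildcard Allow is the finding either way.

```python
"""Offline check for IAM policy statements that grant KMS decryption on every key.

Added example, not part of the finding page or any vendor tool. The policy
documents below are constructed; account 111122223333 and the key id are the
placeholders used in AWS documentation.
"""
import fnmatch
import json

# KMS actions that return or re-wrap plaintext. kms:ReEncryptFrom is
# authorized against the *source* key, so it is a decryption right on that key.
DECRYPT_ACTIONS = ("kms:Decrypt", "kms:ReEncryptFrom")


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(action, pattern):
    """IAM action patterns are case-insensitive globs (kms:*, kms:Re*, ...)."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _grants(stmt, action):
    """True if the statement's Action/NotAction covers `action`."""
    patterns = _as_list(stmt.get("Action"))
    if patterns:
        return any(_glob(action, p) for p in patterns)
    excluded = _as_list(stmt.get("NotAction"))
    # Allow + NotAction grants every action that is not listed.
    return bool(excluded) and not any(_glob(action, p) for p in excluded)


def _is_all_keys(resource):
    """"*" or a key ARN whose key-id segment is wildcarded matches every key."""
    if resource == "*":
        return True
    if ":key/" not in resource:
        return False
    return "*" in resource.rsplit(":key/", 1)[1]


def _all_key_resources(stmt):
    """Resources in the statement that cover every KMS key (heuristic)."""
    if "NotResource" in stmt:
        # Allow + NotResource reaches every key except the ones listed.
        return ["NotResource:" + r for r in _as_list(stmt["NotResource"])]
    return [r for r in _as_list(stmt.get("Resource")) if _is_all_keys(r)]


def find_wildcard_decrypt(policy_document):
    """Return (Sid-or-index, action, resource) for each Allow statement that
    lets the principal decrypt with any key. Deny statements are not evaluated."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", str(idx))
        resources = _all_key_resources(stmt)
        if not resources:
            continue
        for action in DECRYPT_ACTIONS:
            if _grants(stmt, action):
                findings.extend((sid, action, r) for r in resources)
    return findings


# Constructed policy matching the finding: kms:Decrypt on "*", plus a kms:*
# wildcard over every key in one region. The S3 statement is unrelated noise.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBuckets", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DecryptAnything", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
        {"Sid": "ServiceWildcard", "Effect": "Allow", "Action": "kms:*",
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/*"},
    ],
}

# Hardened replacement: named actions, one explicit key ARN, and a condition
# that only honours requests arriving through S3 in that region.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DecryptAppData", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
         "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(find_wildcard_decrypt(doc)))
```

Running it reports three findings for WEAK_POLICY (one from 'DecryptAnything' and two from 'ServiceWildcard', which reaches both decryption actions through 'kms:*') and none for HARDENED_POLICY. The same function can be pointed at the output of `aws iam get-policy-version` to review customer managed policies in bulk.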