Data protection

IAM inline policies allow decryption on all KMS keys

Risk Level

Informational (4)



An inline policy is a policy in AWS that is embedded directly in a single IAM identity (a user, group, or role); that is, the policy is an inherent part of the identity. When attached to an IAM identity, the inline policy defines that identity's permissions, in other words, which actions the identity can perform on which resources.

AWS Key Management Service (KMS) is a managed service that lets you create, store and manage the cryptographic keys used to protect your data.

It was found that the role allows decryption actions on all KMS keys. Granting decryption permissions over all KMS keys gives the associated principal high privileges: it can use KMS decryption actions on all existing and future resources, rather than only on the keys its workload actually needs.