Data at risk

KMS CMK is exposed

Risk Level

Hazardous (3)



It was found that {AwsKmsKey} is exposed. A master key is considered exposed when one of the statements in the key policy contain 'AWS: *'. Ensure Amazon KMS master keys are not exposed to everyone.
  • Recommended Mitigation

    It is recommended to restrict KMS master keys access according to the least privileges principal. By being public, the master key is exposed to enumeration and stealing attempts.