Customer-managed IAM policies are examined for Allow statements that grant full access to AWS KMS using kms:* (or the service-agnostic wildcard *). The focus is on policies that grant every KMS action across the service rather than narrowly scoped, key-specific permissions.
Risk
Granting kms:* lets a principal decrypt any data protected by the keys it can reach, rewrite key policies and grants, and disable or schedule deletion of keys. Impact: Confidentiality (unauthorized decryption); Integrity (manipulation of cryptographic controls such as key policies, grants and rotation); Availability (data becomes unreadable if keys are disabled or deleted). Because kms:PutKeyPolicy and kms:CreateGrant can hand key access to other principals, it is also a privilege-escalation path.
prowler aws --checks iam_policy_no_full_access_to_kms
Recommendation
Adopt least privilege and separation of duties:
- Replace kms:* with only the actions actually needed (for example kms:Encrypt, kms:Decrypt, kms:GenerateDataKey), scoped to specific key ARNs
- Apply policy conditions (e.g., kms:ViaService so the key can only be used through a named service endpoint) and guardrails (permissions boundaries, SCPs)
- Monitor KMS usage (KMS API calls are recorded in CloudTrail) and refine access based on observed activity
Remediation
aws iam create-policy-version --policy-arn <POLICY_ARN> --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["kms:Encrypt"],"Resource":"arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/<KEY_ID>"}]}' --set-as-default
Note: IAM keeps at most five versions of a managed policy. If the call fails with LimitExceeded, remove an old non-default version first with aws iam delete-policy-version --policy-arn <POLICY_ARN> --version-id <VERSION_ID>. Principals attached to the policy pick up the new default version immediately, so verify that the remaining actions cover every legitimate workload before switching.
- In the AWS Console, open IAM > Policies
- Find the custom policy that allows kms:* and choose Edit policy > JSON
- Replace any "Action": "kms:*" (or ["kms:*"], or a bare "*") with only the required actions (e.g., ["kms:Encrypt"]) and, if possible, set "Resource" to a specific key ARN instead of "*"
- Save changes (a new default policy version is created)
- Re-run the check to confirm it passes
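The detection logic and the scoped-down rewrite described in the Recommendation and Remediation sections above, as an added worked example in Python. This is illustrative code written for this page, not Prowler's own check implementation; the sample policy document, the key ARN and the s3.us-east-1.amazonaws.com service endpoint are constructed placeholders.

```python
"""Flag IAM policy documents that grant full KMS access (kms:* or *) and
produce a least-privilege replacement statement.

Added example for this page; it is not Prowler's own check code. The sample
policy, key ARN and service endpoint below are constructed placeholders.
"""
import json

# Constructed placeholder; substitute the real key ARN when remediating.
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"

# Constructed sample: statement 1 is the finding. Statement 2 is a Deny and
# never grants anything, so only index 1 should be reported.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": ["KMS:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "kms:*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def full_kms_access_statements(policy):
    """Return the indexes of Allow statements that grant every KMS action.

    Action names are compared case-insensitively because IAM treats them so.
    An Allow with NotAction grants everything not listed, so it counts as full
    KMS access unless the exclusion itself covers kms:* (or everything).
    """
    offenders = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if any(a in ("*", "kms:*") for a in actions):
            offenders.append(idx)
        elif "NotAction" in stmt:
            excluded = [a.lower() for a in _as_list(stmt["NotAction"])]
            if not any(a in ("*", "kms:*") for a in excluded):
                offenders.append(idx)
    return offenders


def scoped_kms_statement(key_arn, actions, via_service=None):
    """Build the replacement: explicit actions, a single key ARN, and an
    optional kms:ViaService condition so the key is usable only through
    that service endpoint."""
    stmt = {"Effect": "Allow", "Action": sorted(actions), "Resource": key_arn}
    if via_service:
        stmt["Condition"] = {"StringEquals": {"kms:ViaService": via_service}}
    return stmt


def remediate(policy, key_arn, actions, via_service=None):
    """Return a new policy document with every full-access KMS statement
    removed and one scoped statement appended in its place."""
    bad = set(full_kms_access_statements(policy))
    statements = [s for i, s in enumerate(_as_list(policy.get("Statement")))
                  if i not in bad]
    if bad:
        statements.append(scoped_kms_statement(key_arn, actions, via_service))
    return {"Version": policy.get("Version", "2012-10-17"),
            "Statement": statements}


if __name__ == "__main__":
    print("offending statement indexes:",
          full_kms_access_statements(SAMPLE_POLICY))
    fixed = remediate(SAMPLE_POLICY, KEY_ARN,
                      ["kms:Encrypt", "kms:GenerateDataKey"],
                      via_service="s3.us-east-1.amazonaws.com")
    # This JSON is what would be passed to --policy-document in the CLI step.
    print(json.dumps(fixed, indent=2))
```

The Deny statement is deliberately left untouched by `remediate`: an explicit Deny is never a grant, so it is not a finding, and removing it would widen access rather than narrow it. Fetch the live document with `aws iam get-policy-version` on the default version before feeding it to `full_kms_access_statements`, since the check inspects the version that is actually in effect.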
Source Code
Resource Type
AwsIamPolicy