Ensure IAM policies that allow full "kms:*" privileges are not created
Risk
KMS is a critical service, and IAM policies for it in particular should follow the least privilege model.
Run this check with Prowler CLI
prowler aws --checks iam_policy_no_full_access_to_kms
ARN template
arn:partition:service:region:account-id:resource-id
Remediation
It is more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. List policies and analyze whether their permissions are the least possible to conduct business activities.
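As an added example (not Prowler's own source for this check), the following Python function reviews an IAM policy document and reports the Allow statements that grant every KMS action, which is what a review of existing policies against this check looks for. The policy documents, account id and key id it uses are constructed.

```python
import json

# Constructed sample policy documents (not taken from any real account).
FULL_KMS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllKeys", "Effect": "Allow", "Action": "KMS:*", "Resource": "*"},
        {"Sid": "S3Read", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
    ],
})
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DecryptOneKey", "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    }],
})
NOT_ACTION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "EverythingButIam", "Effect": "Allow",
                   "NotAction": ["iam:*"], "Resource": "*"}],
})

def _as_list(value):
    """IAM accepts either a single string or a list for Statement/Action/NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def full_kms_statements(policy_document):
    """Return Sids (or positional labels) of Allow statements granting every KMS action.

    Action names are compared case-insensitively, as IAM evaluates them. 'kms:*'
    scoped to one key is still reported: the finding is about the unrestricted
    action set, not the resource scope. An Allow with a NotAction list that excludes
    no kms action also grants all of KMS, so it is reported as well.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"Statement[{idx}]")
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & {"*", "kms:*"}:
            findings.append(label)
        elif "NotAction" in stmt:
            excluded = [a.lower() for a in _as_list(stmt["NotAction"])]
            if not any(a == "*" or a.startswith("kms:") for a in excluded):
                findings.append(label)
    return findings
```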
Source Code
Resource Type
AwsIamPolicy