Cloud KMS key does not grant access to allUsers or allAuthenticatedUsers
kms_key_not_publicly_accessible
KMS keys are assessed for excessive access in key policies or grants, including * principals and broadly scoped permissions to multiple identities.
Risk
Broad access to a KMS key enables unauthorized kms:Decrypt and data-key generation, breaking confidentiality. With admin rights, attackers can change policies or schedule deletion, undermining control integrity and threatening availability of data dependent on the key.
prowler aws --checks kms_key_not_publicly_accessible
Recommendation
Apply least privilege to KMS keys:
- Restrict principals to specific roles and accounts
- Prefer narrow, time-bound grants
- Separate key administration from usage
- Use conditions to limit context
- Review regularly and remove wildcard or cross-account exposure
Remediation
aws kms put-key-policy --key-id <example_resource_id> --policy-name default --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::<account_id>:root"},"Action":"kms:*","Resource":"*"}]}'
- Open AWS Console > Key Management Service (KMS)
- Select the affected key and go to the Key policy tab
- Click Edit and remove any statement with Principal set to "*" (or AWS: "*")
- Ensure a statement exists that allows only arn:aws:iam::<account_id>:root
- Save changes
Source Code
Resource Type
AwsKmsKey
References
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudKMS/publicly-accessible-kms-cryptokeys.html
- https://support.icompaas.com/support/solutions/articles/62000232904-1-9-ensure-cloud-kms-cryptokeys-are-not-accessible-to-anonymous-or-public-users-automated-
- https://docs.aws.amazon.com/kms/latest/developerguide/determining-access.html