Medium
KMS
IAM customer managed policies should not allow decryption actions on all KMS keys
NIST, ISO 27001, HIPAA
Description
Checks whether IAM customer managed policies allow decryption actions on all KMS keys, which could lead to unauthorized decryption of sensitive data.
Remediation
To ensure IAM policies do not allow decryption actions on all KMS keys, modify the policies to restrict 'kms:Decrypt' to specific resources or remove it from the policy.
Steps
- Log in to the AWS Management Console.
- Navigate to the IAM service.
- In the navigation pane, click on 'Policies'.
- Search for and select the customer managed policy to modify.
- Click on the policy to open its details page.
- On the policy details page, click on 'Edit policy'.
- Modify the policy statements to restrict 'kms:Decrypt' to specific resources, or remove the action if it's not needed.
- Review the policy changes, then click 'Review policy' and 'Save changes'.
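The console steps above edit one policy at a time. As an added example (not the scanner's own logic and not code from the original page), the Python below applies the same check to IAM policy documents offline: it flags every Allow statement that grants kms:Decrypt on all KMS keys (Resource "*" or a fully wildcarded key ARN, including grants via "kms:*" or a NotAction) and then performs the remediation from the last step, pinning KMS-only statements to explicit key ARNs. The policy documents, account id and key id are constructed samples; the treatment of NotResource and Condition (reported for review rather than evaluated) is this example's assumption.

```python
"""Added example: find IAM policy statements that allow kms:Decrypt on every KMS key,
and pin KMS-only statements to specific key ARNs as the remediation step describes."""
import copy
import fnmatch
import json

DECRYPT_ACTION = "kms:Decrypt"


def _as_list(value):
    """Statement/Action/Resource may be a single item or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_is_all_keys(resource):
    """True for '*' or a KMS key ARN whose region, account and key id are all wildcards."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms":
        return False
    region, account, res = parts[3], parts[4], parts[5]
    return region == "*" and account == "*" and res in ("*", "key/*")


def _statement_allows_all_keys_decrypt(stmt):
    """An Allow statement fails the check when kms:Decrypt is permitted (directly, via a
    wildcard, or because a NotAction does not exclude it) on an all-keys resource.
    Assumption: Condition blocks are not evaluated, so a conditioned grant is still
    reported for a human to confirm the condition really scopes it."""
    if stmt.get("Effect") != "Allow":
        return False
    if "NotAction" in stmt:
        action_ok = not any(_action_matches(p, DECRYPT_ACTION) for p in _as_list(stmt["NotAction"]))
    else:
        action_ok = any(_action_matches(p, DECRYPT_ACTION) for p in _as_list(stmt.get("Action")))
    if not action_ok:
        return False
    if "NotResource" in stmt:
        return True  # "every resource except ..." still covers all other keys
    return any(_resource_is_all_keys(r) for r in _as_list(stmt.get("Resource")))


def find_all_keys_decrypt(policy_doc):
    """Return the Sid (or 'Statement[i]' when no Sid) of each failing statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if _statement_allows_all_keys_decrypt(stmt):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def restrict_decrypt_to_keys(policy_doc, key_arns):
    """Remediation: replace the Resource of failing KMS-only statements with explicit key ARNs.
    Statements that also cover other services are left untouched (split them by hand first)."""
    fixed = copy.deepcopy(policy_doc)
    statements = _as_list(fixed.get("Statement"))
    fixed["Statement"] = statements
    for stmt in statements:
        kms_only = "Action" in stmt and all(a.lower().startswith("kms:") for a in _as_list(stmt["Action"]))
        if kms_only and _statement_allows_all_keys_decrypt(stmt):
            stmt.pop("NotResource", None)
            stmt["Resource"] = list(key_arns)
    return fixed


# Constructed sample documents; the account id and key id are placeholders.
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DecryptAnything", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
        {"Effect": "Allow", "Action": "kms:*", "Resource": "arn:aws:kms:*:*:key/*"},
    ],
}
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DecryptOneKey", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": SAMPLE_KEY_ARN},
    ],
}

if __name__ == "__main__":
    for name, doc in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(f"{name}: {find_all_keys_decrypt(doc) or 'OK'}")
    print(json.dumps(restrict_decrypt_to_keys(PERMISSIVE_POLICY, [SAMPLE_KEY_ARN]), indent=2))
```

The check normalises the shapes IAM accepts (a bare string or a list for Statement, Action and Resource) so that a policy written as `"Action": "kms:*"` is caught as readily as one listing `kms:Decrypt` explicitly. The remediation helper only rewrites statements whose actions are all `kms:` actions; narrowing a mixed statement's Resource to key ARNs would silently break its other grants, which is exactly the kind of change the review step in the console is meant to catch.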
Compliance
NIST, ISO 27001, HIPAA