Severity: High
Service: KMS
IAM customer managed policies should not allow decryption actions on all KMS keys
Description
This check ensures that IAM customer managed policies do not allow decryption actions on all KMS keys (for example, an Allow statement granting `kms:Decrypt` with `Resource: "*"`). Such a grant lets any principal the policy is attached to decrypt data protected by every key in the account, which can lead to unauthorized access to encrypted data.
Remediation
To remediate policies that allow decryption actions on all KMS keys, update the policy so that the `kms:Decrypt` action is restricted to the specific key ARNs the principal actually needs, or remove the action entirely.
Steps
- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, click Policies and then select the customer managed policy to modify.
- Click the policy version and then click Edit policy.
- Modify the policy to remove the kms:Decrypt action or restrict it to specific resources.
- Review the changes, then click Review policy and Save changes.
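The following is an added example (not part of the original check page) that shows the condition this check looks for and a small checker you can run against a policy document before saving it. It assumes a policy statement is "broad" when it allows `kms:Decrypt` (directly, or through `kms:*` or `*`) on `Resource: "*"` or on a `:key/*` ARN wildcard with no `Condition`; the key ID in the hardened policy is a placeholder.

```python
# Added example: flag IAM policy statements that allow kms:Decrypt on all KMS keys.

def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _covers_decrypt(action):
    """True for kms:Decrypt itself or any wildcard that expands to it (kms:*, kms:Dec*, *)."""
    action = action.lower()
    if action == "kms:decrypt":
        return True
    return action.endswith("*") and "kms:decrypt".startswith(action[:-1])

def find_broad_decrypt_statements(policy):
    """Return the Allow statements that grant kms:Decrypt on every key with no Condition.

    Assumption: Resource '*' or an ARN ending in ':key/*' counts as 'all keys'.
    NotAction / NotResource statements are not evaluated here.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        decrypt = any(_covers_decrypt(a) for a in _as_list(stmt.get("Action")))
        all_keys = any(r == "*" or r.endswith(":key/*")
                       for r in _as_list(stmt.get("Resource")))
        if decrypt and all_keys and not stmt.get("Condition"):
            findings.append(stmt)
    return findings

# Constructed sample: the pattern this check reports (kms:Decrypt on every key).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["kms:Decrypt", "kms:DescribeKey"],
                   "Resource": "*"}],
}

# Constructed sample: same intent, scoped to one key ARN (placeholder key ID).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": "kms:Decrypt",
                   "Resource": "arn:aws:kms:us-east-1:111122223333:key/REPLACE-WITH-KEY-ID"}],
}

if __name__ == "__main__":
    print("weak:", len(find_broad_decrypt_statements(WEAK_POLICY)))        # 1
    print("hardened:", len(find_broad_decrypt_statements(HARDENED_POLICY)))  # 0
```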
Compliance
CIS, PCI DSS, NIST, ISO 27001, HIPAA