Critical KMS Regional

KMS keys should not be publicly accessible

FSBP

Description

This control checks whether an AWS Key Management Service (KMS) key is publicly accessible, that is, whether its key policy contains an Allow statement whose Principal is the wildcard ("*" or {"AWS": "*"}) with no Condition limiting the grant to specific accounts or an organization. The control fails if the key policy allows such access. Implementing least privilege access is crucial for reducing security risks and mitigating the impact of errors or malicious intent. A key policy that grants access to anonymous or arbitrary external principals lets unauthorized third parties call operations such as kms:Encrypt, kms:Decrypt and kms:GenerateDataKey with that key, and anyone who can decrypt with the key can read any data that AWS services or applications protected with it. This creates a path for internal or external threat actors to exfiltrate data from the AWS services that rely on the key.


Remediation

To remediate a publicly accessible KMS key, update its key policy so that no Allow statement grants access to the wildcard principal, then grant only the specific principals that need the key the minimum set of operations they use. Take care not to remove the statement that grants the account root principal (arn:aws:iam::<account-id>:root) kms:* permissions: that is the default key-administration statement, not public access, and deleting it without granting another administrator can leave the key unmanageable.

Steps

  1. Navigate to the AWS KMS console
  2. Select the KMS key that is publicly accessible
  3. Go to the 'Key policy' tab
  4. Edit the key policy to remove public access
  5. Remove or scope down any Allow statement whose Principal is the wildcard ("*" or {"AWS": "*"}) and that carries no Condition restricting it to your accounts or organization (for example aws:PrincipalAccount, aws:PrincipalOrgID or kms:CallerAccount); a wildcard in the account portion of a principal ARN is not valid, so look for the bare wildcard. Keep the statement for the account root principal (arn:aws:iam::<account-id>:root), which is the key's administrator statement rather than public access
  6. Replace the removed grant with statements naming the specific IAM roles, users or account IDs that need the key; a principal in another account also needs an IAM policy in that account allowing the same kms: actions
  7. Apply least privilege: grant each principal only the operations it uses (for example kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*) instead of kms:*, and add conditions such as kms:ViaService or kms:EncryptionContext where the usage pattern allows
  8. Save the updated key policy
  9. Verify the key is no longer publicly accessible by re-reading the policy (for example with `aws kms get-key-policy --key-id <key-id> --policy-name default`) and confirming no unconditioned wildcard principal remains, then re-run the control
  10. Test access to ensure legitimate users can still use the key
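The following is an added example, not part of this control page or of any AWS tooling: a small checker that applies the rule described above to a key policy document (an Allow statement with a wildcard principal and no account- or organization-scoping condition is public), shown against a constructed failing policy, its hardened replacement, and the edge case of a wildcard principal pinned by kms:CallerAccount. The account ID, role name, service endpoint and the set of conditions treated as "restricting" are assumptions made for the example; the real control's internal logic may differ.

```python
import copy
import json

# Condition keys that scope a wildcard principal to a known account or organization.
# Assumption for this example: a wildcard statement carrying any of these is treated
# as not public. Operator semantics (e.g. StringNotEquals) are not evaluated.
RESTRICTING_CONDITION_KEYS = {
    "aws:principalaccount", "aws:principalorgid", "aws:principalarn",
    "aws:sourceaccount", "aws:sourcearn", "kms:calleraccount",
}


def _principals(stmt):
    """Flatten a statement's Principal element into a list of principal strings."""
    principal = stmt.get("Principal")
    if principal is None:
        return []
    if isinstance(principal, str):          # "Principal": "*"
        return [principal]
    flat = []
    for value in principal.values():        # {"AWS": [...]} or {"Service": "..."}
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def _condition_keys(stmt):
    """Lower-cased condition keys used anywhere in the statement's Condition block."""
    keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def _statements(policy):
    """Normalise a policy (dict or JSON string) to a list of statement dicts."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def public_statements(policy):
    """Sids (or positional labels) of Allow statements granting the wildcard
    principal access with no account- or org-scoping condition."""
    offenders = []
    for i, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow" or "*" not in _principals(stmt):
            continue
        if _condition_keys(stmt) & RESTRICTING_CONDITION_KEYS:
            continue
        offenders.append(stmt.get("Sid", f"statement[{i}]"))
    return offenders


def is_public(policy):
    """True when the key policy would fail this control."""
    return bool(public_statements(policy))


def remove_public_statements(policy):
    """Return a copy of the policy with every public statement dropped. The account
    root (administrator) statement survives because its Principal is an ARN."""
    fixed = copy.deepcopy(json.loads(policy) if isinstance(policy, str) else policy)
    bad = set(public_statements(fixed))
    fixed["Statement"] = [s for i, s in enumerate(_statements(fixed))
                          if s.get("Sid", f"statement[{i}]") not in bad]
    return fixed


# ---- constructed sample policies (account ID and names are made up) ----
ACCOUNT = "111122223333"

# Default administrator statement that every key policy should keep.
ROOT_ADMIN_STATEMENT = {
    "Sid": "EnableRootPermissions", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
    "Action": "kms:*", "Resource": "*",
}


def _usage_statement(sid, principal, condition=None):
    """Key-usage statement limited to the operations a data-plane caller needs."""
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": principal,
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*"}
    if condition:
        stmt["Condition"] = condition
    return stmt


def _policy(*usage):
    return {"Version": "2012-10-17", "Statement": [ROOT_ADMIN_STATEMENT, *usage]}


# Failing: anyone may encrypt/decrypt with the key.
PUBLIC_KEY_POLICY = _policy(_usage_statement("AllowAnyoneToUseKey", "*"))
# Passing: the same grant scoped to one role.
HARDENED_KEY_POLICY = _policy(_usage_statement(
    "AllowAppRoleToUseKey", {"AWS": f"arn:aws:iam::{ACCOUNT}:role/app-role"}))
# Edge case: wildcard principal pinned to this account and one service, not public.
SCOPED_WILDCARD_KEY_POLICY = _policy(_usage_statement(
    "AllowS3InThisAccount", "*",
    {"StringEquals": {"kms:CallerAccount": ACCOUNT,
                      "kms:ViaService": "s3.us-east-1.amazonaws.com"}}))

if __name__ == "__main__":
    for name, pol in [("public", PUBLIC_KEY_POLICY), ("hardened", HARDENED_KEY_POLICY),
                      ("scoped wildcard", SCOPED_WILDCARD_KEY_POLICY)]:
        print(f"{name}: public={is_public(pol)} offenders={public_statements(pol)}")
    print(json.dumps(remove_public_statements(PUBLIC_KEY_POLICY), indent=2))
```

To use this against a real key, export the current policy with `aws kms get-key-policy --key-id <key-id> --policy-name default --output text > policy.json`, run the checker on the file, edit the policy, and apply it with `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json`. Because put-key-policy replaces the whole document, always keep the administrator statement in what you upload.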

Compliance

FSBP (AWS Foundational Security Best Practices)