You're having a problem with AWS IAM policies for KMS keys. The rule KMS.1 says you shouldn't allow decryption on all keys, and you tried to limit it to keys in a specific region. However, you're still getting issues from Security Hub.
To fix this, you need to be more specific in your policy. You can use tags on your keys or specify key name prefixes. Be careful not to make your policy too permissive. It's essential to balance security and convenience.
A few things to take into consideration:
Use Resource Tags: Consider tagging your KMS keys with specific attributes (e.g. "Environment", "Application", or "Project"). Then, you can use resource-based policies that refer to these tags to grant kms:Decrypt permissions. This way, you can grant permissions to groups of keys based on their tags.
Prefix Matching: If your keys are named with prefixes like "prod-key-" or "dev-key-", you can specify those prefixes in your policy to allow decryption only for keys with matching prefixes.
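As an added example (my code, not part of the thread or of any AWS tooling), here is a small offline pre-check that reproduces the pattern Security Hub's KMS.1 control flags, so a policy can be screened before it is deployed. The matching rule is an approximation derived from this thread: a statement is flagged when it allows kms:Decrypt or kms:ReEncryptFrom on every key (Resource "*" or a key ARN whose key-id portion is a wildcard), and any Condition block is ignored. The three sample policies, the account ID and the key ID are constructed placeholders. The aws:ResourceTag condition key is real and does restrict what the grant can actually decrypt, but because the control only reads the Resource element, the passing policy lists explicit key ARNs and keeps the tag condition as defence in depth.

```python
"""Local pre-check for the pattern Security Hub control KMS.1 flags.

Added example, not from the original thread or from AWS. It approximates
the control's behaviour as described in the thread: a statement is flagged
when it allows kms:Decrypt or kms:ReEncryptFrom on every key (Resource "*"
or a key ARN whose key-id portion is a wildcard) and Condition blocks are
not taken into account. NotAction/NotResource are not handled.
"""
import fnmatch

DECRYPT_ACTIONS = ("kms:decrypt", "kms:reencryptfrom")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_decrypt(actions):
    """True if any action pattern (case-insensitive, wildcard-capable) covers a decrypt action."""
    for pattern in actions:
        p = pattern.lower()
        if any(fnmatch.fnmatchcase(a, p) for a in DECRYPT_ACTIONS):
            return True
    return False


def _covers_all_keys(resource):
    """True for "*" or a KMS ARN whose resource part is a wildcard, e.g. arn:aws:kms:us-east-1:*:key/*."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)
    if len(parts) < 6 or parts[2] != "kms":
        return False
    return parts[5] in ("*", "key/*")


def kms1_findings(policy):
    """Return the 0-based indices of Allow statements that would trip the KMS.1 pattern.

    The Condition element is deliberately ignored, mirroring the observation in
    the thread that the control looks only at Action and Resource.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _grants_decrypt(_as_list(stmt.get("Action"))):
            continue
        if any(_covers_all_keys(r) for r in _as_list(stmt.get("Resource"))):
            findings.append(i)
    return findings


# Constructed sample policies; account ID and key ID are placeholders.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"}],
}

# Region-scoped wildcard plus a tag condition: still flagged, because the
# Resource still covers every key in the region and Condition is not read.
REGION_WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
        "Resource": "arn:aws:kms:us-east-1:*:key/*",
        "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "prod"}},
    }],
}

# Explicit key ARN(s) in Resource, with the tag condition kept as defence in depth.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
        "Resource": [KEY_ARN],
        "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "prod"}},
    }],
}

if __name__ == "__main__":
    samples = [("open", OPEN_POLICY), ("region-wildcard", REGION_WILDCARD_POLICY), ("scoped", SCOPED_POLICY)]
    for name, pol in samples:
        print(f"{name}: flagged statements {kms1_findings(pol)}")
```

Run it as a script to see which of the three sample policies is flagged; only the one whose Resource names explicit key ARNs passes, regardless of the tag condition attached to the others.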
These are all very good ideas that I have considered. However, KMS.1 only considers the resources list. Conditional statements are not factored in.