Hello jfdurocher and rswift,
Thank you for reaching out to us and providing feedback. I'm happy to provide you with an understanding of why you saw the finding and why it was resolved.
The findings generated by IAM Access Analyzer for KMS keys are comprehensive and provide visibility into access allowed not just by KMS key policies but also by a policy-equivalent configuration feature provided by KMS called KMS grants: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html. You might not see the accounts in question in your KMS key policy because the permissions are allowed by grants, which are not currently visible in the console. Similar to the case with https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html, there are certain AWS-owned accounts associated with specific AWS services that require permissions to take actions on behalf of customers. We have confirmed that the accounts that appeared in your findings are AWS-owned accounts belonging to AWS services, and the access shared by the finding is intended for the functioning of the AWS service.
We have updated the analysis to ensure new findings from AWS-owned accounts are not flagged as Active findings and existing findings are automatically resolved. Hope this helps!
Thank you,
Ujjwal
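As an added example (not AWS's code and not posted by anyone in this thread), the script below parses the JSON that `aws kms list-grants --key-id <key-id>` returns and lists every grant whose grantee principal cannot be attributed to your own account, which is the information the answer above says the console does not show. The sample response, the account IDs and the grant IDs are constructed placeholders; the field names (`Grants`, `GrantId`, `GranteePrincipal`, `IssuingAccount`, `Operations`) are those of the real ListGrants response.

```python
"""List KMS grants whose grantee is outside your own account.

Added example, not AWS's code. Reads a ListGrants JSON document, as produced
by `aws kms list-grants --key-id <key-id>`, and reports grants whose grantee
principal is not an ARN in your own account (service principals and other
accounts both count as external).
"""
import json
import sys

# Constructed sample in the shape of a ListGrants response. The account IDs
# and grant IDs are placeholders and do not refer to any real account or key.
SAMPLE_LIST_GRANTS_OUTPUT = json.dumps({
    "Grants": [
        {
            "KeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            "GrantId": "grant-id-placeholder-1",
            "Name": "own-account-role",
            "GranteePrincipal": "arn:aws:iam::111122223333:role/AppRole",
            "IssuingAccount": "arn:aws:iam::111122223333:root",
            "Operations": ["Encrypt", "Decrypt"],
        },
        {
            "KeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            "GrantId": "grant-id-placeholder-2",
            "Name": "service-created-grant",
            "GranteePrincipal": "arn:aws:iam::999999999999:role/ServiceRole",
            "IssuingAccount": "arn:aws:iam::111122223333:root",
            "Operations": ["Decrypt", "GenerateDataKey"],
        },
    ]
})


def account_id_from_arn(arn):
    """Return the 12-digit account ID embedded in an IAM ARN, or None if the
    principal is not an ARN with an account field (e.g. a service principal)."""
    parts = arn.split(":")
    if len(parts) >= 5 and len(parts[4]) == 12 and parts[4].isdigit():
        return parts[4]
    return None


def external_grantees(list_grants_json, own_account_id):
    """Return (grant_id, grantee_principal, operations) for every grant whose
    grantee cannot be attributed to own_account_id."""
    data = json.loads(list_grants_json)
    findings = []
    for grant in data.get("Grants", []):
        principal = grant.get("GranteePrincipal", "")
        if account_id_from_arn(principal) != own_account_id:
            findings.append((grant.get("GrantId"),
                             principal,
                             grant.get("Operations", [])))
    return findings


if __name__ == "__main__":
    # Usage: aws kms list-grants --key-id <key-id> | python3 kms_grants.py <own-account-id>
    # With no piped input the constructed sample above is used instead.
    own = sys.argv[1] if len(sys.argv) > 1 else "111122223333"
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_GRANTS_OUTPUT
    for grant_id, principal, ops in external_grantees(raw, own):
        print(f"{grant_id}: {principal} may {', '.join(ops)}")
```

The `IssuingAccount` field of each grant and the corresponding `CreateGrant` events in CloudTrail tell you who created a grant; a grantee you do not recognise is worth confirming against the service documentation before retiring or revoking it, because, as the answer above notes, some grants are created by AWS services for their own operation.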
I too have the exact same behavior from Access Analyser, but with a different "Principal": an unknown account that has nothing to do with me. Basically @rswift's situation is a copy and paste of mine, even with the AWS Managed key showing up as a CMK.
Fingers crossed this is a teething issue with the new service? I've trawled CloudTrail for every region and cannot find any reference to the policy creation from the time shown in the KMS console, it's a definite weirdy!?
I wonder if we've stumbled upon https://en.wikipedia.org/wiki/Five_Eyes accounts?
@rswift, not sure what happened there, but it seems the issue is now marked as Resolved although I haven't changed a setting. I did run all the logging possible, but nothing in my settings; it might have been something on Amazon's side, but I wish I could have some explanation.
Hoping it will be resolved for you too.
jfdurocher wrote:
@rswift, not sure what happened there, but it seems the issue is now marked as Resolved although I haven't changed a setting. I did run all the logging possible, but nothing in my settings; it might have been something on Amazon's side, but I wish I could have some explanation. Hoping it will be resolved for you too.
How peculiar! The finding is magically resolved for me too! I couldn't agree more: this seems to have lifted the AWS kimono just a little and we've seen underneath. Their transparency isn't great, given the key still exists but no longer links to a CMK. The question is, was this a KMS issue that the Analyser uncovered, or an Analyser issue? If it is the former, then that feels more of an issue. But it's especially strange that we had different principals...
I'm sure we'll never get an answer...
Thank you @ujjwal-aws for this explanation/update it is much appreciated.
Closing this forum thread as answered. Happy to provide answers to follow-up questions.