RCP must limit KMS key access to the Organization for regulated accounts


Description

A Resource Control Policy (RCP) must be applied to all regulated AWS accounts to limit KMS key access to the AWS Organization. Without an RCP that restricts KMS operations at the organization boundary, a key policy or grant in a member account can allow principals outside the organization to encrypt, decrypt, or generate data keys with that account's KMS keys. An RCP that denies KMS data-plane and grant operations whenever aws:PrincipalOrgID does not match the organization ID establishes a mandatory data perimeter for regulated workloads: it caps what any key policy in those accounts can grant, regardless of how individual keys are configured.

This rule also flags RCPs that use NotAction to exempt KMS actions from a deny statement. A Deny statement written with NotAction applies to every action except the ones listed, so listing KMS actions there leaves them outside that statement's deny. Those KMS actions are then restricted only if a separate explicit deny covers them, and the exemption silently persists if that corresponding explicit deny is ever modified or removed.

Note: This is a mandatory control for regulated accounts. Exempt AWS service principals with an aws:PrincipalIsAWSService condition so that AWS services that call KMS on your behalf are not blocked. Where required, exempt specific trusted external accounts with an aws:PrincipalAccount condition rather than weakening the organization check.

Remediation

Create a Resource Control Policy that explicitly denies KMS operations using Action (not NotAction) for principals outside the organization and attach it to the OUs containing regulated accounts. Remove any NotAction-based deny statements that exempt KMS actions. The RCP should deny kms:* or the specific KMS data-plane and grant actions, with a StringNotEqualsIfExists (or StringNotEquals) condition on aws:PrincipalOrgID, and exempt AWS service principals with aws:PrincipalIsAWSService. Refer to the RCP syntax documentation and the data perimeter policy examples for guidance.
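The following is an added example, not the rule's own implementation or AWS-provided code. It embeds two constructed RCP documents (the organization ID and trusted account number are placeholders): one that denies the KMS data-plane and grant actions via Action with the aws:PrincipalOrgID, aws:PrincipalIsAWSService and aws:PrincipalAccount conditions described above, and one that exempts KMS actions through NotAction. A small checker then evaluates each document the way this rule does, reporting NotAction exemptions and whether any Deny statement actually establishes the KMS perimeter. The list of KMS actions it requires the deny to cover is an assumption drawn from the operations named on this page; adjust it to your own requirements.

```python
"""Check an AWS Resource Control Policy (RCP) document for the KMS data-perimeter
pattern described on this page. Added example; the policy documents, organization
ID and account number below are constructed samples, not real identifiers."""
import fnmatch
import json

# Constructed sample organization ID; replace with your own (o-xxxxxxxxxx).
ORG_ID = "o-exampleorgid"

# Assumption: the KMS actions the deny must cover. The page names encrypt,
# decrypt, data-key generation and grant operations; extend as required.
KMS_DATA_PLANE = (
    "kms:Encrypt", "kms:Decrypt",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:GenerateDataKeyPair", "kms:GenerateDataKeyPairWithoutPlaintext",
    "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:CreateGrant",
)

# Compliant RCP: explicit Deny via Action. Condition keys in one block are ANDed,
# so the deny applies only to a principal that is outside the organization, is not
# a listed trusted account, and is not an AWS service principal.
COMPLIANT_RCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyKmsOutsideOrg",
    "Effect": "Deny",
    "Principal": "*",
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*",
               "kms:ReEncrypt*", "kms:CreateGrant"],
    "Resource": "*",
    "Condition": {
      "StringNotEqualsIfExists": {
        "aws:PrincipalOrgID": "o-exampleorgid",
        "aws:PrincipalAccount": ["111111111111"]
      },
      "BoolIfExists": {"aws:PrincipalIsAWSService": "false"}
    }
  }]
}
""")

# Non-compliant RCP: NotAction carves KMS actions out of the deny, so outside
# principals keep Decrypt/GenerateDataKey access unless another deny covers them.
NONCOMPLIANT_RCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyOutsideOrgExceptKms",
    "Effect": "Deny",
    "Principal": "*",
    "NotAction": ["kms:Decrypt", "kms:GenerateDataKey*"],
    "Resource": "*",
    "Condition": {
      "StringNotEqualsIfExists": {"aws:PrincipalOrgID": "o-exampleorgid"},
      "BoolIfExists": {"aws:PrincipalIsAWSService": "false"}
    }
  }]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _covers(patterns, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def _org_condition(statement, org_id):
    """True if the statement is gated on aws:PrincipalOrgID not equal to org_id."""
    cond = statement.get("Condition", {})
    for op in ("StringNotEquals", "StringNotEqualsIfExists"):
        if org_id in _as_list(cond.get(op, {}).get("aws:PrincipalOrgID", [])):
            return True
    return False


def notaction_kms_exemptions(policy):
    """Sids of Deny statements whose NotAction exempts any required KMS action."""
    return [s.get("Sid", "<no Sid>") for s in _as_list(policy["Statement"])
            if s.get("Effect") == "Deny"
            and any(_covers(_as_list(s.get("NotAction", [])), a) for a in KMS_DATA_PLANE)]


def kms_perimeter_statements(policy, org_id):
    """Sids of Deny statements that cover every required KMS action via Action (not
    NotAction), for all principals and resources, conditioned on aws:PrincipalOrgID."""
    found = []
    for s in _as_list(policy["Statement"]):
        if s.get("Effect") != "Deny" or "NotAction" in s:
            continue
        if s.get("Principal") != "*" or "*" not in _as_list(s.get("Resource", [])):
            continue
        actions = _as_list(s.get("Action", []))
        if all(_covers(actions, a) for a in KMS_DATA_PLANE) and _org_condition(s, org_id):
            found.append(s.get("Sid", "<no Sid>"))
    return found


def evaluate_rcp(policy, org_id):
    """Return the rule's verdict plus the findings a reviewer would act on."""
    findings = [f"NotAction exempts KMS actions in statement {sid}"
                for sid in notaction_kms_exemptions(policy)]
    perimeter = kms_perimeter_statements(policy, org_id)
    if not perimeter:
        findings.append("no Deny statement restricts KMS data-plane and grant "
                        "actions by aws:PrincipalOrgID")
    return {"compliant": not findings, "perimeter_statements": perimeter,
            "findings": findings}


if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT_RCP), ("noncompliant", NONCOMPLIANT_RCP)):
        print(name, json.dumps(evaluate_rcp(doc, ORG_ID), indent=2))
```

Run it against your own RCP by loading the JSON with json.load and passing your organization ID to evaluate_rcp. Note that the checker only inspects policy structure; it does not model how RCPs combine with key policies, SCPs or grants at evaluation time, so a compliant verdict here means the perimeter statement exists, not that every key in the OU is otherwise correctly configured.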