KMS key policy should not allow everyone to use it
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
KMS keys are assigned a resource-based policy that controls who can use and manage the key.
Rationale
When the key policy is misconfigured, it can allow any unauthenticated user with knowledge of the key ID to use it for encryption, decryption, signing and verification purposes.
From the console
Go to the list of customer-managed KMS keys at https://console.aws.amazon.com/kms/home#/kms/keys.
Click the vulnerable KMS key name.
In the Key Policy tab, remove the statement making the key publicly accessible.
From the command line
- Retrieve the current key policy:
aws kms get-key-policy \
--key-id <KEY_ARN> \
--policy-name default \
--query Policy --output text > key_policy.json
- Remove the statement making the key publicly accessible, then update the key policy:
aws kms put-key-policy \
--key-id <KEY_ARN> \
--policy-name default \
--policy file://./key_policy.json
References
- [https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html]
- [https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-resources.html#access-analyzer-kms-key]