This control examines whether the default versions of IAM customer-managed policies permit principals to use AWS KMS decryption actions on all KMS resources. The control fails if the policy allows any of the following actions on all KMS keys:
- kms:*
- kms:Decrypt
- kms:ReEncryptFrom
The control specifically checks the Resource element of the policy and does not consider any conditions specified in the Condition element. It evaluates IAM policies meeting any of the following criteria:
It does not evaluate IAM policies meeting any of the following criteria:
To enhance security, instead of granting permissions for all KMS keys, identify the specific keys that principals need to access encrypted data. Design policies to restrict user permissions to only those keys. For example, instead of allowing kms:Decrypt on all KMS keys, grant this permission only for keys in a particular region relevant to your account. Applying the principle of least privilege helps reduce the risk of unintentional data exposure.
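As an added illustration (not Datadog's or AWS's own check), the following Python checker applies this control's logic to a policy document: it flags Allow statements whose Action covers kms:Decrypt or kms:ReEncryptFrom (directly, via kms:* or another wildcard) while Resource covers every KMS key, and it ignores Condition exactly as the control does. The two embedded policies, the account ID and the key ARNs are constructed; treating a Resource pattern as "all keys" when it matches keys in two different regions and accounts is an assumption made here.

```python
import fnmatch
import json

# The decryption actions the control names; Action "kms:*" or "*" also grants them.
DECRYPT_ACTIONS = ("kms:Decrypt", "kms:ReEncryptFrom")

# Two constructed key ARNs in different regions and accounts. A Resource pattern that
# matches both is treated as "all KMS keys" (assumption): "*" and arn:aws:kms:*:*:key/* qualify.
_PROBE_KEYS = ("arn:aws:kms:us-east-1:111111111111:key/aaaa-1111",
               "arn:aws:kms:eu-west-1:222222222222:key/bbbb-2222")

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def _grants_decrypt(action_pattern):
    # IAM action names are case-insensitive globs, so compare lower-cased.
    return any(fnmatch.fnmatchcase(a.lower(), action_pattern.lower()) for a in DECRYPT_ACTIONS)

def _covers_all_keys(resource_pattern):
    return all(fnmatch.fnmatchcase(k, resource_pattern) for k in _PROBE_KEYS)

def find_overly_permissive_statements(policy):
    """Return (Sid, matching actions) for Allow statements granting KMS decryption on all keys.
    Like the control, only Resource is inspected; Condition, NotAction and NotResource are ignored."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if _grants_decrypt(a)]
        if actions and any(_covers_all_keys(r) for r in _as_list(stmt.get("Resource"))):
            findings.append((stmt.get("Sid", f"Statement[{idx}]"), actions))
    return findings

# Constructed policies: the first fails the control; the second scopes decryption
# to keys in one region of a (constructed) account, as the remediation suggests.
FAILING_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AllowDecryptAnywhere", "Effect": "Allow",
                 "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}""")

PASSING_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AllowDecryptInRegion", "Effect": "Allow",
                 "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
                 "Resource": "arn:aws:kms:us-east-1:123456789012:key/*"}]}""")

if __name__ == "__main__":
    for name, policy in (("failing", FAILING_POLICY), ("passing", PASSING_POLICY)):
        print(name, find_overly_permissive_statements(policy))
```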
See the IAM Policies and Wildcards and Modifying Customer Managed Policies documentation for steps on how to identify and rectify policies that contain overly permissive KMS permissions.