KMS key policy should not allow everyone to use it

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.


KMS keys are assigned a resource-based policy that controls who can use and manage the key.


When the key policy is misconfigured, it can allow any unauthenticated user with knowledge of the key ID to use it for encryption, decryption, signing and verification purposes.


From the console

  1. Go to the list of customer-managed KMS keys at

  2. Click the vulnerable KMS key name.

  3. In the Key Policy tab, remove the statement making the key publicly accessible.

From the command line

  1. Retrieve the current key policy:
aws kms get-key-policy \
   --key-id <KEY_ARN> \
   --policy-name default \
   --query Policy --output text > key_policy.json
  1. Remove the statement making the key publicly accessible, then update the key policy:
aws kms put-key-policy \
   --key-id <KEY_ARN> \
   --policy-name default \
   --policy file://./key_policy.json


  1. []
  2. []