RCP should limit KMS key access to the Organization
Description
A Resource Control Policy (RCP) should be applied to all AWS accounts to limit KMS key access to the AWS Organization. This control ensures that KMS keys in member accounts cannot be used by principals outside the organization for encryption, decryption, data key generation, or grant operations. An RCP restricting KMS operations by aws:PrincipalOrgID establishes a data perimeter that prevents unauthorized external access to cryptographic resources.
This rule also flags RCPs that use NotAction to exempt KMS actions from a deny statement. A NotAction-based exemption creates a gap that could be exploited if the corresponding explicit deny is ever removed.
Note: AWS service principals should be exempted using aws:PrincipalIsAWSService conditions to avoid disrupting AWS-managed encryption operations. Trusted external accounts can be exempted using aws:PrincipalAccount conditions where cross-organization access is required.
Create a Resource Control Policy that explicitly denies KMS operations using Action (not NotAction) from principals outside the organization and attach it to the organization root. Remove any NotAction-based deny statements that exempt KMS actions. The RCP should deny kms:* or specific KMS data-plane actions with an aws:PrincipalOrgID condition. Refer to the RCP syntax documentation and the data perimeter policy examples for guidance.
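As an added illustration (not part of this rule's own implementation), the Python below places a compliant RCP next to a NotAction-based one and applies the two checks described above to each; the organization id and trusted account id are constructed placeholders.

```python
ORG_ID = "o-exampleorgid"          # constructed placeholder org id
TRUSTED_ACCOUNT = "111122223333"   # constructed placeholder external account

# Compliant RCP: explicit Deny (Action, not NotAction) on KMS for principals outside
# the org, exempting AWS service principals and one trusted external account.
COMPLIANT_RCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyKmsOutsideOrg", "Effect": "Deny", "Principal": "*",
    "Action": "kms:*", "Resource": "*",
    "Condition": {
        "StringNotEqualsIfExists": {"aws:PrincipalOrgID": ORG_ID,
                                    "aws:PrincipalAccount": TRUSTED_ACCOUNT},
        "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
    }}]}

# Non-compliant RCP: the deny exempts KMS through NotAction, so KMS is protected only
# while some other statement covers it; drop that statement and the perimeter is gone.
NOTACTION_RCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyOutsideOrgExceptKms", "Effect": "Deny", "Principal": "*",
    "NotAction": ["kms:*"], "Resource": "*",
    "Condition": {"StringNotEqualsIfExists": {"aws:PrincipalOrgID": ORG_ID}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers_kms(actions):
    # "*" or any kms:... pattern touches KMS operations
    return any(a == "*" or a.lower().startswith("kms:") for a in _as_list(actions))

def _condition_keys(stmt):
    # IAM condition keys are case-insensitive; normalise before matching
    return {k.lower() for block in stmt.get("Condition", {}).values() for k in block}

def evaluate_rcp(policy):
    """Return (has_org_deny, notaction_exemption) for one RCP document."""
    has_org_deny = notaction_exemption = False
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if _covers_kms(stmt.get("NotAction", [])):
            notaction_exemption = True          # the gap this rule flags
        if _covers_kms(stmt.get("Action", [])) and \
                "aws:principalorgid" in _condition_keys(stmt):
            has_org_deny = True                 # the required perimeter statement
    return has_org_deny, notaction_exemption

def is_compliant(policy):
    has_org_deny, notaction_exemption = evaluate_rcp(policy)
    return has_org_deny and not notaction_exemption
```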