KMS key policies that allow a wildcard principal (*) grant access to any AWS principal, including external or unauthenticated callers. This can enable unauthorized use of keys and lead to data decryption, key management abuse, or privilege escalation. In AWS CloudFormation, the AWS::KMS::Key resource’s Properties.KeyPolicy.Statement[] must not have an Effect: Allow statement where Principal is * (or contains *). Specify explicit principals (AWS account IDs, IAM role or user ARNs, or service principals) and use conditions such as aws:SourceAccount or resource ARN restrictions to narrow access. Statements with Effect: Allow and Principal: '*' will be flagged.
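The check described above, written out as a small stand-alone scanner. This is an added example, not Datadog's rule implementation: it assumes a JSON-form template (YAML templates would first need a YAML parser), walks every AWS::KMS::Key, and flags Allow statements whose Principal is "*" or contains "*" inside the AWS map or list form, while leaving explicit ARNs and Deny statements alone.

```python
import json

# Constructed sample template (not the page's own). Expected: the "Wildcard"
# statement of openKey and the single statement of listKey are flagged; the
# explicit-ARN Allow and the Deny with Principal "*" are not.
SAMPLE_TEMPLATE = json.dumps({"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "openKey": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {"Statement": [
        {"Sid": "Wildcard", "Effect": "Allow", "Principal": "*",
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "RootOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "DenyDeletion", "Effect": "Deny", "Principal": "*",
         "Action": "kms:ScheduleKeyDeletion", "Resource": "*"}]}}},
    "listKey": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {"Statement":
        {"Sid": "MixedList", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:user/Alice", "*"]},
         "Action": "kms:Decrypt", "Resource": "*"}}}},
    "bucket": {"Type": "AWS::S3::Bucket"}}})

def principal_is_wildcard(principal):
    """True if Principal is "*" or any value nested in its map/list is "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(principal_is_wildcard(v) for v in principal.values())
    if isinstance(principal, list):
        return any(principal_is_wildcard(v) for v in principal)
    return False

def find_wildcard_kms_statements(template_text):
    """Return (logical_id, Sid) for each Allow statement with a wildcard principal."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::KMS::Key":
            continue  # the rule only inspects KMS key policies
        statements = resource.get("Properties", {}).get("KeyPolicy", {}).get("Statement", [])
        if isinstance(statements, dict):  # a lone statement object is valid IAM JSON
            statements = [statements]
        for stmt in statements:
            if stmt.get("Effect") == "Allow" and principal_is_wildcard(stmt.get("Principal")):
                findings.append((logical_id, stmt.get("Sid", "<no Sid>")))
    return findings

if __name__ == "__main__":
    for logical_id, sid in find_wildcard_kms_statements(SAMPLE_TEMPLATE):
        print(f"{logical_id}: statement '{sid}' allows a wildcard principal")
```

AWS treats `"Principal": "*"` and `"Principal": {"AWS": "*"}` the same way in resource-based policies, which is why the recursive check covers both spellings.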
Compliant Code Examples

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: A sample template
Resources:
  myKey:
    Type: AWS::KMS::Key
    Properties:
      Description: An example symmetric CMK
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::111122223333:root
            Action: kms:*
            Resource: '*'
          - Sid: Allow administration of the key
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/Alice
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:ScheduleKeyDeletion
              - kms:CancelKeyDeletion
            Resource: '*'
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/Bob
            Action:
              - kms:DescribeKey
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey
              - kms:GenerateDataKeyWithoutPlaintext
            Resource: '*'
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "myKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "An example symmetric CMK",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
              "Action": "kms:*",
              "Resource": "*"
            },
            {
              "Sid": "Allow administration of the key",
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::123456789012:user/Alice" },
              "Action": [
                "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
              ],
              "Resource": "*"
            },
            {
              "Sid": "Allow use of the key",
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::123456789012:user/Bob" },
              "Action": [
                "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: A sample template
Resources:
  myKey:
    Type: AWS::KMS::Key
    Properties:
      Description: An example symmetric CMK
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal: "*"
            Action: kms:*
            Resource: '*'
          - Sid: Allow administration of the key
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/Alice
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:ScheduleKeyDeletion
              - kms:CancelKeyDeletion
            Resource: '*'
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/Bob
            Action:
              - kms:DescribeKey
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey
              - kms:GenerateDataKeyWithoutPlaintext
            Resource: '*'
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "myKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "An example symmetric CMK",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": "*",
              "Action": "kms:*",
              "Resource": "*"
            },
            {
              "Sid": "Allow administration of the key",
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::123456789012:user/Alice" },
              "Action": [
                "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
              ],
              "Resource": "*"
            },
            {
              "Sid": "Allow use of the key",
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::123456789012:user/Bob" },
              "Action": [
                "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
```
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```