For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-kms-key-with-full-permissions.md.
KMS keys must have a strict, explicit key policy because policies that grant broad kms:* permissions to wildcard principals (or omit a policy entirely) allow unintended principals to administer or use the key. This can lead to unauthorized decryption, key compromise, or deletion.
In AWS CloudFormation, inspect AWS::KMS::Key resources and verify Properties.KeyPolicy.Statement[]. A statement will be flagged when Effect is Allow, Action includes kms:*, and Principal is * (or contains wildcard values) without a restrictive Condition. Resources with Properties.KeyPolicy undefined or null are also flagged.
To remediate, define an explicit KeyPolicy, specify principals by ARN or AWS account ID, and limit Action to only the required KMS operations. If you must use kms:*, limit it to trusted administrative principals. You can also add conditions (for example, aws:SourceAccount or aws:PrincipalOrgID) to scope Allow statements.
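The detection logic above is simple enough to express in code. The following checker is an added example, not Datadog's own rule implementation: it walks a CloudFormation template that has already been parsed into a Python dict, flags AWS::KMS::Key resources whose KeyPolicy is undefined or null, and flags Allow statements that grant kms:* (or *) to a wildcard principal without a Condition. The sample templates are constructed here to mirror the page's compliant and non-compliant examples (111122223333 is AWS's documentation placeholder account; the organization ID is a placeholder); the function names and reason strings are this example's own.

```python
"""Added example, not Datadog's rule implementation: a minimal checker that applies
the rule described above to a CloudFormation template already parsed into a dict.
Function names, reason strings and the sample templates are this example's own."""

WILDCARD_ACTIONS = {"kms:*", "*"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for Principal "*" or any principal entry containing a wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(isinstance(p, str) and "*" in p
                   for entries in principal.values() for p in _as_list(entries))
    return False


def _statement_is_overly_broad(stmt):
    """Allow + kms:* (or *) + wildcard principal + no Condition => flagged."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = {a for a in _as_list(stmt.get("Action")) if isinstance(a, str)}
    if not actions & WILDCARD_ACTIONS:
        return False
    if not _principal_is_wildcard(stmt.get("Principal")):
        return False
    # Any Condition (e.g. aws:PrincipalOrgID, aws:SourceAccount) is treated as
    # scoping the grant; a production rule would also inspect its contents.
    return not stmt.get("Condition")


def find_kms_key_violations(template):
    """Return (logical_id, reason) tuples for every AWS::KMS::Key that violates the rule."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::KMS::Key":
            continue
        policy = resource.get("Properties", {}).get("KeyPolicy")
        if not policy:  # undefined, null or empty KeyPolicy
            findings.append((logical_id, "KeyPolicy is undefined or null"))
            continue
        for stmt in _as_list(policy.get("Statement")):
            if _statement_is_overly_broad(stmt):
                sid = stmt.get("Sid", "<no Sid>")
                findings.append((logical_id, f"statement '{sid}' grants kms:* to a wildcard principal"))
    return findings


def _key(key_policy):
    """Build a one-resource template around the given KeyPolicy (None omits it)."""
    props = {"KeySpec": "RSA_3072", "KeyUsage": "SIGN_VERIFY"}
    if key_policy is not None:
        props["KeyPolicy"] = key_policy
    return {"Resources": {"RSASigningKey": {"Type": "AWS::KMS::Key", "Properties": props}}}


# Constructed templates that mirror the page's examples; 111122223333 is AWS's
# documentation placeholder account and o-exampleorgid a placeholder org ID.
NON_COMPLIANT_WILDCARD = _key({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "*"}, "Action": "kms:*", "Resource": "*"}]})
NON_COMPLIANT_NO_POLICY = _key(None)
COMPLIANT_EXPLICIT = _key({"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/Developer"},
     "Action": ["kms:Sign", "kms:Verify", "kms:DescribeKey"], "Resource": "*"}]})
COMPLIANT_SCOPED = _key({"Version": "2012-10-17", "Statement": [
    {"Sid": "Org-scoped admin", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "kms:*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]})

if __name__ == "__main__":
    for name, tpl in [("wildcard", NON_COMPLIANT_WILDCARD), ("no policy", NON_COMPLIANT_NO_POLICY),
                      ("explicit", COMPLIANT_EXPLICIT), ("scoped", COMPLIANT_SCOPED)]:
        print(name, "->", find_kms_key_violations(tpl) or "compliant")
```

The scoped template shows why the Condition check matters: it still grants kms:* to Principal *, but the aws:PrincipalOrgID condition limits it to identities in one organization, which is the kind of statement the rule does not flag. A checker that only matched on Principal and Action would produce a false positive there.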
Compliant Code Examples
Secure example with explicit principals and limited actions:
```json
{
  "Resources": {
    "RSASigningKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "RSA-3047 asymmetric CMK for signing and verification",
        "KeySpec": "RSA_3072",
        "KeyUsage": "SIGN_VERIFY",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Allow administration of the key",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/Admin"
              },
              "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
```
```yaml
Resources:
  RSASigningKey:
    Type: AWS::KMS::Key
    Properties:
      Description: RSA-3047 asymmetric CMK for signing and verification
      KeySpec: RSA_3072
      KeyUsage: SIGN_VERIFY
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::111122223333:role/Developer
            Action:
              - kms:Sign
              - kms:Verify
              - kms:DescribeKey
            Resource: '*'
```
Non-Compliant Code Examples
```json
{
  "Resources": {
    "RSASigningKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "RSA-3047 asymmetric CMK for signing and verification",
        "KeySpec": "RSA_3072",
        "KeyUsage": "SIGN_VERIFY",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": "*"
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
```
```yaml
Resources:
  RSASigningKey:
    Type: AWS::KMS::Key
    Properties:
      Description: RSA-3047 asymmetric CMK for signing and verification
      KeySpec: RSA_3072
      KeyUsage: SIGN_VERIFY
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: '*'
            Action: kms:*
            Resource: '*'
```
Key resource with no KeyPolicy at all (also flagged):
```json
{
  "Resources": {
    "RSASigningKey2": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "RSA-3047 asymmetric CMK for signing and verification",
        "KeySpec": "RSA_3072",
        "KeyUsage": "SIGN_VERIFY"
      }
    }
  }
}
```
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```