RCP should limit KMS key access to the Organization

Description

A Resource Control Policy (RCP) should be applied to all AWS accounts to limit KMS key access to the AWS Organization. This control ensures that KMS keys in member accounts cannot be used by principals outside the organization for encryption, decryption, data key generation, or grant operations.

This rule verifies that an RCP denies all eight KMS data-plane and grant actions when aws:PrincipalOrgID does not match the organization ID:

  • kms:Encrypt
  • kms:Decrypt
  • kms:GenerateDataKey
  • kms:GenerateDataKeyWithoutPlaintext
  • kms:ReEncryptFrom
  • kms:ReEncryptTo
  • kms:CreateGrant
  • kms:DescribeKey

Alternatively, a wildcard action (kms:* or *) satisfies the requirement. The actions can be split across multiple deny statements within the same policy — the rule aggregates all denied actions from statements that include the org boundary condition. Denying only a subset of these actions leaves gaps — for example, denying Decrypt but not ReEncryptTo still allows an external principal to re-encrypt data to a key they control.

Each deny statement must use a StringNotEquals or StringNotEqualsIfExists condition on aws:PrincipalOrgID to enforce the organization boundary. Actions in statements without this condition are not counted toward coverage.

Note: AWS service principals should be exempted using aws:PrincipalIsAWSService conditions to avoid disrupting AWS-managed encryption operations. Trusted external accounts can be exempted using aws:PrincipalAccount conditions where cross-organization access is required.

Remediation

Create a Resource Control Policy that explicitly denies all eight KMS actions listed above (or kms:*) using Action (not NotAction) from principals outside the organization and attach it to the organization root. The deny statement must include a StringNotEquals or StringNotEqualsIfExists condition on aws:PrincipalOrgID. Refer to the RCP syntax documentation and the data perimeter policy examples for guidance.
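As an added example, not code from the original page or from the tool this rule belongs to: the Python below builds a sample RCP of the shape the remediation describes and implements the coverage check the Description outlines, aggregating Action values across Deny statements that carry the aws:PrincipalOrgID condition and treating kms:* or * as full coverage. The organization ID o-exampleorgid and the Sid values are placeholders, and writing the service-principal exemption as a BoolIfExists condition on aws:PrincipalIsAWSService is an assumption about form (the page names only the key).

```python
import json

# The eight actions the rule requires an RCP to deny outside the organization.
REQUIRED = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
            "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom",
            "kms:ReEncryptTo", "kms:CreateGrant", "kms:DescribeKey"}
ORG_OPS = ("StringNotEquals", "StringNotEqualsIfExists")

def deny_stmt(sid, actions, org_id):
    """One Deny statement with the org boundary and the AWS-service exemption."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": actions,
            "Resource": "*",
            "Condition": {"StringNotEqualsIfExists": {"aws:PrincipalOrgID": org_id},
                          "BoolIfExists": {"aws:PrincipalIsAWSService": "false"}}}

# Constructed sample RCP; "o-exampleorgid" is a placeholder organization ID.
# Coverage is deliberately split across two statements, which the rule aggregates.
SAMPLE_RCP = {"Version": "2012-10-17", "Statement": [
    deny_stmt("DenyKmsDataPlaneOutsideOrg",
              ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
               "kms:GenerateDataKeyWithoutPlaintext",
               "kms:ReEncryptFrom", "kms:ReEncryptTo"], "o-exampleorgid"),
    deny_stmt("DenyKmsGrantsOutsideOrg",
              ["kms:CreateGrant", "kms:DescribeKey"], "o-exampleorgid")]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def denied_outside_org(policy):
    """Aggregate Action values from Deny statements that carry the org-ID condition.
    Allow, NotAction and unconditioned statements contribute nothing."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    denied = set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or "Action" not in stmt:
            continue
        cond = stmt.get("Condition", {})
        if any(k.lower() == "aws:principalorgid"
               for op in ORG_OPS for k in cond.get(op, {})):
            denied.update(_as_list(stmt["Action"]))
    return denied

def missing_kms_actions(policy):
    """Required KMS actions the RCP still leaves open to external principals."""
    denied = denied_outside_org(policy)
    if "*" in denied or "kms:*" in denied:
        return set()  # a wildcard covers every required action
    return REQUIRED - denied
```

An empty result from missing_kms_actions means the policy passes the rule; a non-empty set lists exactly the gaps to close.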