---
title: RCP must limit KMS key access to the Organization for regulated accounts
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > RCP must limit KMS key access to the
  Organization for regulated accounts
---

# RCP must limit KMS key access to the Organization for regulated accounts
## Description{% #description %}

A Resource Control Policy (RCP) must be applied to all regulated AWS accounts to limit KMS key access to the AWS Organization. Without an RCP restricting KMS operations by organization boundary, principals outside the organization could encrypt, decrypt, or generate data keys using KMS keys in member accounts.

This rule verifies that an RCP denies **all eight KMS data-plane and grant actions** when `aws:PrincipalOrgID` does not match the organization ID:

- `kms:Encrypt`
- `kms:Decrypt`
- `kms:GenerateDataKey`
- `kms:GenerateDataKeyWithoutPlaintext`
- `kms:ReEncryptFrom`
- `kms:ReEncryptTo`
- `kms:CreateGrant`
- `kms:DescribeKey`

Alternatively, a wildcard action (`kms:*` or `*`) satisfies the requirement. The actions can be split across multiple deny statements within the same policy — the rule aggregates all denied actions from statements that include the org boundary condition. Denying only a subset of these actions leaves gaps — for example, denying `Decrypt` but not `ReEncryptTo` still allows an external principal to re-encrypt data to a key they control.

Each deny statement must use a `StringNotEquals` or `StringNotEqualsIfExists` condition on `aws:PrincipalOrgID` to enforce the organization boundary. Actions in statements without this condition are not counted toward coverage.

**Note:** This is a mandatory control for regulated accounts. AWS service principals should be exempted using `aws:PrincipalIsAWSService` conditions. Trusted external accounts can be exempted using `aws:PrincipalAccount` conditions where required.

## Remediation{% #remediation %}

Create a Resource Control Policy that explicitly denies, for principals outside the organization, all eight KMS actions listed above (or `kms:*`), listing them under `Action` (not `NotAction`), and attach it to the OUs containing regulated accounts. Each deny statement must include a `StringNotEquals` or `StringNotEqualsIfExists` condition on `aws:PrincipalOrgID`. Refer to the [RCP syntax documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_syntax.html) and the [data perimeter policy examples](https://github.com/aws-samples/data-perimeter-policy-examples) for guidance.
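As an added example (not Datadog's rule implementation and not AWS sample code), the following Python applies the coverage logic described above to a constructed RCP: it aggregates actions from `Deny` statements that use `Action` with a `StringNotEquals`/`StringNotEqualsIfExists` condition on `aws:PrincipalOrgID`, treats `kms:*` or `*` as full coverage, and reports which of the eight actions remain uncovered. The organization ID, account ID and `Sid` values in the sample policy are placeholders.

```python
import json

# Added example (not Datadog's implementation) of the coverage check described above.
REQUIRED_KMS_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:CreateGrant", "kms:DescribeKey",
}
ORG_CONDITION_OPERATORS = ("StringNotEquals", "StringNotEqualsIfExists")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _has_org_boundary(statement):
    # Only these operators on aws:PrincipalOrgID count as enforcing the org boundary.
    cond = statement.get("Condition", {})
    return any("aws:PrincipalOrgID" in cond.get(op, {}) for op in ORG_CONDITION_OPERATORS)


def missing_kms_actions(policy):
    """Return the required KMS actions that no qualifying Deny statement covers."""
    denied = set()
    for stmt in _as_list(policy.get("Statement", [])):
        # Skip Allow statements, NotAction statements and denies without the org condition.
        if stmt.get("Effect") != "Deny" or "Action" not in stmt or not _has_org_boundary(stmt):
            continue
        actions = {a.lower() for a in _as_list(stmt["Action"])}  # IAM action names are case-insensitive
        if actions & {"*", "kms:*"}:
            return set()  # a wildcard deny covers all eight actions
        denied |= actions  # actions may be split across several statements
    return {a for a in REQUIRED_KMS_ACTIONS if a.lower() not in denied}


# Constructed sample RCP: o-exampleorgid and 111122223333 are placeholders, not real IDs.
SAMPLE_RCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyKmsDataPlaneOutsideOrg", "Effect": "Deny", "Principal": "*", "Resource": "*",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom", "kms:ReEncryptTo"],
     "Condition": {"StringNotEqualsIfExists": {"aws:PrincipalOrgID": "o-exampleorgid"},
                   "BoolIfExists": {"aws:PrincipalIsAWSService": "false"}}},
    {"Sid": "DenyKmsGrantsOutsideOrg", "Effect": "Deny", "Principal": "*", "Resource": "*",
     "Action": ["kms:CreateGrant", "kms:DescribeKey"],
     "Condition": {"StringNotEqualsIfExists": {"aws:PrincipalOrgID": "o-exampleorgid",
                                               "aws:PrincipalAccount": "111122223333"},
                   "BoolIfExists": {"aws:PrincipalIsAWSService": "false"}}}
  ]
}""")
```

The second statement shows the exemption pattern from the note above: listing `aws:PrincipalAccount` alongside `aws:PrincipalOrgID` under the same `StringNotEqualsIfExists` block exempts the trusted account while keeping the statement's org-boundary condition, so its actions still count toward coverage.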
