KMS key policy
Check ID: aws-kms-002
AWS-KMS-002 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. Checks for customer-managed KMS keys with wildcard Principal (*) in the key policy without conditions.
Why it matters
A KMS key policy with Principal: * and no conditions allows any AWS principal - including principals from other AWS accounts - to use the key for encryption, decryption, and key management operations. This effectively makes your encryption meaningless because any entity can decrypt your data. In cross-account attack scenarios, an attacker who discovers your KMS key ARN can decrypt data from their own AWS account. AWS Security Hub found that overly permissive KMS key policies affect 15% of customer-managed keys. Key policies should follow least privilege by specifying exact IAM ARNs and using conditions like kms:ViaService to restrict usage to specific AWS services.
Common causes
Wildcard principal policies appear when teams copy the default key policy example from AWS documentation that uses "*" for the root account and then modify it incorrectly. Engineers troubleshooting cross-account encryption access may broaden the principal to "*" as a quick fix and forget to scope it back. Some automated key creation tools generate permissive default policies that grant access to any principal without conditions.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
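The logic behind this finding, as an added example that is not cloud-audit's own code: it parses a key policy document and flags every Allow statement whose Principal is "*" (or {"AWS": "*"}) and that carries no Condition block, so a statement scoped with kms:ViaService is left alone. The two sample policies are constructed for the example and ACCOUNT_ID is a placeholder.

```python
import json

def _principals(principal):
    """Flatten the Principal element ("*", a string ARN, or a map of lists) into a list."""
    if isinstance(principal, str):
        return [principal]
    flat = []
    for value in principal.values():
        flat.extend(value if isinstance(value, list) else [value])
    return flat

def wildcard_statements(policy):
    """Return the Sid (or position) of every Allow statement that grants the
    wildcard principal '*' without a Condition block: the AWS-KMS-002 finding."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        if stmt.get("Condition"):
            continue  # scoped by a condition such as kms:ViaService, so not flagged
        findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings

# Constructed sample policies; ACCOUNT_ID is a placeholder, not a real account.
VULNERABLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAnyone", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "kms:*", "Resource": "*"},
    ],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RootAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "S3ViaServiceOnly", "Effect": "Allow", "Principal": "*",
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
    ],
})
```

Feed it the output of aws kms get-key-policy to triage a key by hand: VULNERABLE_POLICY yields ['AllowAnyone'], HARDENED_POLICY yields an empty list.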
Remediation: AWS CLI
aws kms get-key-policy --key-id KEY_ID --policy-name default --region REGION --output text > policy.json
# Edit policy.json to replace '*' with specific ARNs
aws kms put-key-policy --key-id KEY_ID --policy-name default --policy file://policy.json --region REGION
Remediation: Terraform
resource "aws_kms_key" "example" {
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Sid       = "RootAccountAdmin"
      Effect    = "Allow"
      # Name the key owner's account root instead of "*"
      Principal = { AWS = "arn:aws:iam::ACCOUNT_ID:root" }
      Action    = "kms:*"
      Resource  = "*"
    }]
  })
}
This check is part of cloud-audit - install with pip install cloud-audit