Streamlining KMS Administrative Access Audits: A Practical Guide for DORA (Digital Operational Resilience Act) and Other Compliance Requirements
When organizations undergo regulatory audits like DORA, auditors frequently require comprehensive documentation of cryptographic key management controls. Specifically, they need clear visibility into AWS KMS key inventories, the IAM roles authorized to perform administrative operations, and the effective permissions resulting from both key policies and IAM policies. Producing this evidence in an audit-ready format presents a common challenge for security and compliance teams.
Understanding the Audit Scope
Administrative operations on KMS keys represent the control plane for cryptographic infrastructure. The relevant operations include key policy and grant management, enabling and disabling keys, and scheduling key deletion. These administrative actions differ fundamentally from data plane operations like encryption and decryption. For audit purposes, organizations must document who can perform management operations like kms:PutKeyPolicy, kms:ScheduleKeyDeletion, kms:CancelKeyDeletion, kms:EnableKey, kms:DisableKey, kms:CreateGrant, kms:RevokeGrant, kms:EnableKeyRotation, and kms:DisableKeyRotation. The complexity arises because effective permissions in AWS KMS result from evaluating both the key policy attached to each KMS key and the IAM policies attached to principals attempting to access those keys. Every KMS key must have a key policy, and this policy works in conjunction with IAM policies to determine final authorization decisions. Organizations must demonstrate this combined permission model to satisfy audit requirements.
AWS Native Tools for Evidence Collection
AWS provides several services that facilitate audit evidence gathering for KMS administrative access documentation. AWS Audit Manager serves as the central orchestration service for compliance evidence collection. While Audit Manager doesn't provide a pre-configured report specifically for KMS administrative access mapping, it offers frameworks for various compliance standards and can collect evidence from multiple AWS data sources including AWS Config, AWS CloudTrail, AWS Security Hub, and direct API calls. Organizations can create custom controls within Audit Manager that collect evidence using these data sources, then organize that evidence into assessments aligned with their audit requirements. The Evidence Finder feature within Audit Manager allows querying collected evidence with filters for specific services, controls, and compliance status, making it valuable for organizing and retrieving audit-ready documentation.

AWS IAM Access Analyzer provides critical capabilities for identifying which principals have administrative access to KMS keys. Access Analyzer programmatically evaluates resource policies and IAM policies together to determine effective permissions, which directly addresses the audit requirement to document who has administrative access resulting from the combination of authorization mechanisms. Access Analyzer can identify external access to KMS keys and unused access, helping organizations demonstrate least privilege principles during audits.

AWS Config enables continuous monitoring of KMS key configurations, key policies, and related IAM role permissions. Organizations can establish Config rules to evaluate whether KMS administrative permissions align with security baselines and generate compliance reports demonstrating ongoing monitoring. Config maintains a configuration history that provides point-in-time views of key policies and IAM configurations, which auditors typically require to validate that controls were effective during the audit period.

AWS CloudTrail logs every API call made to AWS KMS, including all administrative operations. The logs capture details of the user identity, timestamp, operation performed, and the specific key involved. This provides an audit trail demonstrating actual administrative actions taken against KMS keys, complementing the permission documentation by showing how those permissions were exercised.
Recommended Approach for Producing Audit Evidence
Organizations should implement a systematic approach combining programmatic data extraction with structured documentation to produce comprehensive audit evidence. Start by inventorying all KMS keys across all regions where your organization operates. Using the AWS CLI or an SDK, systematically execute aws kms list-keys for each region to create a complete inventory. For each identified key, retrieve the key metadata with aws kms describe-key and the key policy with aws kms get-key-policy. This establishes the foundational dataset showing what cryptographic keys exist and their configured authorization policies.

Next, analyze IAM roles to identify those with KMS administrative permissions. According to AWS KMS role-based access control guidance, key administrators typically have permissions for Create, Describe, Enable, Put, Update, Revoke, Disable, Delete, ScheduleKeyDeletion, and CancelKeyDeletion actions. Programmatically examine IAM role policies, both inline and attached, to identify roles containing these administrative permission patterns. IAM policy simulation capabilities can help determine whether specific roles have effective administrative access to each KMS key.

Document the effective permissions by combining key policy evaluation with IAM policy analysis. Since AWS KMS authorization requires both the key policy and IAM policies to allow an action, your evidence must demonstrate how these authorization layers interact. For each KMS key, identify which IAM roles have statements in the key policy allowing administrative actions, then cross-reference with the IAM policies attached to those roles to confirm effective administrative permissions.

Include grant documentation in your evidence package. KMS grants provide time-bound permissions that can include administrative operations, representing an alternative authorization mechanism beyond key policies and IAM policies. Execute aws kms list-grants for each key to document active grants, their associated principals, and their permitted operations, ensuring your administrative access documentation is complete.
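The region-by-region extraction described above, written out as an added example (not the article's code or an AWS-provided tool): it assumes a boto3 KMS client is injected per region, collects the metadata, verbatim key policy and grants for each key, and wraps everything in a timestamped report. The function names and the stub-friendly `_iso` helper are my own.

```python
import json
from datetime import datetime, timezone

def _iso(value):
    # boto3 returns datetimes; stub clients used in offline runs may already hand over strings.
    return value.isoformat() if hasattr(value, "isoformat") else str(value)

def collect_key_evidence(kms, region):
    """One audit record per KMS key in a region. `kms` is an injected boto3 KMS client,
    so the function can be exercised offline with a stub that returns the same shapes."""
    records = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            key_id = key["KeyId"]
            meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
            # The key policy arrives as a JSON string; auditors want the statements verbatim.
            policy = json.loads(kms.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"])
            grants = [g for p in kms.get_paginator("list_grants").paginate(KeyId=key_id)
                      for g in p["Grants"]]
            records.append({
                "region": region, "key_id": key_id, "arn": meta["Arn"],
                "creation_date": _iso(meta["CreationDate"]),
                "key_state": meta["KeyState"], "key_manager": meta["KeyManager"],
                "key_policy": policy,
                # Grant IDs and grantees (never grant tokens) belong in the evidence package.
                "grants": [{"grant_id": g["GrantId"], "grantee": g["GranteePrincipal"],
                            "operations": g["Operations"]} for g in grants],
            })
    return records

def build_report(records_per_region):
    """Timestamped envelope so every extracted policy is attributable to a point in time."""
    return {"collected_at": datetime.now(timezone.utc).isoformat(),
            "keys": [r for region_records in records_per_region for r in region_records]}

def main():
    import boto3  # imported here so the module loads (and the functions above work) without boto3
    session = boto3.Session()
    per_region = [collect_key_evidence(session.client("kms", region_name=r), r)
                  for r in session.get_available_regions("kms")]
    print(json.dumps(build_report(per_region), indent=2))

if __name__ == "__main__":
    main()
```

Running main() needs credentials with kms:ListKeys, kms:DescribeKey, kms:GetKeyPolicy and kms:ListGrants; opt-in regions that are not enabled for the account will raise, so restrict the region list to the ones you operate in.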
Structuring Audit-Ready Documentation
Format your evidence output on a per-key basis with clearly defined sections. Each key's documentation should include key metadata such as the key ID, ARN, creation date, key state, and key manager type. Include the complete key policy in JSON format exactly as configured, since auditors need to review the actual policy statements. Document all identified IAM roles with administrative permissions, listing the specific administrative actions each role can perform based on effective permission evaluation. If grants exist, document the grant IDs, grantee principals, and operations permitted through each grant.

Maintain version control and precise timestamps for all extracted policies and configurations. Audit evidence must be point-in-time accurate, demonstrating the state of your environment at a specific moment or throughout a specific period. Consider implementing automated scheduled extraction of this information rather than one-time evidence gathering, as this demonstrates continuous compliance monitoring and provides trend data showing how administrative access controls evolve over time.

Document your access control separation by clearly showing the distinction between key administrators and key users. AWS recommends following a role-based access control model where administrative permissions are separated from cryptographic usage permissions. This separation demonstrates defense-in-depth principles and least privilege practices that auditors expect to see.
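Added example, not from the article or from AWS: a simplified evaluator of the combined permission model described in the audit scope section and used for the per-role "effective permission evaluation" above. It reports which administrative actions a role can perform on a key either because the key policy names the role directly or because the key policy delegates to the account root and the role's IAM policy allows the action on a Resource covering that key's ARN. It ignores Condition elements and NotAction; the sample ARNs and policies are constructed.

```python
import fnmatch

# Administrative KMS actions the audit asks about (the article's list).
ADMIN_ACTIONS = {"kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
                 "kms:EnableKey", "kms:DisableKey", "kms:CreateGrant", "kms:RevokeGrant",
                 "kms:EnableKeyRotation", "kms:DisableKeyRotation"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matching(st, candidates):
    """Candidate actions matched by the statement's Action patterns (kms:*, kms:Enable*, ...)."""
    return {a for a in candidates
            if any(fnmatch.fnmatchcase(a, p) for p in _as_list(st.get("Action", [])))}

def _names(st, arn):
    # True when the statement's Principal.AWS element lists this ARN ('*' principals are ignored).
    principal = st.get("Principal", {})
    return isinstance(principal, dict) and arn in _as_list(principal.get("AWS", []))

def _allowed(statements):
    # Allow minus explicit Deny across one set of statements.
    allow, deny = set(), set()
    for st in statements:
        (allow if st.get("Effect") == "Allow" else deny).update(_matching(st, ADMIN_ACTIONS))
    return allow - deny

def effective_admin_actions(key_policy, key_arn, role_arn, role_iam_statements):
    """Admin actions role_arn can perform on key_arn: either the key policy names the role,
    or it delegates to the account root and the role's IAM policy allows the action on this key."""
    statements = key_policy["Statement"]
    account_root = f"arn:aws:iam::{key_arn.split(':')[4]}:root"
    direct = _allowed([st for st in statements if _names(st, role_arn)])
    delegated = _allowed([st for st in statements if _names(st, account_root)])
    in_scope = [st for st in role_iam_statements
                if any(fnmatch.fnmatchcase(key_arn, r) for r in _as_list(st.get("Resource", [])))]
    # An explicit Deny naming the role in the key policy overrides either path.
    explicit_deny = set().union(*(_matching(st, ADMIN_ACTIONS) for st in statements
                                  if st.get("Effect") == "Deny" and _names(st, role_arn)))
    return sorted((direct | (delegated & _allowed(in_scope))) - explicit_deny)

# Constructed sample: key policy delegates to the root but denies the role deletion; IAM grants a subset.
SAMPLE_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_ROLE_ARN = "arn:aws:iam::111122223333:role/KeyAdmin"
SAMPLE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Deny", "Principal": {"AWS": SAMPLE_ROLE_ARN},
     "Action": "kms:ScheduleKeyDeletion", "Resource": "*"}]}
SAMPLE_ROLE_STATEMENTS = [{"Effect": "Allow", "Resource": "arn:aws:kms:eu-west-1:111122223333:key/*",
                           "Action": ["kms:Enable*", "kms:DisableKey", "kms:ScheduleKeyDeletion"]}]
```

For the sample, the role ends up with kms:DisableKey, kms:EnableKey and kms:EnableKeyRotation: the IAM wildcard expands, the delegated path carries it, and the key policy's explicit Deny strips deletion.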
Implementation Considerations
Creating custom scripts using AWS CLI or AWS SDK provides maximum control over evidence format and completeness. Python with boto3 represents a common implementation choice, though any SDK-supported language works effectively. Your scripts should iterate through all regions where KMS keys exist, extract key policies and metadata for each key, perform IAM policy analysis to identify roles with administrative permissions, and compile everything into a structured report format suitable for auditor review.

Organizations with multi-account AWS environments should implement their evidence collection across all accounts within their AWS Organization. AWS Config aggregators and AWS Audit Manager support multi-account assessments, allowing centralized evidence collection across your entire AWS footprint. This ensures complete coverage and prevents audit findings related to incomplete scope.

While AWS doesn't provide a single pre-built report combining all KMS administrative access elements required for comprehensive audits, the combination of AWS Audit Manager for evidence orchestration, IAM Access Analyzer for permission analysis, AWS Config for continuous monitoring, and custom scripting for documentation compilation represents the most effective approach for producing complete audit-ready evidence. Organizations can reference AWS KMS best practices documentation for implementing proper access controls, including the principle of least privilege, separation of duties between key administrators and key users, and regular review of permissions to prevent privilege creep over time. These practices not only help during audits but strengthen overall cryptographic key management security posture.
Sources:
- Supported data source types for automated evidence - AWS Audit Manager
- ISO/IEC 27001:2013 Annex A - AWS Audit Manager
- Audit Manager - ISO27001 | AWS re:Post
- Audit Capabilities - Navigating GDPR Compliance on AWS

Topics: Financial Services
Language: English