How Can I Satisfy KMS.1 in Security Hub Findings

Question

KMS.1 states that "IAM customer managed policies should not allow decryption actions on all KMS keys." Further, the documentation provides the following example for a satisfying this finding "For example, do not allow kms:Decrypt permission on all KMS keys. Instead, allow kms:Decrypt only on keys in a particular Region for your account."  So, the resources that I'm including are limited to "arn:aws:kms:us-east-1:123456789012:key/*" which, according to the example, should be satisfactory. However, Security Hub is still issuing a finding. It seems to me, you can't get away with using "key/*" in any situation - rather that I have to identify some portion of the key id to remediate the finding? My instances require access to a number of keys across a few accounts so having to identify each individual key can get cumbersome. Any suggestions would be greatly appreciated. Thanks!

Answer

You're having a problem with AWS IAM policies for KMS keys. The rule KMS.1 says you shouldn't allow decryption on all keys, and you tried to limit it to keys in a specific region. However, you're still getting issues from Security Hub.

To fix this, you need to be more specific in your policy. You can use tags on your keys or specify key name prefixes. Be careful not to make your policy too permissive. It's essential to balance security and convenience.

Few things to take in consideration:

Use Resource Tags: Consider tagging your KMS keys with specific attributes, (e. g. "Environment," "Application," or "Project") Then, you can use resource-based policies that refer to these tags to grant kms:Decrypt permissions. This way, you can grant permissions to groups of keys based on their tags.

Prefix Matching: If your keys are named with prefixes like "prod-key-" or "dev-key-", you can specify those prefixes in your policy to allow decryption only for keys with matching prefixes.

How Can I Satisfy KMS.1 in Security Hub Findings

Relevant content