IAM Analyzer & ams/acm Key Policy

Question

Following the announcement regarding the IAM Analyzer, I ran it in relevant regions and a 'finding' showed up for us-east-1. The transcript of the finding is here (I've removed my account number and tweaked the ARN):

```
[
  {
    "action": [
      "kms:Decrypt"
    ],
    "analyzedAt": "2019-12-03T16:50:47.000Z",
    "condition": {},
    "createdAt": "2019-12-03T16:32:58.000Z",
    "id": "32f520ad-4074-4535-9e68-9d1343bff519",
    "isPublic": false,
    "principal": {
      "AWS": "237498168996"
    },
    "resource": "arn:aws:kms:us-east-1:xxxxxxxxxxxx:key/99bba141-3014-46c3-8829-deadbeef",
    "resourceType": "AWS::KMS::Key",
    "status": "ACTIVE",
    "updatedAt": "2019-12-03T16:32:58.000Z"
  }
]
```

Two things are unclear. Firstly, where did that principal account number come from, it is nothing to do with me. And secondly, although clicking through the ARN link under Resource in the Findings detail takes me to the Customer Managed Keys section of KMS (breadcrumb link reads: KMS > Customer managed keys > Key ID: 99bba141-3014-46c3-8829-deadbeef) this isn't a CMK, it's an AWS managed key with the alias aws/acm and a key policy I can only view?  
  
I believe the key policy itself to be safe as it has Condition restrictions to my account for all Allow entries, the 'finding' makes no sense when no other AWS managed keys are listed (and there are some in there) or that it isn't a CMK, it's an AWS managed key?!  
  
Screenshot attached. Interested in any thoughts.  
  
Robert.

Answer

Hello jfdurocher and rswift,  
  
Thank you for reaching out to us and providing feedback. I'm happy to provide you with an understanding of why you saw the finding and why it was resolved.   
  
The findings generated by IAM Access Analyzer for KMS keys are comprehensive and provide visibility into access allowed not just KMS key policies but also by a policy-equivalent configuration feature provided by KMS called KMS grants: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html. You might not see the accounts in question in your KMS key policy because the permissions are allowed by grants, which are not currently visible in the console. Similar to the case with  , there are certain AWS-owned accounts associated to specific AWS services that require permissions to take actions on behalf of customers. We have confirmed that the accounts that appeared in your findings are AWS-owned accounts belonging to AWS services and the access shared by the finding is intended for the functioning of the AWS service.  
  
We have updated the analysis to ensure new findings from AWS-owned accounts are not flagged as Active findings and existing findings are automatically resolved. Hope this helps!  
  
Thank you,  
Ujjwal

Answer

Thank you @ujjwal-aws for this explanation/update it is much appreciated.

Answer

Fingers crossed this is a teething issue with the new service? I've trawled CloudTrail for every region and cannot find any reference to the policy creation from the time shown in the KMS console, it's a definite weirdy!?  
  
I wonder if we've stumbled upon  accounts? 🤣🕵️‍♂️😒

Answer

Closing this forum thread as answered. Happy to provide answers to follow-up questions.

Answer

> _jfdurocher wrote:_    
> @rswift, not sure what happened there but it seems the issue is now marked as Resolved although I haven't changed a setting, I did ran all the logging possible but nothing in my settings might have been something on Amazon side but I wish I could have some explanation.  
>   
> Hoping it will be resolved for you too.  
  
How peculiar? The finding is magically resolved for me too! I couldn't agree more, this seems to have lifted the AWS kimono just a little and we've seen underneath, their transparency isn't great given the key still exists but no longer links to a CMK, question is, was this a KMS issue that the Analyser uncovered, or an Analyser issue? If it is the former, then that feels more of an issue. But especially strange that we had different principals...  
  
I 'm sure we'll never get an answer... &#129335;‍♂️

Answer

I too have the exact same behavior from Access Analyser but with a different "Principal" unknown account that has nothing to do with me. Basically @rswift situation is a copy and paste of mine even with the AWS Managed key showing up as CMK.

Answer

@rswift, not sure what happened there but it seems the issue is now marked as Resolved although I haven't changed a setting, I did ran all the logging possible but nothing in my settings might have been something on Amazon side but I wish I could have some explanation.  
  
Hoping it will be resolved for you too.

Answer

Thank you for the follow up, much appreciated.

IAM Analyzer & ams/acm Key Policy

Relevant content