block-kms-policy-wildcard
Explanation
IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you apply least privilege. In other words, grant identities only the kms:Decrypt or kms:ReEncryptFrom permissions they need, and only for the keys that are required to perform a task. A statement that allows kms:* (or any pattern covering those actions) on a resource of "*" grants decryption with every key in the account.
Possible Impact
Identities may be able to decrypt data that they should not have access to.
Suggested Resolution
Scope down the resources of the IAM policy to the specific KMS key ARNs the identity needs, rather than "*".
Insecure Example
The following example will fail the aws-iam-block-kms-policy-wildcard check.
resource "aws_iam_role_policy" "test_policy" {
  name   = "test_policy"
  role   = aws_iam_role.test_role.id
  policy = data.aws_iam_policy_document.kms_policy.json
}

resource "aws_iam_role" "test_role" {
  name = "test_role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}

# Identity-based policy attached to the role (identity-based policies carry no
# principals block; the role itself is the principal). Every KMS action is
# allowed on every key in the account, which is what the check flags.
data "aws_iam_policy_document" "kms_policy" {
  statement {
    actions   = ["kms:*"]
    resources = ["*"]
  }
}
Secure Example
The following example will pass the aws-iam-block-kms-policy-wildcard check.
resource "aws_kms_key" "main" {
  enable_key_rotation = true
}

resource "aws_iam_role_policy" "test_policy" {
  name   = "test_policy"
  role   = aws_iam_role.test_role.id
  policy = data.aws_iam_policy_document.kms_policy.json
}

resource "aws_iam_role" "test_role" {
  name = "test_role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}

# Identity-based policy scoped to the one key the role works with. The check
# passes because the resource is a specific key ARN; the action list is still
# broad and could be narrowed further to kms:Decrypt / kms:ReEncryptFrom.
data "aws_iam_policy_document" "kms_policy" {
  statement {
    actions   = ["kms:*"]
    resources = [aws_kms_key.main.arn]
  }
}
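As an added illustration, not part of this check's documentation or of tfsec's own code, the following Python applies the check's logic to the JSON that an aws_iam_policy_document renders to: it reports Allow statements whose action pattern covers kms:Decrypt or kms:ReEncryptFrom on every key. The two sample policies, the account id and the key id are constructed placeholders.

```python
import fnmatch
import json

# The KMS permissions the Explanation above singles out; an Allow that covers
# either of them on every key is what the check flags.
SENSITIVE_KMS_ACTIONS = ("kms:Decrypt", "kms:ReEncryptFrom")

def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _covers(pattern, action):
    """True when an IAM action pattern ('kms:*', 'kms:Re*', '*') covers an action.
    IAM action matching is case-insensitive and uses '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _is_all_keys(resource):
    """'*' or an ARN ending in ':key/*' grants the action on every key."""
    return resource == "*" or resource.endswith(":key/*")

def find_kms_wildcards(policy_json):
    """Return (sid, action_pattern, resource) for every Allow statement that grants
    a sensitive KMS action on all keys; an empty list means the policy passes."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        for pattern in _as_list(stmt.get("Action")):
            if not any(_covers(pattern, a) for a in SENSITIVE_KMS_ACTIONS):
                continue
            for resource in _as_list(stmt.get("Resource")):
                if _is_all_keys(resource):
                    findings.append((stmt.get("Sid", ""), pattern, resource))
    return findings

# Constructed sample: what the page's insecure kms_policy document renders to.
INSECURE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllKeys", "Effect": "Allow", "Action": "kms:*", "Resource": "*"}]})

# Constructed sample: the secure shape, scoped to one key (placeholder account/key id),
# plus a harmless read-only action on "*" that must not be reported.
SECURE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OneKey", "Effect": "Allow", "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"Sid": "Describe", "Effect": "Allow", "Action": "kms:DescribeKey", "Resource": "*"}]})
```

Running find_kms_wildcards over the rendered policy in CI gives the same verdict as the check without needing the Terraform source.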