More Info:

This rule checks whether the managed AWS Identity and Access Management (IAM) policies that you create allow any blocked action on AWS Key Management Service (KMS) keys. The rule is NON_COMPLIANT if any blocked action is allowed on AWS KMS keys by the managed IAM policy. Note that this rule does not evaluate the conditions provided in IAM policies.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

To remediate the issue of blocked KMS actions in IAM policies in AWS, follow these steps using the AWS Management Console:

  1. Access the AWS IAM Console:

    • Open the AWS Management Console and navigate to the IAM service.
  2. Identify the IAM Policy with Blocked KMS Actions:

    • In the IAM console, click on “Policies” in the left-hand menu.
    • Review the policies attached to the IAM users, groups, or roles to identify the policy that contains blocked KMS actions.
  3. Edit the IAM Policy:

    • Click on the policy that contains the blocked KMS actions to open it for editing.
  4. Update the IAM Policy to Allow KMS Actions:

    • Within the policy document, locate the section that defines the permissions for KMS actions.
    • Modify the policy to allow the necessary KMS actions by adding the required KMS actions to the “Action” section.
  5. Save the Changes:

    • After updating the policy to allow the necessary KMS actions, save the changes to the policy.
  6. Attach the Updated Policy:

    • Once the policy is updated, attach it to the relevant IAM user, group, or role that requires access to KMS actions.
  7. Verify Access:

    • Test the IAM user, group, or role to ensure that it can now perform the necessary KMS actions without any issues.
  8. Monitor and Review:

    • Regularly monitor and review IAM policies to ensure that they do not contain any blocked KMS actions in the future.

By following these steps, you can remediate the issue of blocked KMS actions in IAM policies in AWS and ensure that the necessary permissions are granted for KMS actions as required.
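As an added example for the rule described under More Info and for the "Monitor and Review" step (this is not part of this rule's documentation or of AWS's own implementation), the following Python check applies the rule's logic to a policy document: it flags every Allow statement whose Action wildcards or NotAction cover a blocked KMS action, ignores Condition as the rule does, and also ignores Resource (a simplification of this example). The blocked-action list and both sample policies are constructed for illustration.

```python
import json
import re

# Assumed blocked-action list; the rule's own list is a parameter you configure.
BLOCKED_ACTIONS = ["kms:Decrypt", "kms:ReEncryptFrom"]


def action_matches(pattern, action):
    """IAM-style action match: case-insensitive, '*' and '?' wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def find_blocked_kms_actions(policy, blocked=BLOCKED_ACTIONS):
    """Return [(sid, blocked_action, granting_pattern), ...] for every Allow
    statement granting a blocked action. Condition and Resource are ignored."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant anything
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions, not_actions = _as_list(stmt.get("Action")), _as_list(stmt.get("NotAction"))
        for wanted in blocked:
            findings += [(sid, wanted, p) for p in actions if action_matches(p, wanted)]
            # NotAction allows everything *except* the listed patterns.
            if not_actions and not any(action_matches(p, wanted) for p in not_actions):
                findings.append((sid, wanted, "NotAction"))
    return findings


def is_compliant(policy, blocked=BLOCKED_ACTIONS):
    return not find_blocked_kms_actions(policy, blocked)


# Constructed sample: NON_COMPLIANT, because "kms:*" covers kms:Decrypt.
NONCOMPLIANT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KmsAll", "Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}

# Constructed sample: the same grant narrowed to the actions actually needed.
COMPLIANT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KmsDescribe", "Effect": "Allow",
     "Action": ["kms:DescribeKey", "kms:ListKeys"], "Resource": "*"}]}

if __name__ == "__main__":
    print(find_blocked_kms_actions(NONCOMPLIANT_POLICY), is_compliant(COMPLIANT_POLICY))
```

Feed it the policy documents you retrieve for each customer managed policy version to reproduce the rule's verdict before the next evaluation runs.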