AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Blocked KMS Actions In IAM Policies Should Be Set
More Info:
This rule checks if the managed AWS Identity and Access Management (IAM) policies that you create do not allow blocked actions on AWS Key Management Service (KMS) keys. The rule is NON_COMPLIANT if any blocked action is allowed on AWS KMS keys by the managed IAM policy. Note that this rule does not evaluate the conditions provided in IAM policies.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the issue of blocked KMS actions in IAM policies in AWS, follow these steps using the AWS Management Console:
-
Access the AWS IAM Console:
- Open the AWS Management Console and navigate to the IAM service.
-
Identify the IAM Policy with Blocked KMS Actions:
- In the IAM console, click on “Policies” in the left-hand menu.
- Review the policies attached to the IAM users, groups, or roles to identify the policy that contains blocked KMS actions.
-
Edit the IAM Policy:
- Click on the policy that contains the blocked KMS actions to open it for editing.
-
Update the IAM Policy to Allow KMS Actions:
- Within the policy document, locate the section that defines the permissions for KMS actions.
- Modify the policy to allow the necessary KMS actions by adding the required KMS actions to the “Action” section.
-
Save the Changes:
- After updating the policy to allow the necessary KMS actions, save the changes to the policy.
-
Attach the Updated Policy:
- Once the policy is updated, attach it to the relevant IAM user, group, or role that requires access to KMS actions.
-
Verify Access:
- Test the IAM user, group, or role to ensure that they can now perform the necessary KMS actions without any issues.
-
Monitor and Review:
- Regularly monitor and review IAM policies to ensure that they do not contain any blocked KMS actions in the future.
By following these steps, you can remediate the issue of blocked KMS actions in IAM policies in AWS and ensure that the necessary permissions are granted for KMS actions as required.
To remediate the misconfiguration of blocked KMS actions in IAM policies in AWS using AWS CLI, follow these steps:
-
Identify the IAM policy that is blocking KMS actions:
Use the following AWS CLI command to list all IAM policies that have explicit deny statements for KMS actions:
aws iam list-policies --query "Policies[?PolicyId != null].{PolicyName:PolicyName, PolicyId:PolicyId}" --output table
Look for the IAM policy that is blocking KMS actions.
-
Update the IAM policy to allow the necessary KMS actions:
Use the following AWS CLI command to update the IAM policy to allow the necessary KMS actions. Replace
POLICY_ARN
with the ARN of the IAM policy that needs to be updated andKMS_ACTION
with the specific KMS action that needs to be allowed (e.g.,kms:Encrypt
):aws iam create-policy-version --policy-arn POLICY_ARN --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "KMS_ACTION", "Resource": "*" } ] }'
This command will create a new version of the IAM policy that allows the specified KMS action.
-
Set the new policy version as the default version:
Use the following AWS CLI command to set the newly created policy version as the default version for the IAM policy. Replace
POLICY_ARN
with the ARN of the IAM policy that was updated:aws iam set-default-policy-version --policy-arn POLICY_ARN --version-id v2
Replace
v2
with the version number of the policy version that was created in the previous step. -
Verify the IAM policy changes:
Use the following AWS CLI command to verify that the IAM policy now allows the necessary KMS actions. Replace
POLICY_ARN
with the ARN of the IAM policy that was updated:aws iam get-policy-version --policy-arn POLICY_ARN --version-id v2
This command will display the details of the updated IAM policy version, including the allowed KMS actions.
By following these steps, you can remediate the misconfiguration of blocked KMS actions in IAM policies in AWS using AWS CLI.
To remediate the issue of blocked KMS actions in IAM policies in AWS using Python, you can follow these steps:
-
Identify the IAM policies that are blocking KMS actions:
- You can use the AWS SDK for Python (Boto3) to list all the IAM policies in your AWS account.
- For each policy, check if it contains any explicit deny statements that block KMS actions.
-
Update the IAM policies to allow necessary KMS actions:
- For policies that are blocking KMS actions, modify the policy to allow the required KMS actions.
- You can use the
update_policy
method in Boto3 to update the IAM policy with the correct permissions.
-
Test the IAM policies:
- After updating the IAM policies, test the permissions to ensure that the users or roles can now perform the necessary KMS actions.
Here is a sample Python script to remediate the blocked KMS actions in IAM policies:
import boto3
# Initialize the IAM client
iam_client = boto3.client('iam')
# List all IAM policies
response = iam_client.list_policies()
for policy in response['Policies']:
policy_arn = policy['Arn']
# Get the policy document
policy_version = iam_client.get_policy_version(
PolicyArn=policy_arn,
VersionId=policy['DefaultVersionId']
)
policy_document = policy_version['PolicyVersion']['Document']
# Check if the policy contains explicit deny statements for KMS actions
for statement in policy_document['Statement']:
if statement.get('Effect') == 'Deny' and 'kms' in statement.get('Action', ''):
# Update the policy to allow necessary KMS actions
statement['Effect'] = 'Allow'
# Update the policy with the modified document
iam_client.create_policy_version(
PolicyArn=policy_arn,
PolicyDocument=policy_document,
SetAsDefault=True
)
print(f"Policy {policy_arn} updated to allow KMS actions.")
Please ensure that you have the necessary permissions to modify IAM policies before running this script. Also, customize the script as per your specific requirements and policies in your AWS account.