> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Blocked KMS Actions In Inline Policies Should Be Set

### More Info:

This rule checks if the inline policies attached to your IAM roles do not allow blocked actions on all AWS Key Management Service (KMS) keys. The rule is NON\_COMPLIANT if any blocked action is allowed on all AWS KMS keys in an inline policy.

### Risk Level

Medium

### Address

Security

### Compliance Standards

CBP

### Triage and Remediation

<Tabs>
  <Tab title="Prevention">
    ### How to Prevent

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To prevent blocked KMS actions in inline policies in IAM using the AWS Management Console, follow these steps:

        1. **Navigate to IAM Policies:**
           * Open the AWS Management Console.
           * In the navigation pane, choose "Policies" under the "Access management" section.

        2. **Create or Edit a Policy:**
           * To create a new policy, click on the "Create policy" button.
           * To edit an existing policy, find the policy you want to modify and click on its name, then click the "Edit policy" button.

        3. **Specify KMS Actions:**
           * In the policy editor, switch to the "JSON" tab.
           * Ensure that the policy explicitly specifies the allowed KMS actions. For example:
             ```json theme={null}
             {
               "Version": "2012-10-17",
               "Statement": [
                 {
                   "Effect": "Allow",
                   "Action": [
                     "kms:Encrypt",
                     "kms:Decrypt",
                     "kms:GenerateDataKey"
                   ],
                   "Resource": "*"
                 }
               ]
             }
             ```

        4. **Review and Save:**
           * After specifying the allowed KMS actions, click on the "Review policy" button.
           * Provide a name and description for the policy if creating a new one.
           * Click on the "Create policy" or "Save changes" button to apply the policy.

        By following these steps, you ensure that the inline policies in IAM explicitly allow the necessary KMS actions, preventing any misconfigurations related to blocked KMS actions.
      </Accordion>

      <Accordion title="Using CLI">
        To prevent blocked KMS actions in inline policies in IAM using AWS CLI, you can follow these steps:

        1. **Create a JSON Policy Document**:
           * First, create a JSON file that defines the inline policy with the necessary permissions and explicitly denies the blocked KMS actions.
           * Example JSON policy (`policy.json`):
             ```json theme={null}
             {
               "Version": "2012-10-17",
               "Statement": [
                 {
                   "Effect": "Allow",
                   "Action": [
                     "kms:Encrypt",
                     "kms:Decrypt",
                     "kms:GenerateDataKey"
                   ],
                   "Resource": "*"
                 },
                 {
                   "Effect": "Deny",
                   "Action": [
                     "kms:DisableKey",
                     "kms:ScheduleKeyDeletion"
                   ],
                   "Resource": "*"
                 }
               ]
             }
             ```

        2. **Attach the Inline Policy to an IAM User**:
           * Use the `put-user-policy` command to attach the inline policy to a specific IAM user.
           * Command:
             ```sh theme={null}
             aws iam put-user-policy --user-name <username> --policy-name <policy-name> --policy-document file://policy.json
             ```

        3. **Attach the Inline Policy to an IAM Group**:
           * Use the `put-group-policy` command to attach the inline policy to a specific IAM group.
           * Command:
             ```sh theme={null}
             aws iam put-group-policy --group-name <groupname> --policy-name <policy-name> --policy-document file://policy.json
             ```

        4. **Attach the Inline Policy to an IAM Role**:
           * Use the `put-role-policy` command to attach the inline policy to a specific IAM role.
           * Command:
             ```sh theme={null}
             aws iam put-role-policy --role-name <rolename> --policy-name <policy-name> --policy-document file://policy.json
             ```

        By following these steps, you can ensure that the necessary KMS actions are allowed while explicitly denying the blocked KMS actions in inline policies using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To prevent blocked KMS actions in inline policies in IAM using Python scripts, you can use the AWS SDK for Python (Boto3). Here are the steps to achieve this:

        ### Step 1: Install Boto3

        Ensure you have Boto3 installed in your Python environment. You can install it using pip if you haven't already:

        ```bash theme={null}
        pip install boto3
        ```

        ### Step 2: Initialize Boto3 Client

        Initialize the Boto3 client for IAM:

        ```python theme={null}
        import boto3

        iam_client = boto3.client('iam')
        ```

        ### Step 3: Define the Inline Policy

        Create a JSON structure for the inline policy that blocks specific KMS actions. For example, you can block the `kms:Decrypt` action:

        ```python theme={null}
        inline_policy = {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Deny",
                    "Action": [
                        "kms:Decrypt"
                    ],
                    "Resource": "*"
                }
            ]
        }
        ```

        ### Step 4: Attach the Inline Policy to an IAM User or Role

        Attach the inline policy to a specific IAM user or role. Here’s an example of attaching it to a user:

        ```python theme={null}
        user_name = 'your-iam-user-name'
        policy_name = 'BlockKMSActionsPolicy'

        response = iam_client.put_user_policy(
            UserName=user_name,
            PolicyName=policy_name,
            PolicyDocument=json.dumps(inline_policy)
        )

        print(f"Policy {policy_name} attached to user {user_name}")
        ```

        ### Full Script Example

        Here is the complete script combining all the steps:

        ```python theme={null}
        import boto3
        import json

        # Initialize Boto3 client
        iam_client = boto3.client('iam')

        # Define the inline policy
        inline_policy = {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Deny",
                    "Action": [
                        "kms:Decrypt"
                    ],
                    "Resource": "*"
                }
            ]
        }

        # Attach the inline policy to an IAM user
        user_name = 'your-iam-user-name'
        policy_name = 'BlockKMSActionsPolicy'

        response = iam_client.put_user_policy(
            UserName=user_name,
            PolicyName=policy_name,
            PolicyDocument=json.dumps(inline_policy)
        )

        print(f"Policy {policy_name} attached to user {user_name}")
        ```

        ### Summary

        1. **Install Boto3**: Ensure Boto3 is installed in your Python environment.
        2. **Initialize Boto3 Client**: Set up the IAM client using Boto3.
        3. **Define the Inline Policy**: Create a JSON structure for the inline policy to block specific KMS actions.
        4. **Attach the Inline Policy**: Use the `put_user_policy` method to attach the policy to an IAM user.

        By following these steps, you can prevent blocked KMS actions in inline policies using Python scripts.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Cause">
    ### Check Cause

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

        2. In the navigation pane, choose "Policies". This will open a list of all the IAM policies that are currently configured in your AWS environment.

        3. Select the policy you want to check for blocked KMS actions. This will open the policy details page.

        4. In the policy details page, check the policy document for any "Deny" statements that are applied to KMS actions. If there are any "Deny" statements applied to KMS actions, then the policy is blocking those actions.
      </Accordion>

      <Accordion title="Using CLI">
        1. First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to execute IAM related commands.

        2. Once the AWS CLI is set up, you can list all the IAM policies using the following command:
           ```
           aws iam list-policies --scope Local
           ```
           This command will return a list of all the IAM policies that are created within your AWS account.

        3. For each policy, you can get the policy details including the policy document by using the following command:
           ```
           aws iam get-policy-version --policy-arn <Policy_ARN> --version-id <Policy_Version_ID>
           ```
           Replace `<Policy_ARN>` with the ARN of the policy and `<Policy_Version_ID>` with the version ID of the policy. This command will return the policy document which includes the permissions set by the policy.

        4. Now, you need to check the policy document for any blocked KMS actions. You can do this by looking for "kms:Deny" statements in the policy document. If you find any such statements, it means that some KMS actions are blocked in the inline policy. You can use a JSON parser or a script to automate this process. For example, in Python, you can use the `json` module to parse the policy document and check for blocked KMS actions.
      </Accordion>

      <Accordion title="Using Python">
        1. Install and configure AWS SDK for Python (Boto3):
           You need to install and configure Boto3 to interact with AWS services. You can install it using pip:
           ```
           pip install boto3
           ```
           Then, configure your AWS credentials either by setting the following environment variables:
           ```
           AWS_ACCESS_KEY_ID = 'your_access_key'
           AWS_SECRET_ACCESS_KEY = 'your_secret_key'
           ```
           Or, you can create the credential file yourself at \~/.aws/credentials. At a minimum, it should look like this:
           ```
           [default]
           aws_access_key_id = YOUR_ACCESS_KEY
           aws_secret_access_key = YOUR_SECRET_KEY
           ```

        2. Use Boto3 to list all IAM policies:
           You can use the `list_policies` method to retrieve all IAM policies. Here is a sample script:
           ```python theme={null}
           import boto3

           # Create IAM client
           iam = boto3.client('iam')

           # List policies
           response = iam.list_policies(Scope='All')
           for policy in response['Policies']:
               print(policy['PolicyName'])
           ```

        3. Get the policy details:
           For each policy, you can use the `get_policy` method to retrieve the policy details, including the policy document. Here is a sample script:
           ```python theme={null}
           import boto3

           # Create IAM client
           iam = boto3.client('iam')

           # Get policy
           response = iam.get_policy(PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess')
           policy_document = response['Policy']['PolicyDocument']
           print(policy_document)
           ```

        4. Check for blocked KMS actions:
           You can parse the policy document to check if it contains any blocked KMS actions. Here is a sample script:
           ```python theme={null}
           import boto3
           import json

           # Create IAM client
           iam = boto3.client('iam')

           # Get policy
           response = iam.get_policy(PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess')
           policy_document = response['Policy']['PolicyDocument']

           # Parse policy document
           policy_document = json.loads(policy_document)

           # Check for blocked KMS actions
           for statement in policy_document['Statement']:
               if 'kms:Decrypt' in statement['Action'] and statement['Effect'] == 'Deny':
                   print('Blocked KMS action found: kms:Decrypt')
           ```
           This script checks if the 'kms:Decrypt' action is blocked. You can modify it to check for other KMS actions.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the issue of blocked KMS actions in inline policies in AWS IAM using the AWS Management Console, follow these step-by-step instructions:

        1. **Login to AWS Management Console:**
           * Open your web browser and go to the AWS Management Console ([https://aws.amazon.com/](https://aws.amazon.com/)).
           * Enter your credentials to login to the AWS Management Console.

        2. **Navigate to IAM Service:**
           * Once you are logged in, navigate to the IAM service by typing "IAM" in the search bar at the top of the AWS Management Console and selecting IAM from the search results.

        3. **Locate the User or Role with Inline Policies:**
           * In the IAM dashboard, click on "Users" or "Roles" from the left-hand side menu, depending on whether the inline policy is attached to a user or a role.
           * Search for the user or role that has the inline policy with blocked KMS actions.

        4. **Edit Inline Policy:**
           * Click on the user or role name to view its details.
           * Scroll down to the "Permissions" tab and locate the inline policy that contains the blocked KMS actions.
           * Click on the policy name to edit it.

        5. **Update the Policy to Allow KMS Actions:**
           * Within the inline policy editor, locate the section that specifies the blocked KMS actions.
           * Update the policy to allow the necessary KMS actions by adding the required permissions. You can refer to the AWS KMS documentation ([https://docs.aws.amazon.com/kms/](https://docs.aws.amazon.com/kms/)) for the list of KMS actions and their corresponding permissions.

        6. **Review and Save the Policy:**
           * After updating the inline policy to allow the required KMS actions, review the changes to ensure that the policy is correctly configured.
           * Click on the "Save" button to save the changes to the inline policy.

        7. **Verify the Changes:**
           * Once the inline policy is updated and saved, verify that the blocked KMS actions are now allowed for the user or role.
           * You can test the permissions by attempting to perform the KMS actions that were previously blocked.

        8. **Monitor for Compliance:**
           * Regularly monitor the IAM policies to ensure that there are no misconfigurations or blocked actions, and address any issues promptly.

        By following these steps, you can remediate the issue of blocked KMS actions in inline policies in AWS IAM using the AWS Management Console.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the issue of blocked KMS actions in inline policies in AWS IAM using AWS CLI, you can follow these steps:

        1. Identify the inline policy attached to the IAM user, group, or role that contains the blocked KMS actions. You can use the following AWS CLI command to list the inline policies attached to a specific IAM entity (replace `IAM_ENTITY_NAME` with the actual name of the IAM user, group, or role):

        ```
        aws iam list-user-policies --user-name IAM_ENTITY_NAME
        aws iam list-group-policies --group-name IAM_ENTITY_NAME
        aws iam list-role-policies --role-name IAM_ENTITY_NAME
        ```

        2. Once you have identified the inline policy that contains the blocked KMS actions, you need to update the policy to allow those actions. You can use the following AWS CLI command to update the inline policy (replace `IAM_ENTITY_NAME` and `POLICY_NAME` with the actual names):

        ```
        aws iam put-user-policy --user-name IAM_ENTITY_NAME --policy-name POLICY_NAME --policy-document file://policy.json
        aws iam put-group-policy --group-name IAM_ENTITY_NAME --policy-name POLICY_NAME --policy-document file://policy.json
        aws iam put-role-policy --role-name IAM_ENTITY_NAME --policy-name POLICY_NAME --policy-document file://policy.json
        ```

        3. In the `policy.json` file, make sure to include the necessary permissions for the KMS actions that were previously blocked. Here is an example of a policy document that allows the `kms:Encrypt` action for a specific KMS key:

        ```json theme={null}
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "kms:Encrypt",
                    "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/KMS_KEY_ID"
                }
            ]
        }
        ```

        4. Save the updated policy document in a file (e.g., `policy.json`) and run the AWS CLI command to update the inline policy with the corrected permissions.

        5. Verify that the inline policy has been updated successfully by listing the policies again and checking the permissions.

        By following these steps, you can remediate the issue of blocked KMS actions in inline policies in AWS IAM using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the issue of blocked KMS actions in inline policies in AWS IAM using Python, you can follow these steps:

        1. Identify the inline policies attached to IAM users, groups, or roles that contain KMS actions that are blocked.

        2. Use the AWS SDK for Python (Boto3) to update the inline policies and allow the necessary KMS actions.

        3. Here is a sample Python script that you can use to remediate this issue:

        ```python theme={null}
        import boto3

        # Create an IAM client
        iam_client = boto3.client('iam')

        # List all IAM users, groups, and roles
        entities = ['users', 'groups', 'roles']

        for entity in entities:
            response = iam_client.list_{}_with_inline_policies()
            
            for entity_info in response['{}_with_inline_policies'.format(entity)]:
                # Get the inline policies attached to the entity
                policies = entity_info['inline_policies']
                
                for policy_name, policy_details in policies.items():
                    # Check if the policy contains blocked KMS actions
                    if 'kms' in policy_details['PolicyDocument']:
                        # Update the policy to allow necessary KMS actions
                        updated_policy = {
                            'Version': '2012-10-17',
                            'Statement': [{
                                'Effect': 'Allow',
                                'Action': [
                                    'kms:Encrypt',
                                    'kms:Decrypt',
                                    'kms:ReEncrypt*',
                                    'kms:GenerateDataKey*',
                                    'kms:DescribeKey'
                                ],
                                'Resource': '*'
                            }]
                        }
                        
                        # Update the inline policy
                        iam_client.put_user_policy(
                            UserName=entity_info['UserName'],
                            PolicyName=policy_name,
                            PolicyDocument=json.dumps(updated_policy)
                        )

        print('KMS actions in inline policies have been remediated.')
        ```

        4. Make sure to customize the script according to your specific requirements and IAM setup.

        5. Run the script in your AWS environment to update the inline policies and allow the necessary KMS actions.

        By following these steps and executing the Python script, you can remediate the issue of blocked KMS actions in inline policies in AWS IAM.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>
