> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# KMS Key Policies Should Be Designed To Limit Number Of KMS Admins

### More Info:

KMS key policies should be designed to limit the number of users who can perform encrypt and decrypt operations. Each application should use its own key to avoid over exposure.

### Risk Level

Low

### Address

Security

### Compliance Standards

CBP

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the misconfiguration of KMS Key Policies should be designed to limit the number of KMS Admins in AWS, follow the below steps using AWS Console:

        1. Open the AWS KMS Console.
        2. From the left navigation pane, choose "Customer managed keys".
        3. Select the KMS key for which you want to remediate the misconfiguration.
        4. In the Key policy section, choose "Edit".
        5. Update the key policy to include only the required number of IAM users or roles who need administrative access to the KMS key.
        6. Remove any unnecessary IAM users or roles from the key policy.
        7. Choose "Review policy".
        8. Review the policy changes and ensure that the policy is designed to limit the number of KMS admins.
        9. Choose "Save changes" to save the updated key policy.
        10. Verify that only the required IAM users or roles have administrative access to the KMS key.

        By following these steps, you can remediate the misconfiguration of KMS Key Policies should be designed to limit the number of KMS Admins in AWS.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate this issue for AWS, you can follow these steps using AWS CLI:

        1. Identify the KMS key ID that needs to be remediated.

        2. Create a new IAM policy that grants the required permissions for KMS key management.

        3. Attach the new IAM policy to an IAM user or role that needs to manage the KMS key.

        4. Remove the KMS key administrator permissions from the existing IAM users or roles.

        Here are the detailed steps:

        Step 1: Identify the KMS key ID that needs to be remediated

        Use the following command to list all the KMS keys in your AWS account:

        ```
        aws kms list-keys
        ```

        Identify the KMS key ID that needs to be remediated.

        Step 2: Create a new IAM policy that grants the required permissions for KMS key management

        Create a new IAM policy that grants the required permissions for KMS key management. Here's an example of a policy that allows a user to manage a specific KMS key:

        ```
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "AllowKeyManagement",
                    "Effect": "Allow",
                    "Action": [
                        "kms:Create*",
                        "kms:Describe*",
                        "kms:Enable*",
                        "kms:List*",
                        "kms:Put*",
                        "kms:Update*",
                        "kms:Revoke*",
                        "kms:Disable*",
                        "kms:Get*",
                        "kms:Delete*",
                        "kms:ScheduleKeyDeletion",
                        "kms:CancelKeyDeletion"
                    ],
                    "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
                }
            ]
        }
        ```

        Replace the KMS key ARN with the ARN of the KMS key that needs to be managed.

        Step 3: Attach the new IAM policy to an IAM user or role that needs to manage the KMS key

        Use the following command to attach the new IAM policy to an IAM user or role:

        ```
        aws iam attach-user-policy --user-name <user-name> --policy-arn <policy-arn>
        ```

        Replace `<user-name>` with the name of the IAM user or role that needs to manage the KMS key, and `<policy-arn>` with the ARN of the new IAM policy.

        Step 4: Remove the KMS key administrator permissions from the existing IAM users or roles

        Use the following command to remove the KMS key administrator permissions from the existing IAM users or roles:

        ```
        aws kms revoke-grant --key-id <key-id> --grant-id <grant-id>
        ```

        Replace `<key-id>` with the ID of the KMS key, and `<grant-id>` with the ID of the grant that needs to be revoked.

        Repeat this command for each grant that needs to be revoked.

        By following these steps, you can remediate the misconfiguration of KMS key policies that should be designed to limit the number of KMS admins for AWS.
      </Accordion>

      <Accordion title="Using Python">
        To remediate this misconfiguration in AWS using Python, you can follow these steps:

        1. First, you need to identify the KMS keys that have overly permissive key policies. You can use the `boto3` library in Python to list all the KMS keys and their key policies.

        ```python theme={null}
        import boto3

        # Create a KMS client
        kms = boto3.client('kms')

        # List all the KMS keys
        response = kms.list_keys()

        # Loop through each key and print its key policy
        for key in response['Keys']:
            key_id = key['KeyId']
            key_policy = kms.get_key_policy(KeyId=key_id, PolicyName='default')['Policy']
            print(f"Key ID: {key_id} \nKey Policy: {key_policy}")
        ```

        2. Once you have identified the KMS keys with overly permissive key policies, you need to update their policies to limit the number of KMS admins. You can use the `put_key_policy` method to update the key policy.

        ```python theme={null}
        import json

        # Define the new key policy
        new_policy = {
            "Version": "2012-10-17",
            "Id": "key-policy-1",
            "Statement": [
                {
                    "Sid": "Enable IAM User Permissions",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": [
                            "arn:aws:iam::123456789012:user/Admin1",
                            "arn:aws:iam::123456789012:user/Admin2"
                        ]
                    },
                    "Action": [
                        "kms:*"
                    ],
                    "Resource": "*"
                },
                {
                    "Sid": "Allow use of the key",
                    "Effect": "Allow",
                    "Principal": "*",
                    "Action": [
                        "kms:Encrypt",
                        "kms:Decrypt",
                        "kms:ReEncrypt*",
                        "kms:GenerateDataKey*",
                        "kms:DescribeKey"
                    ],
                    "Resource": "*"
                }
            ]
        }

        # Update the key policy for a specific KMS key
        response = kms.put_key_policy(
            KeyId='1234abcd-12ab-34cd-56ef-1234567890ab',
            PolicyName='default',
            Policy=json.dumps(new_policy)
        )
        ```

        In the above code, you need to replace the `KeyId` with the ID of the KMS key that you want to update, and replace the `AWS` ARNs with the ARNs of the IAM users who should have KMS admin permissions.

        3. Repeat step 2 for all the KMS keys with overly permissive key policies.

        By following these steps, you can remediate the misconfiguration of KMS key policies being designed to limit the number of KMS admins in AWS using Python.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)
