Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(iam): add new check iam_policy_no_kms_decryption_actions #5619

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

feat(iam): add new check iam_policy_no_kms_decryption_actions #5619

wants to merge 4 commits into from
+431 −10

Conversation

HugoPBrito
Copy link
Member

Context

AWS Key Management Service (KMS) helps manage encryption keys to secure data across AWS. To protect sensitive data, IAM customer managed policies should avoid granting broad decryption permissions on all KMS keys, adhering to the principle of least privilege. This principle emphasizes granting users, roles, or groups only the specific permissions necessary to perform their tasks, minimizing the risk of unauthorized data access.

Description

This check assesses IAM customer managed policies to ensure they don’t allow kms:Decrypt or kms:ReEncryptFrom permissions across all KMS keys. If a policy is configured to allow these actions on all resources (indicated by a wildcard or similar pattern in the Resource element), the check fails. Broad permissions could expose encrypted data unnecessarily and elevate the risk of data misuse.

Checklist

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@HugoPBrito HugoPBrito requested review from a team as code owners November 4, 2024 10:56
@github-actions github-actions bot added the provider/aws Issues/PRs related with the AWS provider label Nov 4, 2024
@codecov Codecov
Copy link

codecov bot commented Nov 4, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.78%. Comparing base (17dd9de) to head (2681acf).
Report is 3 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #5619   +/-   ##
=======================================
  Coverage   89.77%   89.78%           
=======================================
  Files        1104     1105    +1     
  Lines       34262    34285   +23     
=======================================
+ Hits        30760    30783   +23     
  Misses       3502     3502

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
provider/aws Issues/PRs related with the AWS provider
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@HugoPBrito