Avoid Full KMS Access in Inline IAM Policies
Last updated: April 9, 2026
Framework Reference: A.8.2 (Information Access Restrictions)
Integration: AWS – IAM / KMS
Why this matters
Inline IAM policies that allow kms:* permissions can grant users the ability to perform any operation on KMS keys, including:
Decrypting sensitive data
Deleting or disabling encryption keys
Changing key policies to escalate privileges
Because KMS controls encryption and decryption of critical resources, over-permissioned policies increase the risk of data exposure or loss. Adhering to least privilege ensures only necessary actions are permitted.
What this check does
This Auto Check inspects inline IAM policies and flags those that:
Include kms:* in the "Action" element
Apply broadly with "Resource": "*"
Use "Effect": "Allow" for all KMS operations
The check fails if such full-access permissions are found in inline policies attached to users, groups, or roles.
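The detection logic described above, written out as an added example (not the Auto Check's own code): it evaluates an inline policy document the way the check does, flagging any statement with Effect Allow, an Action of kms:*, and a Resource of *. It goes slightly beyond the page by also treating a bare * action as full KMS access, and it normalises the string-or-list forms IAM permits. The two policy documents and the key ARN are constructed samples.

```python
import json

# Constructed sample inline policy documents (not from any real account).
FULL_KMS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}],
})
SCOPED_KMS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:Decrypt"],
        # Placeholder key ARN, not a real key.
        "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    }],
})


def _as_list(value):
    """IAM allows a single value or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def grants_full_kms_access(statement):
    """True when one statement is Allow + (kms:* or *) + Resource *."""
    if statement.get("Effect") != "Allow":
        return False
    # Action names are case-insensitive in IAM, so compare lower-cased.
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    resources = set(_as_list(statement.get("Resource")))
    return bool(actions & {"kms:*", "*"}) and "*" in resources


def find_full_kms_statements(policy_document):
    """Return the offending statements from a JSON string or parsed dict."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    return [s for s in _as_list(doc.get("Statement")) if grants_full_kms_access(s)]


def check_inline_policy(policy_name, policy_document):
    """Mirror the Auto Check: FAIL if any statement grants full KMS access."""
    offending = find_full_kms_statements(policy_document)
    return {"policy": policy_name,
            "status": "FAIL" if offending else "PASS",
            "statements": offending}


if __name__ == "__main__":
    for name, doc in [("full-kms", FULL_KMS_POLICY), ("scoped-kms", SCOPED_KMS_POLICY)]:
        print(check_inline_policy(name, doc))
```

In practice the PolicyDocument field returned by aws iam get-user-policy, get-group-policy or get-role-policy is what you would feed to check_inline_policy.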
How to fix it
Review and revise inline IAM policies to eliminate blanket permissions for AWS KMS.
From the AWS Console
Open the IAM Console.
Navigate to Policies and search for any with kms:* actions.
Identify all identities (users, groups, roles) where these policies are attached.
Detach the policy from all associated entities.
If not needed, delete the policy.
Replace with a custom policy that permits only specific KMS actions (e.g., kms:Encrypt, kms:Decrypt) scoped to specific resources.
Using AWS CLI
# List all entities attached to the policy
aws iam list-entities-for-policy --policy-arn <policy_arn>

# Detach from user
aws iam detach-user-policy --user-name <user_name> --policy-arn <policy_arn>

# Detach from group
aws iam detach-group-policy --group-name <group_name> --policy-arn <policy_arn>

# Detach from role
aws iam detach-role-policy --role-name <role_name> --policy-arn <policy_arn>

# Note: the commands above act on managed policies (identified by ARN). Inline policies
# have no ARN; list them per identity with list-user-policies / list-group-policies /
# list-role-policies and remove them with delete-user-policy / delete-group-policy /
# delete-role-policy.
Exceptions
For environments requiring automated key management or cross-account encryption operations:
Ensure KMS access is scoped tightly to specific key ARNs
Avoid granting broad "kms:*" access, even for administrative tasks
Audit usage regularly and rotate keys as per policy