Avoid Full KMS Access in Inline IAM Policies
Why this matters
Inline IAM policies that allow kms:* permissions can grant users the ability to perform any operation on KMS keys, including:
Decrypting sensitive data
Deleting or disabling encryption keys
Changing key policies to escalate privileges
Because KMS controls encryption and decryption of critical resources, over-permissioned policies increase the risk of data exposure or loss. Adhering to least privilege ensures only necessary actions are permitted.
What this check does
This Auto Check inspects inline IAM policies and flags those that:
Include kms:* in the "Action" element
Apply broadly with "Resource": "*"
Use "Effect": "Allow" for all KMS operations
The check fails if such full-access permissions are found in inline policies attached to users, groups, or roles.
How to fix it
Review and revise inline IAM policies to eliminate blanket permissions for AWS KMS.
From the AWS Console
Open the IAM Console.
Navigate to Policies and search for any with kms:* actions.
Identify all identities (users, groups, roles) where these policies are attached.
Detach the policy from all associated entities.
If not needed, delete the policy.
Replace with a custom policy that permits only specific KMS actions (e.g., kms:Encrypt, kms:Decrypt) scoped to specific resources.
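The following is an added example, not the Auto Check's own implementation: a small evaluator that applies the three conditions above (kms:* in Action, "*" in Resource, Effect Allow) to policy documents and reports which inline policies fail. It runs against two constructed sample documents, one that grants blanket KMS access and one scoped replacement of the kind the fix recommends; the key ARN in the scoped policy is a placeholder, not a real account or key. It goes slightly beyond the page's literal condition by also treating a bare "*" action as full KMS access and by matching action names case-insensitively, since IAM evaluates both that way.

```python
import json

# Constructed sample documents (not taken from the page): one offending inline
# policy and one scoped replacement. The key ARN is a placeholder value.
FULL_KMS_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}
    ],
}

SCOPED_KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["kms:Encrypt", "kms:Decrypt"],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_all_kms_actions(actions):
    """True if any action string covers every KMS operation.

    "kms:*" is the literal the check looks for; a bare "*" (all services) or
    "KMS:*" grants the same thing, so they are treated identically because
    IAM action names are case-insensitive.
    """
    for action in actions:
        normalized = action.strip().lower()
        if normalized in ("*", "kms:*"):
            return True
    return False


def find_full_kms_statements(policy_document):
    """Return the statements that allow all KMS actions on all resources.

    Accepts a dict or a JSON string, and handles a single statement object
    as well as a list of statements.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _grants_all_kms_actions(_as_list(stmt.get("Action"))):
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        findings.append(stmt)
    return findings


def check_inline_policies(inline_policies):
    """Evaluate {policy_name: document} for one user, group, or role.

    Returns the names of the inline policies that fail the check.
    """
    return [name for name, doc in inline_policies.items() if find_full_kms_statements(doc)]


if __name__ == "__main__":
    failing = check_inline_policies({
        "AllowAllKms": FULL_KMS_INLINE_POLICY,
        "ScopedKms": SCOPED_KMS_POLICY,
    })
    print("Failing inline policies:", failing)
```

Feeding it the documents returned for an identity's inline policies (for example, the output of get-user-policy for each policy name) reproduces the check offline; only the first sample fails, because the scoped policy names two specific actions and a single key ARN.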
Using AWS CLI
# The commands below detach a managed policy by ARN. A policy embedded inline
# in a user, group, or role has no ARN and is removed with
# delete-user-policy, delete-group-policy, or delete-role-policy instead.
# List all entities attached to the policy
aws iam list-entities-for-policy --policy-arn <policy_arn>
# Detach from user
aws iam detach-user-policy --user-name <user_name> --policy-arn <policy_arn>
# Detach from group
aws iam detach-group-policy --group-name <group_name> --policy-arn <policy_arn>
# Detach from role
aws iam detach-role-policy --role-name <role_name> --policy-arn <policy_arn>
Exceptions
For environments requiring automated key management or cross-account encryption operations:
Ensure KMS access is scoped tightly to specific key ARNs
Avoid granting broad "kms:*" access, even for administrative tasks
Audit usage regularly and rotate keys as per policy