Avoid IAM Policies Granting Unrestricted KMS Access

Framework Reference: A.8.2 (Information Access Restrictions) Integration: AWS โ€“ IAM / KMS

Why this matters

AWS Key Management Service (KMS) manages encryption keys used to secure data across AWS services. IAM policies that permit full KMS access (e.g., kms:*) can:

Allow decryption of sensitive data

Enable unauthorized key deletion or modification

Undermine data confidentiality and audit integrity

To protect key materials and encrypted resources, access should be limited to specific actions and scoped to necessary use cases.


What this check does

This Auto Check reviews IAM policies in your AWS account and identifies:

Policies that include wildcard permissions like kms:*

Permissions for sensitive KMS operations such as kms:Decrypt, kms:ScheduleKeyDeletion, or kms:DisableKey without proper conditions

Policies attached to users, roles, or groups with broad, unrestricted access

The check fails if any such over-permissive policies are detected.


How to fix it

Refactor IAM policies to align with least privilege and minimize KMS exposure.

From the AWS Console

Open the IAM Console.

Navigate to Policies and search for any with kms:* permissions.

Identify entities the policy is attached to (users, roles, groups).

Detach the policy from all attached entities.

Delete the policy if it is not essential.

Create scoped policies that include only necessary actions, such as:

kms:Encrypt

kms:GenerateDataKey

kms:DescribeKey

Avoid sensitive actions unless explicitly needed (e.g., kms:DeleteAlias, kms:DisableKey)

Using AWS CLI

# List policy attachments aws iam list-entities-for-policy --policy-arn <policy_arn> # Detach from user aws iam detach-user-policy --user-name <user_name> --policy-arn <policy_arn> # Detach from group aws iam detach-group-policy --group-name <group_name> --policy-arn <policy_arn> # Detach from role aws iam detach-role-policy --role-name <role_name> --policy-arn <policy_arn>


Exceptions

For operational roles that require broader KMS permissions:

Use resource-level restrictions (e.g., Resource: specific key ARN)

Apply conditional access based on request context (e.g., IP range, MFA status)

Consider separating encryption roles from key management roles


Further Resources

IAM Best Practices

KMS Permissions Reference

Managed vs Inline Policies

AWS CLI IAM Documentation

Was this article helpful?