
Ensure Inline Policies Attached Rule for IAM Users

This rule ensures that inline policies for IAM users do not allow blocked actions on KMS keys.

Rule: Ensure inline policies attached to IAM users, roles, and groups should not allow blocked actions on KMS keys
Framework: CISA-cyber-essentials
Severity: Medium

Rule Description:

This rule ensures that inline policies attached to IAM users, roles, and groups do not allow blocked actions on KMS (Key Management Service) keys, as required for CISA Cyber Essentials compliance. KMS keys encrypt and decrypt sensitive data within an AWS environment, so a principal that can perform blocked actions on them can undermine the protection of that data; preventing such unauthorized access or misuse is the purpose of this rule.

Troubleshooting Steps:

If any violations are found related to this rule, follow the troubleshooting steps listed below:

  1. Identify the IAM user, role, or group attached to the inline policy that is violating this rule.
  2. Review the specific actions being allowed or denied in the policy.
  3. Cross-check the allowed or denied actions against the list of blocked actions on KMS keys for CISA Cyber Essentials compliance.
  4. Determine the impact of the allowed or denied actions on the security and compliance of KMS key usage.

Necessary Code:

If you find any inline policies violating this rule, you need to modify the policy to remove the blocked actions on KMS keys. Here's a sample code snippet to show how the policy should be adjusted:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt"
        ],
        "Resource": [
            "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        ]
    }
}

In the above example, the policy allows only the "kms:Encrypt" and "kms:Decrypt" actions on a single KMS key, identified by its ARN, rather than a wildcard such as "kms:*" that would also cover the blocked actions. Make sure to adjust the "Resource" section to the ARN of your specific KMS key.
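As an added example that is not part of the Cloud Defense page, the following Python performs the cross-check from the troubleshooting steps above against policy documents shaped like the one just shown: it reports each Allow statement in an inline policy that grants a blocked KMS action, expanding wildcard action patterns. The blocked-action list and the sample policies are assumed placeholders; in practice the documents would come from the IAM GetUserPolicy, GetRolePolicy and GetGroupPolicy API responses.

```python
"""Flag inline-policy statements that allow blocked KMS actions.

Added example, not Cloud Defense code. BLOCKED_KMS_ACTIONS is an assumed
placeholder (the page does not list the rule's blocked actions); the policy
documents are constructed samples standing in for GetUserPolicy /
GetRolePolicy / GetGroupPolicy responses.
"""
import fnmatch

# Assumed placeholder list of blocked actions (not taken from the page).
BLOCKED_KMS_ACTIONS = {
    "kms:ScheduleKeyDeletion", "kms:DisableKey",
    "kms:PutKeyPolicy", "kms:CreateGrant",
}

def _as_list(value):
    """IAM accepts a string or a list for Statement/Action; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def find_blocked_allows(policy_document, blocked=BLOCKED_KMS_ACTIONS):
    """Return [(Sid, sorted blocked actions granted)] per offending Allow statement.

    Action patterns such as "kms:*" or "kms:Disable*" are expanded by matching
    them against the blocked list; IAM action names are case-insensitive, so
    both sides are lower-cased. Deny statements, Resource and Condition are not
    evaluated, so the result is a conservative superset meant for review.
    """
    findings = []
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant anything
        granted = {action for pattern in _as_list(stmt.get("Action"))
                   for action in blocked
                   if fnmatch.fnmatchcase(action.lower(), pattern.lower())}
        if granted:
            findings.append((stmt.get("Sid", "<no Sid>"), sorted(granted)))
    return findings

# Constructed samples: one compliant (the page's remediated shape), two violating.
COMPLIANT = {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
             "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}}
WILDCARD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}
EXPLICIT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow", "Action": "kms:DescribeKey", "Resource": "*"},
    {"Sid": "Admin", "Effect": "Allow", "Action": ["kms:disablekey", "kms:PutKeyPolicy"],
     "Resource": "*"},
    {"Sid": "DenyIt", "Effect": "Deny", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"}]}
```

Running find_blocked_allows over each sample returns nothing for the compliant policy, every blocked action for the "kms:*" statement, and only the two explicitly granted blocked actions for the third policy, so a reviewer sees exactly which statement to edit in step 7 of the remediation guide.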

Step-by-step Guide for Remediation:

Follow the step-by-step guide below to remediate any violations related to this rule:

  1. Identify the IAM user, role, or group with the inline policy allowing blocked actions on KMS keys.
  2. Open the AWS Management Console and navigate to the IAM service.
  3. Locate the user, role, or group and click on it to view its details.
  4. In the "Permissions" tab, click on the policy that needs to be modified.
  5. Review the policy document and identify the blocked actions on KMS keys.
  6. Click on the "Edit policy" button to modify the policy.
  7. Remove any blocked actions related to KMS keys from the policy document.
  8. Click "Review policy" to ensure the modifications are correct.
  9. Finally, click "Save changes" to update the modified policy.

After following these steps, the inline policy attached to the IAM user, role, or group will no longer allow blocked actions on KMS keys, ensuring compliance with CISA Cyber Essentials. Repeat this process for any additional violations found related to this rule.

Note: It's important to thoroughly review the policy changes and consider the impact on your specific use case before implementing them.
