
Rule: Ensure managed IAM policies should not allow blocked actions on KMS keys

This rule ensures IAM policies do not allow blocked actions on KMS keys.

Rule: Ensure managed IAM policies should not allow blocked actions on KMS keys
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: Medium

Rule Description:

This rule, mapped to the Federal Financial Institutions Examination Council (FFIEC) framework, ensures that managed IAM policies do not permit blocked actions on Key Management Service (KMS) keys. Keeping destructive or privileged KMS actions out of broadly attached managed policies helps prevent unauthorized access to, and potential compromise of, the keys that protect FFIEC-regulated data.

Troubleshooting Steps:

  1. Identify the IAM policy associated with the KMS keys.
  2. Review the policy for any blocked actions on KMS keys.
  3. Determine if any unauthorized or prohibited actions are present.
  4. Investigate the permissions granted in the policy and compare them against the FFIEC guidelines.
  5. Verify if any recent changes were made to the policy that may have introduced the blocked actions.
  6. Check for any other IAM policies that could override or conflict with the desired FFIEC policy.
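Steps 1 to 3 amount to a static review of each managed policy document for Allow statements that grant the blocked actions. The following is an added example, not part of this rule page or of the Cloud Defense scanner: it parses policy documents the way IAM does for Action, NotAction and Resource (single string or list, case-insensitive wildcards), and reports every blocked KMS action that an Allow statement grants. The blocked-action list is assumed to be the three actions named in the deny statement further down; the three sample policies are constructed for illustration.

```python
"""Static scan of managed IAM policy documents for Allow statements that
grant blocked KMS actions. Added example: the blocked-action list and the
sample policies are constructed, not taken from a real account."""
import fnmatch
import json

# Assumed blocked actions: the three named in the page's deny statement.
BLOCKED_KMS_ACTIONS = (
    "kms:CreateKey",
    "kms:ScheduleKeyDeletion",
    "kms:CancelKeyDeletion",
)


def _as_list(value):
    """IAM accepts a single string or a list for Action/NotAction/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_grants(statement, action):
    """True if an Allow statement grants `action`. Conditions are ignored on
    purpose: a conditional grant is still reported so a reviewer inspects it."""
    if statement.get("Effect") != "Allow":
        return False
    if "Action" in statement:
        return any(action_matches(p, action) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        # NotAction grants every action except those matching the patterns.
        return not any(action_matches(p, action) for p in _as_list(statement["NotAction"]))
    return False


def find_blocked_grants(policy_document, blocked=BLOCKED_KMS_ACTIONS):
    """Return (Sid, action, resources) for each blocked action granted by
    some Allow statement in the document. Empty list means compliant."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{idx}]")
        for action in blocked:
            if statement_grants(stmt, action):
                findings.append((sid, action, _as_list(stmt.get("Resource"))))
    return findings


# Constructed sample managed policies.
SAMPLE_POLICIES = {
    "KmsAdminWildcard": json.loads('''{
      "Version": "2012-10-17",
      "Statement": [{"Sid": "AllowAllKms", "Effect": "Allow",
                     "Action": "kms:*", "Resource": "*"}]}'''),
    "EverythingButIam": json.loads('''{
      "Version": "2012-10-17",
      "Statement": [{"Sid": "NotIam", "Effect": "Allow",
                     "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}]}'''),
    "ReadOnlyKms": json.loads('''{
      "Version": "2012-10-17",
      "Statement": [{"Sid": "DescribeOnly", "Effect": "Allow",
                     "Action": ["kms:DescribeKey", "kms:ListKeys"], "Resource": "*"}]}'''),
}


def scan_policies(policies=SAMPLE_POLICIES):
    """Map policy name -> findings list (empty means PASS)."""
    return {name: find_blocked_grants(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, findings in scan_policies().items():
        print(("FAIL" if findings else "PASS"), name)
        for sid, action, resources in findings:
            print(f"    {sid}: allows {action} on {resources}")
```

The NotAction case is the one most often missed in manual review: a policy that names no KMS action at all still grants every blocked action when it is written as "everything except IAM". In a real account the policy documents come from `aws iam get-policy-version --policy-arn ... --version-id ...` (the default version of each customer-managed policy) rather than from the embedded samples.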

Necessary Code:

The code provided here is a sample IAM policy statement that could be used to deny unauthorized actions on KMS keys for FFIEC:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyBlockedActions",
            "Effect": "Deny",
            "Action": [
                "kms:CreateKey",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "arn:aws:kms:region:account-id:key/key-id",
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": "arn:aws:iam::account-id:role/FFIECRole"
                }
            }
        }
    ]
}

This policy denies the listed actions (kms:CreateKey, kms:ScheduleKeyDeletion, kms:CancelKeyDeletion) on the specified KMS key key-id for all users or roles other than the specified FFIECRole.

Step by Step Guide for Remediation:

  1. Identify the KMS keys associated with the FFIEC.
  2. Review the existing IAM policies associated with these KMS keys.
  3. Determine if any blocked actions on KMS keys are present in the policies.
  4. Make sure you have the necessary permissions to modify IAM policies.
  5. Open the IAM Management Console or use the AWS Command Line Interface (CLI) to access the IAM policies.
  6. Locate the IAM policy that needs to be modified to comply with the FFIEC guidelines.
  7. Update the policy using the necessary code provided in this documentation.
  8. Replace region with the appropriate AWS region, account-id with the AWS account ID, and key-id with the specific KMS key ID.
  9. Modify the aws:PrincipalArn in the Condition to match the FFIEC role ARN or the desired role that should have allowed actions on the KMS keys.
  10. Save the updated IAM policy.
  11. Test the changes by attempting to perform blocked actions on the KMS keys using a user or role that should be denied access.
  12. Verify that the blocked actions are now denied for unauthorized users or roles.
  13. Repeat these steps for any additional IAM policies associated with the FFIEC's KMS keys.
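Steps 8, 9, 11 and 12 can be rehearsed offline before the policy is saved. The following is an added example, not part of this rule page: it fills the placeholders of the deny statement above from parameters and then runs a deliberately small model of IAM evaluation (an explicit Deny whose StringNotLike condition is checked against aws:PrincipalArn) to confirm that a non-FFIEC role is denied the blocked actions while the FFIEC role is not. The account ID, region and key ID are constructed placeholders, and the evaluator supports only the operators the statement uses; it is not a substitute for the AWS policy simulator or a real test with a denied role.

```python
"""Fill in the page's deny policy and check its effect with a minimal model
of IAM explicit-deny evaluation. Added example; account, region and key id
are constructed placeholders, and only StringLike/StringNotLike are modelled."""
import fnmatch

ACCOUNT_ID = "111122223333"                         # constructed placeholder
REGION = "us-east-1"                                # assumed region
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"     # constructed placeholder
FFIEC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/FFIECRole"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/{KEY_ID}"


def build_deny_policy(region=REGION, account_id=ACCOUNT_ID, key_id=KEY_ID,
                      allowed_principal_arn=FFIEC_ROLE_ARN):
    """Steps 8 and 9: the page's statement with its placeholders replaced."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyBlockedActions",
            "Effect": "Deny",
            "Action": ["kms:CreateKey", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
            "Resource": f"arn:aws:kms:{region}:{account_id}:key/{key_id}",
            "Condition": {"StringNotLike": {"aws:PrincipalArn": allowed_principal_arn}},
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob(pattern, value, fold=False):
    """'*' and '?' wildcards; actions compare case-insensitively, ARNs do not."""
    if fold:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def condition_holds(condition, context):
    """Evaluate a Condition block against request context keys."""
    for operator, pairs in condition.items():
        if operator not in ("StringLike", "StringNotLike"):
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, patterns in pairs.items():
            value = context.get(key, "")
            matched = any(_glob(p, value) for p in _as_list(patterns))
            if operator == "StringNotLike" and matched:
                return False
            if operator == "StringLike" and not matched:
                return False
    return True


def explicitly_denied(policy, principal_arn, action, resource_arn):
    """True if some Deny statement matches action, resource and condition."""
    context = {"aws:PrincipalArn": principal_arn}
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_glob(p, action, fold=True) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob(p, resource_arn) for p in _as_list(stmt.get("Resource", []))):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def verify_deny_policy(policy=None):
    """Steps 11 and 12 as a table: (principal, action) -> explicitly denied?"""
    policy = policy or build_deny_policy()
    other_role = f"arn:aws:iam::{ACCOUNT_ID}:role/Developer"   # constructed
    results = {}
    for principal in (FFIEC_ROLE_ARN, other_role):
        for action in ("kms:ScheduleKeyDeletion", "kms:DescribeKey"):
            results[(principal, action)] = explicitly_denied(policy, principal, action, KEY_ARN)
    return results


if __name__ == "__main__":
    for (principal, action), denied in verify_deny_policy().items():
        print(f"{principal.rsplit('/', 1)[-1]:<12} {action:<26} {'DENIED' if denied else 'not denied'}")
```

Two caveats worth keeping in mind when running the real test in step 11: an explicit Deny only blocks what it matches, so a principal with no Allow for KMS at all was already implicitly denied before the change, and the test principal should therefore be one that is otherwise allowed KMS access. Also, kms:CreateKey does not act on an existing key, so a Resource that names one key ARN does not match that action; if CreateKey must be denied, a separate statement with "Resource": "*" is needed for it.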

By following this guide and executing the necessary steps, you will ensure that managed IAM policies do not allow blocked actions on KMS keys for the Federal Financial Institutions Examination Council (FFIEC). This will help maintain the integrity and security of the FFIEC's sensitive data and resources.
