This rule ensures IAM policies do not allow blocked actions on KMS keys.
| Rule | Ensure managed IAM policies should not allow blocked actions on KMS keys |
| --- | --- |
| Framework | Federal Financial Institutions Examination Council (FFIEC) |
| Severity | Medium |
Rule Description:
The rule checks that managed IAM policies do not grant the blocked actions on AWS Key Management Service (KMS) keys, as required under the Federal Financial Institutions Examination Council (FFIEC) framework. Restricting these actions helps prevent unauthorized access to KMS keys, and to the data they protect, and reduces the risk of a security breach.
Troubleshooting Steps:
Necessary Code:
The code provided here is a sample IAM policy statement that could be used to deny unauthorized actions on KMS keys for FFIEC:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyBlockedActions",
      "Effect": "Deny",
      "Action": [
        "kms:CreateKey",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "arn:aws:kms:region:account-id:key/key-id",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::account-id:role/FFIECRole"
        }
      }
    }
  ]
}
```
This policy denies the listed actions (kms:CreateKey, kms:ScheduleKeyDeletion, kms:CancelKeyDeletion) on the specified KMS key key-id for all users or roles that do not possess the specified FFIECRole.

Step by Step Guide for Remediation:
1. Replace region with the appropriate AWS region, account-id with the AWS account ID, and key-id with the specific KMS key ID.
2. Update aws:PrincipalArn in the Condition to match the FFIEC role ARN, or the ARN of whichever role should be allowed to perform these actions on the KMS keys.

By following this guide and executing the necessary steps, you will ensure that managed IAM policies do not allow blocked actions on KMS keys under the Federal Financial Institutions Examination Council (FFIEC) framework. This helps maintain the integrity and security of the sensitive data and resources the framework covers.