
Rule: Ensure managed IAM policies should not allow blocked actions on KMS keys

This rule checks that managed IAM policies do not grant a defined set of blocked actions on AWS KMS keys, so that no principal can destroy, disable or reassign the keys that protect regulated records.

Rule: Ensure managed IAM policies should not allow blocked actions on KMS keys
Framework: GxP 21 CFR Part 11
Severity: Medium

Rule Description:

This rule ensures that managed IAM policies do not allow blocked actions on Key Management Service (KMS) keys, in support of GxP 21 CFR Part 11. GxP (Good Practice) guidelines are the quality standards followed in regulated industries such as pharmaceutical, biotechnology and medical device manufacturing; 21 CFR Part 11 is the FDA regulation that sets the requirements for electronic records and electronic signatures in those industries, including controls that keep records intact and limit system access to authorized individuals.

AWS KMS holds the keys that encrypt that regulated data. A principal who can delete or disable a key, grant others access to it, or rewrite its key policy can make electronic records unreadable or change who may reach them, which is exactly what Part 11 forbids. A blocked action is a KMS operation your organization has decided no managed policy should grant; this rule flags any managed policy whose Allow statements cover one of them, whether the action is named explicitly or hidden behind a wildcard.

Troubleshooting Steps:

If a managed IAM policy is found to allow blocked actions on KMS keys, work through the following steps:

  1. Identify the affected IAM policy: Start from the rule finding and record the name and ARN of the customer-managed policy that was flagged. (AWS-managed policies cannot be edited; if one of those grants the actions, the fix is to detach it and attach a narrower customer-managed policy instead.)
  2. Verify the policy permissions: Review every Allow statement in the policy's default version. Blocked actions are the KMS operations that destroy a key or change who may use it, for example key deletion (kms:ScheduleKeyDeletion), granting access to a key (kms:CreateGrant) and rewriting the key policy (kms:PutKeyPolicy). Wildcard patterns such as kms:* or *, and Allow statements that use NotAction, grant these actions without naming them.
  3. Validate the GxP 21 CFR Part 11 requirements: Confirm that the permissions the policy keeps are consistent with Part 11's controls on record integrity and on limiting system access to authorized individuals; a role that only encrypts and decrypts application data has no need for key-administration actions.
  4. Update the IAM policy: Remove the blocked actions from the policy document, replacing any wildcard that covered them with the explicit actions the workload needs, and publish the revised document as a new default version.
  5. Test the revised policy: Confirm that the new default version no longer allows any blocked action (the IAM policy simulator or a re-run of this rule will show that) and that the workloads attached to the policy still have the actions they legitimately use.
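The check in steps 1 and 2 can be scripted rather than read off by eye. The following Python is an added example, not Cloud Defense's or AWS's own tooling: it evaluates policy documents against a blocked-action list the way IAM does (case-insensitive wildcard matching, Allow with Action or NotAction, explicit unconditional Deny overriding Allow). The blocked list and the three sample policy documents are constructed for illustration; the live fetch at the end assumes boto3 and read-only IAM credentials and is the only part that touches the network.

```python
"""Audit IAM managed-policy documents for blocked KMS actions.

Added example, not Cloud Defense or AWS code. The blocked-action list and
the sample policy documents are constructed; fetch_customer_managed_policies()
assumes boto3 and iam:ListPolicies / iam:GetPolicyVersion credentials.
"""
import fnmatch
import json

# Assumed blocked list: the rule text names key deletion, granting access and
# key-policy changes; these are the KMS API actions behind those operations.
BLOCKED_KMS_ACTIONS = [
    "kms:ScheduleKeyDeletion",
    "kms:DeleteImportedKeyMaterial",
    "kms:DisableKey",
    "kms:CreateGrant",
    "kms:PutKeyPolicy",
]


def _as_list(value):
    """Statement, Action, NotAction and Resource may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covered(patterns, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def blocked_actions_allowed(doc, blocked=BLOCKED_KMS_ACTIONS):
    """Return the blocked actions this document effectively grants, sorted.

    An Allow grants an action when it is covered by Action, or when it is
    absent from NotAction. An explicit Deny without a Condition overrides
    any Allow in the same document and is subtracted; a conditional Deny is
    not treated as protection because it only applies when the condition
    holds. Resource scoping is ignored: granting kms:PutKeyPolicy on any key
    is already a finding for this rule.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(doc.get("Statement")):
        if "Action" in stmt:
            hits = {b for b in blocked if _covered(_as_list(stmt["Action"]), b)}
        elif "NotAction" in stmt:
            hits = {b for b in blocked if not _covered(_as_list(stmt["NotAction"]), b)}
        else:
            continue
        if stmt.get("Effect") == "Allow":
            allowed |= hits
        elif stmt.get("Effect") == "Deny" and "Condition" not in stmt:
            denied |= hits
    return sorted(allowed - denied)


def audit(policies, blocked=BLOCKED_KMS_ACTIONS):
    """Map policy name -> offending actions, only for policies that have any."""
    findings = {}
    for name, doc in policies.items():
        hits = blocked_actions_allowed(doc, blocked)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample documents standing in for an account's managed policies.
SAMPLE_POLICIES = {
    "AppDataCrypto": {  # compliant: data-plane actions only
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
                       "Resource": "arn:aws:kms:us-east-1:111122223333:key/*"}],
    },
    "KeyAdminWildcard": {  # kms:* silently covers every blocked action
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}],
    },
    "AllButRead": {  # NotAction grants all but read-only; one Deny pulls one back
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "NotAction": ["kms:Describe*", "kms:List*"], "Resource": "*"},
            {"Effect": "Deny", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"},
        ],
    },
}


def fetch_customer_managed_policies():
    """Live variant: default-version documents of every customer-managed policy.
    Scope="Local" excludes AWS-managed policies, which cannot be edited anyway."""
    import boto3  # imported here so the offline sample run needs no SDK
    iam = boto3.client("iam")
    docs = {}
    for page in iam.get_paginator("list_policies").paginate(Scope="Local"):
        for pol in page["Policies"]:
            version = iam.get_policy_version(PolicyArn=pol["Arn"],
                                             VersionId=pol["DefaultVersionId"])
            docs[pol["PolicyName"]] = version["PolicyVersion"]["Document"]
    return docs


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICIES), indent=2))
```

Run offline it reports KeyAdminWildcard (all five actions, through kms:*) and AllButRead (four actions; the Deny removes only kms:ScheduleKeyDeletion), and nothing for AppDataCrypto. To audit a real account, pass fetch_customer_managed_policies() to audit() instead of SAMPLE_POLICIES. The evaluator deliberately looks at one policy document in isolation, which is what this rule does; a Deny living in a different attached policy or in an SCP is not credited.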

Code:

Customer-managed policies are versioned, and the AWS CLI has no update-policy command. To change one from the CLI, publish the revised document as a new version and make that version the default:

aws iam create-policy-version --policy-arn arn-of-the-policy --policy-document file://updated-policy.json --set-as-default

Replace arn-of-the-policy with the ARN (Amazon Resource Name) of the policy to be updated; updated-policy.json is the revised policy document with the blocked actions on KMS keys removed. A managed policy can hold at most five versions, so if the command fails with a LimitExceeded error, delete an old non-default version first and retry:

aws iam delete-policy-version --policy-arn arn-of-the-policy --version-id v1

The previous default version stays stored, which gives you something to roll back to (aws iam set-default-policy-version) if the new document turns out to be narrower than a workload needs.

Remediation Steps:

Follow these step-by-step instructions to remediate the issue of managed IAM policies allowing blocked actions on KMS keys for GxP 21 CFR Part 11:

  1. Identify the affected IAM policy: Determine which customer-managed policy the rule flagged and record its ARN.

  2. Understand the GxP 21 CFR Part 11 requirements: Part 11 does not mention KMS; what it requires is that electronic records stay intact and that system access is limited to authorized individuals. The blocked-action list is how those requirements are applied to the keys that encrypt the records, so know which KMS actions your organization has placed on it.

  3. Review the existing IAM policy: Examine the default version of the policy and list every Allow statement that grants a blocked action, including grants hidden behind wildcards (kms:*, *) or behind NotAction.

  4. Update the IAM policy document: Remove the blocked actions, replacing any wildcard that covered them with the explicit actions the workload needs, and check that the result still satisfies the Part 11 controls without dropping permissions that legitimate operations depend on.

  5. Apply the changes using the AWS Management Console: Open the IAM console, choose Policies, open the affected policy and select Edit.

    • Modify the policy document by removing the blocked actions on KMS keys.
    • Save the change; the console stores the edited document as a new version of the policy and makes it the default.

    or

    Apply the changes using the AWS CLI:

    • Install and configure the AWS CLI on your local machine if it is not already set up.
    • Publish the revised document as the policy's new default version (there is no update-policy command):
    aws iam create-policy-version --policy-arn arn-of-the-policy --policy-document file://updated-policy.json --set-as-default

    Replace arn-of-the-policy with the ARN of the policy to be updated and updated-policy.json with the path to the updated policy document JSON file. If the policy already holds five versions the call fails; delete an old non-default version with aws iam delete-policy-version and retry.

  6. Test the updated IAM policy: Confirm, with the IAM policy simulator or by re-running this rule, that the new default version no longer allows blocked actions on KMS keys, and confirm with the owning teams that the operations they depend on still work.

  7. Monitor for compliance: Keep the rule enabled and review managed policies whenever they change, since a later edit can reintroduce a wildcard; audit and update the policies periodically to stay compliant with GxP 21 CFR Part 11.

By following these steps, you can remediate the issue of managed IAM policies allowing blocked actions on KMS keys for GxP 21 CFR Part 11, ensuring compliance and data security within your organization.
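Steps 4 and 5 above, scripted: the following Python is an added example, not Cloud Defense's or AWS's code. It rewrites a policy document so that no Allow statement grants a blocked action, appends an explicit Deny as a backstop, and publishes the result as the new default version while respecting the five-version limit. BLOCKED and KMS_ACTIONS are assumed lists (the action catalogue is a deliberately short subset), SAMPLE_DOC is constructed, and publish_default_version() assumes boto3 with iam:ListPolicyVersions, iam:CreatePolicyVersion and iam:DeletePolicyVersion; everything else runs offline.

```python
"""Rewrite a managed-policy document to drop blocked KMS actions and publish it.

Added example, not Cloud Defense or AWS code. BLOCKED and KMS_ACTIONS are
assumed, SAMPLE_DOC is constructed, and publish_default_version() assumes
boto3 plus IAM write credentials (it is never called offline).
"""
import copy
import fnmatch
import json

BLOCKED = ["kms:ScheduleKeyDeletion", "kms:PutKeyPolicy", "kms:CreateGrant"]

# Explicit actions that a wildcard such as kms:* is expanded into before the
# blocked ones are dropped. Assumed subset for illustration: in a real run this
# must be the full KMS action list, or legitimate actions are silently lost.
KMS_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:ListKeys", "kms:ListAliases",
    "kms:CreateGrant", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def remediate(doc, blocked=BLOCKED, catalogue=KMS_ACTIONS):
    """Return a copy of doc in which no Allow statement grants a blocked action.

    Allow/Action: a pattern covering a blocked action is replaced by the
    catalogue actions it matched, minus the blocked ones; a statement left
    with nothing is dropped, because IAM rejects an empty Action list.
    Allow/NotAction: the blocked actions are added to the exclusion list.
    An explicit Deny is appended last; explicit Deny overrides any Allow, so
    it also covers patterns the catalogue failed to expand.
    """
    new_doc = copy.deepcopy(doc)
    kept = []
    for stmt in _as_list(new_doc["Statement"]):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            actions = []
            for pattern in _as_list(stmt["Action"]):
                if any(_matches(pattern, b) for b in blocked):
                    actions.extend(a for a in catalogue
                                   if _matches(pattern, a) and a not in blocked)
                else:
                    actions.append(pattern)
            actions = list(dict.fromkeys(actions))  # dedupe, keep order
            if not actions:
                continue
            stmt["Action"] = actions
        elif stmt.get("Effect") == "Allow" and "NotAction" in stmt:
            excluded = _as_list(stmt["NotAction"])
            stmt["NotAction"] = excluded + [b for b in blocked if b not in excluded]
        kept.append(stmt)
    kept.append({"Sid": "DenyBlockedKmsActions", "Effect": "Deny",
                 "Action": list(blocked), "Resource": "*"})
    new_doc["Statement"] = kept
    return new_doc


def grants_blocked_directly(doc, blocked=BLOCKED):
    """Self-check after remediation: True if any Allow/Action pattern still
    covers a blocked action, i.e. the rewrite missed something."""
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            if any(_matches(p, b) for p in _as_list(stmt["Action"]) for b in blocked):
                return True
    return False


def publish_default_version(policy_arn, doc):
    """Publish doc as the policy's new default version (live; assumes boto3).

    A managed policy holds at most five versions, so the oldest non-default
    one is deleted first when the limit is reached. The previous default
    stays stored and can be restored with set_default_policy_version.
    """
    import boto3
    iam = boto3.client("iam")
    versions = iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]
    if len(versions) >= 5:
        oldest = min((v for v in versions if not v["IsDefaultVersion"]),
                     key=lambda v: v["CreateDate"])
        iam.delete_policy_version(PolicyArn=policy_arn, VersionId=oldest["VersionId"])
    resp = iam.create_policy_version(PolicyArn=policy_arn,
                                     PolicyDocument=json.dumps(doc), SetAsDefault=True)
    return resp["PolicyVersion"]["VersionId"]


# Constructed: grants every KMS action outright, then everything but read-only.
SAMPLE_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KeyAdmin", "Effect": "Allow",
         "Action": ["kms:*", "s3:GetObject"], "Resource": "*"},
        {"Sid": "EverythingElse", "Effect": "Allow",
         "NotAction": "kms:Describe*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    fixed = remediate(SAMPLE_DOC)
    assert not grants_blocked_directly(fixed)
    print(json.dumps(fixed, indent=2))  # save as updated-policy.json, or pass to publish_default_version()
```

The appended Deny is the part worth keeping even if you hand-edit instead: it is what guarantees the outcome when the wildcard expansion was built from an incomplete catalogue, and it survives a later edit that reintroduces kms:* into an Allow. The catalogue caveat cuts the other way, which is why step 6 (testing with the policy's real workloads) is not optional: an action missing from KMS_ACTIONS is removed along with the blocked ones.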
