This rule ensures proper restriction of KMS key decryption in IAM customer managed policy.
Rule | KMS key decryption should be restricted in IAM customer managed policy
Framework | HIPAA
Severity | Medium
KMS Key Decryption Restriction in IAM Customer Managed Policy for HIPAA
Description
In order to maintain compliance with the Health Insurance Portability and Accountability Act (HIPAA), the ability to decrypt with AWS Key Management Service (KMS) keys must be restricted. By scoping the kms:Decrypt permission in the IAM (Identity and Access Management) customer managed policy to the specific key and to the principals that need it, you ensure that only authorized entities can decrypt sensitive data protected by those keys. Keep in mind that an IAM policy is only one half of KMS authorization: the key policy must also grant the principal access, and an explicit Deny in either takes precedence over any Allow.
Troubleshooting Steps
If users or roles are unable to decrypt with a KMS key when they should have the necessary permissions, follow these troubleshooting steps:
1. Verify that the user or role has the kms:Decrypt permission in an IAM policy that is attached to it. Ensure that the policy is correctly attached and that its Resource names the correct KMS key ARN (the right key, account and region).
2. Verify that the user or role is not caught by an explicit Deny statement such as the restriction policy below: a principal whose ARN is not listed under the StringNotLike aws:PrincipalArn condition is denied regardless of any Allow.
3. Check the key policy of the KMS key. The calling principal (or its account, where the key policy delegates permissions to IAM) must appear in the Principal section of a key policy statement with the necessary decryption permissions.
Necessary Codes
If you need to update an IAM customer managed policy to restrict KMS key decryption for HIPAA compliance, refer to the code snippets below:
Example 1: Restricting KMS key decryption for a specific role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictKMSDecryption",
      "Effect": "Deny",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::123456789012:role/allowed-role-1",
            "arn:aws:iam::123456789012:role/allowed-role-2"
          ]
        }
      }
    }
  ]
}
In this example, the IAM policy denies the kms:Decrypt action on the specified KMS key (arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id) for all entities except the allowed roles (allowed-role-1 and allowed-role-2). Because aws:PrincipalArn resolves to the role ARN for an assumed-role session, every session of an allowed role matches. Note that a Deny statement grants nothing by itself: the allowed roles still need an Allow for kms:Decrypt (in this or another policy), and the Deny only binds the principals this customer managed policy is attached to.
Example 2: Restricting KMS key decryption for a specific user
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictKMSDecryption",
      "Effect": "Deny",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:user/allowed-user"
        }
      }
    }
  ]
}
In this example, the IAM policy denies the kms:Decrypt action on the specified KMS key (arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id) for all entities except the allowed user (allowed-user). A single ARN can be given as a plain string, as here, or as a one-element list.
Remediation Steps
To remediate the issue and implement the KMS key decryption restriction policy for HIPAA compliance, follow these step-by-step guides:
1. Identify the IAM customer managed policies that grant the kms:Decrypt action, in particular statements that allow kms:Decrypt or kms:* on "Resource": "*".
2. Scope the Allow to the specific KMS key ARN(s) the principal needs, and add a Deny statement for kms:Decrypt on that key with a StringNotLike condition on aws:PrincipalArn listing the ARN(s) of the allowed IAM roles or users.
3. Attach the updated policy to the affected users or roles and confirm that principals not listed in the condition can no longer decrypt with the key.
Remember that a Deny in a customer managed policy only restricts the principals the policy is attached to. To restrict every principal in the account, apply the equivalent condition in the KMS key policy, or use a service control policy across the organization.
By following these steps, you can restrict KMS key decryption in line with HIPAA requirements, ensuring that only authorized entities can access sensitive data.