
Rule: KMS Key Decryption Should be Restricted in IAM Inline Policy

This rule ensures that KMS key decryption is limited within IAM inline policy for improved security measures.

Rule: KMS key decryption should be restricted in IAM inline policy
Framework: HIPAA
Severity: Medium

Rule Description

The rule mandates restricting KMS key decryption permissions in the IAM inline policy to ensure compliance with HIPAA regulations. This limitation enhances data security and helps safeguard sensitive information stored in AWS Key Management Service (KMS).

Troubleshooting Steps

If you encounter issues regarding KMS key decryption or permission restrictions, follow the troubleshooting steps below:

  1. Verify IAM Policy: Check the IAM inline policy associated with the relevant user or role. Ensure that the policy specifically grants permission only for necessary KMS keys and restricts decryption access for other keys.

  2. Verify KMS Key Permissions: Confirm the permissions assigned to the KMS keys. Ensure that only authorized users or roles have the required permissions for key decryption.

  3. Check IAM User/Role Association: Verify the association between the user or role and the IAM inline policy. Make sure that the correct policy is attached to the respective user or role.

Necessary Codes

If you need to modify or create an IAM inline policy for restricting KMS key decryption, use the following code:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "*"
        }
    ]
}

The code snippet above denies the "kms:Decrypt" action on every KMS key for the principal it is attached to. Because an explicit Deny overrides any Allow granted elsewhere, that principal will be unable to decrypt with any key; if it still needs to decrypt with specific keys, scope the "Resource" of its Allow statements to those key ARNs instead of "*".
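As an added example (not part of the original page or the Cloud Defense product), the following Python checker evaluates an IAM inline policy document for this rule: it reports the policy as unrestricted when an Allow covers kms:Decrypt (directly, via kms:* or via NotAction) on every key and no unconditional Deny covers the same scope. The sample policies are constructed, and the key ARN in them is a placeholder.

```python
import fnmatch

# Probe ARN with placeholder parts: a Resource pattern that matches it must
# wildcard region, account and key id, i.e. it covers every KMS key.
ANY_KEY_PROBE = "arn:aws:kms:region-placeholder:000000000000:key/key-id-placeholder"


def _as_list(value):
    # IAM accepts a string or a list for Action, NotAction and Resource.
    return value if isinstance(value, list) else [value]


def _covers(patterns, target):
    # IAM matching is case-insensitive and supports '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(target.lower(), p.lower()) for p in _as_list(patterns))


def _touches_decrypt(stmt):
    if "Action" in stmt:
        return _covers(stmt["Action"], "kms:Decrypt")
    if "NotAction" in stmt:
        return not _covers(stmt["NotAction"], "kms:Decrypt")
    return False


def _all_keys(stmt):
    # Resource '*' or a fully wildcarded key ARN; NotResource is treated as broad.
    return "NotResource" in stmt or _covers(stmt.get("Resource", []), ANY_KEY_PROBE)


def decrypt_is_restricted(policy):
    """True unless the policy allows kms:Decrypt on every key with no
    unconditional Deny covering the same scope. Condition blocks on Allow
    statements are ignored, so a conditional Allow on '*' still counts as
    unrestricted (conservative for a compliance check)."""
    broad_allow = broad_deny = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not (_touches_decrypt(stmt) and _all_keys(stmt)):
            continue
        if stmt.get("Effect") == "Allow":
            broad_allow = True
        elif stmt.get("Effect") == "Deny" and "Condition" not in stmt:
            broad_deny = True
    return broad_deny or not broad_allow


# Constructed sample policies (placeholder account id and key id).
PAGE_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["kms:Decrypt"], "Resource": "*"}]}
BROAD_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}
SCOPED_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt"],
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}]}
```

Feed it the document returned by `aws iam get-user-policy` or `get-role-policy` to check real inline policies; the page's own Deny snippet evaluates as restricted, the scoped Allow as restricted, and the broad kms:* Allow as unrestricted.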

Remediation Guide

To enforce the restriction on KMS key decryption permissions through IAM inline policy, follow the step-by-step guide below:

  1. Open the AWS Management Console and navigate to the IAM service.

  2. Locate the relevant user or role for which you want to restrict KMS key decryption permissions.

  3. Select the user or role and click on the "Add inline policy" button under the "Permissions" tab.

  4. Choose the "JSON" tab in the policy editor and paste the necessary code mentioned above into the editor.

  5. Click on the "Review policy" button to proceed.

  6. Provide a suitable name for the policy and optionally add a description to identify its purpose.

  7. Review the policy details and click on the "Create policy" button to finalize the creation of the IAM inline policy.

  8. Verify that the policy is properly attached to the desired user or role.

By following these steps, the IAM inline policy will effectively restrict KMS key decryption permissions, ensuring compliance with HIPAA regulations.
