
More Info:

This rule checks if the inline policies attached to your IAM roles do not allow blocked actions on all AWS Key Management Service (KMS) keys. The rule is NON_COMPLIANT if any blocked action is allowed on all AWS KMS keys in an inline policy.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation


How to Prevent

Using Console

To prevent blocked KMS actions in inline policies in IAM using the AWS Management Console, follow these steps:
  1. Navigate to IAM Policies:
    • Open the AWS Management Console.
    • In the navigation pane, choose “Policies” under the “Access management” section.
  2. Create or Edit a Policy:
    • To create a new policy, click on the “Create policy” button.
    • To edit an existing policy, find the policy you want to modify and click on its name, then click the “Edit policy” button.
  3. Specify KMS Actions:
    • In the policy editor, switch to the “JSON” tab.
    • Ensure that the policy explicitly specifies the allowed KMS actions. For example:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:GenerateDataKey"
            ],
            "Resource": "*"
          }
        ]
      }
      
  4. Review and Save:
    • After specifying the allowed KMS actions, click on the “Review policy” button.
    • Provide a name and description for the policy if creating a new one.
    • Click on the “Create policy” or “Save changes” button to apply the policy.
By following these steps, you ensure that the inline policies in IAM explicitly allow the necessary KMS actions, preventing any misconfigurations related to blocked KMS actions.
Using CLI

To prevent blocked KMS actions in inline policies in IAM using the AWS CLI, follow these steps:
  1. Create a JSON Policy Document:
    • First, create a JSON file that defines the inline policy with the necessary permissions and explicitly denies the blocked KMS actions.
    • Example JSON policy (policy.json):
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:GenerateDataKey"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Deny",
            "Action": [
              "kms:DisableKey",
              "kms:ScheduleKeyDeletion"
            ],
            "Resource": "*"
          }
        ]
      }
      
  2. Attach the Inline Policy to an IAM User:
    • Use the put-user-policy command to attach the inline policy to a specific IAM user.
    • Command:
      aws iam put-user-policy --user-name <username> --policy-name <policy-name> --policy-document file://policy.json
      
  3. Attach the Inline Policy to an IAM Group:
    • Use the put-group-policy command to attach the inline policy to a specific IAM group.
    • Command:
      aws iam put-group-policy --group-name <groupname> --policy-name <policy-name> --policy-document file://policy.json
      
  4. Attach the Inline Policy to an IAM Role:
    • Use the put-role-policy command to attach the inline policy to a specific IAM role.
    • Command:
      aws iam put-role-policy --role-name <rolename> --policy-name <policy-name> --policy-document file://policy.json
      
By following these steps, you can ensure that the necessary KMS actions are allowed while explicitly denying the blocked KMS actions in inline policies using AWS CLI.
Using Python

To prevent blocked KMS actions in inline policies in IAM using Python, use the AWS SDK for Python (Boto3). The steps are:

Step 1: Install Boto3

Ensure you have Boto3 installed in your Python environment. You can install it using pip if you haven’t already:
pip install boto3

Step 2: Initialize Boto3 Client

Initialize the Boto3 client for IAM:
import boto3

iam_client = boto3.client('iam')

Step 3: Define the Inline Policy

Create a JSON structure for the inline policy that blocks specific KMS actions. For example, you can block the kms:Decrypt action:
inline_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "*"
        }
    ]
}

Step 4: Attach the Inline Policy to an IAM User or Role

Attach the inline policy to a specific IAM user or role. Here’s an example of attaching it to a user:
import json

user_name = 'your-iam-user-name'
policy_name = 'BlockKMSActionsPolicy'

response = iam_client.put_user_policy(
    UserName=user_name,
    PolicyName=policy_name,
    PolicyDocument=json.dumps(inline_policy)  # the API expects the document as a JSON string
)

print(f"Policy {policy_name} attached to user {user_name}")

Full Script Example

Here is the complete script combining all the steps:
import boto3
import json

# Initialize Boto3 client
iam_client = boto3.client('iam')

# Define the inline policy
inline_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "*"
        }
    ]
}

# Attach the inline policy to an IAM user
user_name = 'your-iam-user-name'
policy_name = 'BlockKMSActionsPolicy'

response = iam_client.put_user_policy(
    UserName=user_name,
    PolicyName=policy_name,
    PolicyDocument=json.dumps(inline_policy)
)

print(f"Policy {policy_name} attached to user {user_name}")

Summary

  1. Install Boto3: Ensure Boto3 is installed in your Python environment.
  2. Initialize Boto3 Client: Set up the IAM client using Boto3.
  3. Define the Inline Policy: Create a JSON structure for the inline policy to block specific KMS actions.
  4. Attach the Inline Policy: Use the put_user_policy method to attach the policy to an IAM user.
By following these steps, you can prevent blocked KMS actions in inline policies using Python scripts.
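The rule described at the top of this page flags an inline policy when a blocked KMS action is allowed on all keys, and the Console, CLI and Python steps above show how to write policies that avoid that. The following Python script, added here as an example and not part of this page or of any AWS tool, implements that check offline so a policy document can be evaluated before it is attached with put-user-policy, put-group-policy or put-role-policy. It assumes a constructed blocked-action list (BLOCKED_ACTIONS; substitute the list your rule is configured with), uses the CLI policy from the steps above plus two constructed variants as sample input, and uses a placeholder key ARN. The audit_role_inline_policies helper is written against the real boto3 IAM calls list_role_policies and get_role_policy but accepts any object exposing those two methods, so it can be exercised without an AWS account.

```python
import fnmatch
import json

# Constructed for this example: the KMS actions the rule treats as blocked.
# Substitute the list your own rule is configured with.
BLOCKED_ACTIONS = ["kms:DisableKey", "kms:ScheduleKeyDeletion"]


def _as_list(value):
    """IAM accepts a string or a list in Action/NotAction/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_all_kms_keys(resource):
    """True if one Resource entry spans every KMS key: '*' or a key ARN with a wildcard key id."""
    res = resource.lower()
    if res == "*":
        return True
    parts = res.split(":", 5)  # arn:partition:service:region:account:resource
    return len(parts) == 6 and parts[2] == "kms" and parts[5] in ("*", "key/*")


def _statement_covers_action(statement, action):
    """Does the statement's Action (or NotAction) cover the action? IAM matching is case-insensitive."""
    act = action.lower()
    if "NotAction" in statement:
        return not any(fnmatch.fnmatchcase(act, p.lower()) for p in _as_list(statement["NotAction"]))
    return any(fnmatch.fnmatchcase(act, p.lower()) for p in _as_list(statement.get("Action")))


def find_blocked_allows(policy, blocked=BLOCKED_ACTIONS):
    """Return the blocked actions this policy document allows on all KMS keys.

    Only statements whose Resource spans every key (or that use NotResource) count.
    An unconditional Deny on all keys cancels a matching Allow; a Deny carrying a
    Condition is ignored because it may not apply, while a conditional Allow is
    still counted, so the check errs on the side of flagging.
    """
    allowed, denied = set(), set()
    for st in _as_list(policy.get("Statement")):
        resources = _as_list(st.get("Resource"))
        if "NotResource" not in st and not any(_covers_all_kms_keys(r) for r in resources):
            continue
        hits = {b for b in blocked if _statement_covers_action(st, b)}
        if st.get("Effect") == "Allow":
            allowed |= hits
        elif st.get("Effect") == "Deny" and "Condition" not in st:
            denied |= hits
    return sorted(allowed - denied)


def is_compliant(policy_document, blocked=BLOCKED_ACTIONS):
    """Accepts a dict or the JSON string that would be passed to put-role-policy."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    return not find_blocked_allows(policy_document, blocked)


def audit_role_inline_policies(iam_client, role_name, blocked=BLOCKED_ACTIONS):
    """Evaluate every inline policy on one role; returns {policy_name: [blocked actions]}.
    Works with a boto3 IAM client (get_role_policy returns PolicyDocument already decoded
    to a dict) or any object with the same two methods. Pagination (Marker) is omitted."""
    findings = {}
    for policy_name in iam_client.list_role_policies(RoleName=role_name)["PolicyNames"]:
        doc = iam_client.get_role_policy(RoleName=role_name, PolicyName=policy_name)["PolicyDocument"]
        hits = find_blocked_allows(doc, blocked)
        if hits:
            findings[policy_name] = hits
    return findings


# Constructed sample documents: the CLI policy from the steps above, a wildcard
# policy the rule would flag, and a single-key policy it would not.
CLI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["kms:DisableKey", "kms:ScheduleKeyDeletion"], "Resource": "*"},
    ],
}
WILDCARD_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}
SINGLE_KEY_POLICY = {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Allow", "Action": "kms:ScheduleKeyDeletion",
                                    # placeholder account id and key id, not a real key
                                    "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]}

if __name__ == "__main__":
    for name, doc in [("cli", CLI_POLICY), ("wildcard", WILDCARD_POLICY), ("single-key", SINGLE_KEY_POLICY)]:
        print(name, "COMPLIANT" if is_compliant(doc) else f"NON_COMPLIANT {find_blocked_allows(doc)}")
```

Note that the CLI policy passes only because its Deny statement is unconditional and covers all keys; the same Deny with a Condition attached would leave a kms:* Allow flagged, which is the failure mode the conservative handling above is designed to surface.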