Blocked KMS Actions In Inline Policies Should Be Set
More Info:
This rule checks if the inline policies attached to your IAM roles do not allow blocked actions on all AWS Key Management Service (KMS) keys. The rule is NON_COMPLIANT if any blocked action is allowed on all AWS KMS keys in an inline policy.
Risk Level: Medium
Address: Security
Compliance Standards: CBP
Triage and Remediation
How to Prevent
To prevent blocked KMS actions in inline policies in IAM using the AWS Management Console, follow these steps:
- Navigate to IAM Policies:
  - Open the AWS Management Console.
  - In the navigation pane, choose “Policies” under the “Access management” section.
- Create or Edit a Policy:
  - To create a new policy, click on the “Create policy” button.
  - To edit an existing policy, find the policy you want to modify and click on its name, then click the “Edit policy” button.
- Specify KMS Actions:
  - In the policy editor, switch to the “JSON” tab.
  - Ensure that the policy explicitly specifies the allowed KMS actions. For example:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Resource": "*"
        }
      ]
    }
- Review and Save:
  - After specifying the allowed KMS actions, click on the “Review policy” button.
  - Provide a name and description for the policy if creating a new one.
  - Click on the “Create policy” or “Save changes” button to apply the policy.
By following these steps, you ensure that the inline policies in IAM explicitly allow the necessary KMS actions, preventing any misconfigurations related to blocked KMS actions.
To prevent blocked KMS actions in inline policies in IAM using AWS CLI, you can follow these steps:
- Create a JSON Policy Document:
  - First, create a JSON file that defines the inline policy with the necessary permissions and explicitly denies the blocked KMS actions.
  - Example JSON policy (policy.json):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": [
            "kms:DisableKey",
            "kms:ScheduleKeyDeletion"
          ],
          "Resource": "*"
        }
      ]
    }
- Attach the Inline Policy to an IAM User:
  - Use the put-user-policy command to attach the inline policy to a specific IAM user.
  - Command:
    aws iam put-user-policy --user-name <username> --policy-name <policy-name> --policy-document file://policy.json
- Attach the Inline Policy to an IAM Group:
  - Use the put-group-policy command to attach the inline policy to a specific IAM group.
  - Command:
    aws iam put-group-policy --group-name <groupname> --policy-name <policy-name> --policy-document file://policy.json
- Attach the Inline Policy to an IAM Role:
  - Use the put-role-policy command to attach the inline policy to a specific IAM role.
  - Command:
    aws iam put-role-policy --role-name <rolename> --policy-name <policy-name> --policy-document file://policy.json
By following these steps, you can ensure that the necessary KMS actions are allowed while explicitly denying the blocked KMS actions in inline policies using AWS CLI.
To prevent blocked KMS actions in inline policies in IAM using Python scripts, you can use the AWS SDK for Python (Boto3). Here are the steps to achieve this:
Step 1: Install Boto3
Ensure you have Boto3 installed in your Python environment. You can install it using pip if you haven’t already:
pip install boto3
Step 2: Initialize Boto3 Client
Initialize the Boto3 client for IAM:
import boto3
iam_client = boto3.client('iam')
Step 3: Define the Inline Policy
Create a JSON structure for the inline policy that blocks specific KMS actions. For example, you can block the kms:Decrypt action:
inline_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"kms:Decrypt"
],
"Resource": "*"
}
]
}
Step 4: Attach the Inline Policy to an IAM User or Role
Attach the inline policy to a specific IAM user or role. Here’s an example of attaching it to a user:
import json  # needed to serialise the policy document for put_user_policy

user_name = 'your-iam-user-name'
policy_name = 'BlockKMSActionsPolicy'
response = iam_client.put_user_policy(
    UserName=user_name,
    PolicyName=policy_name,
    PolicyDocument=json.dumps(inline_policy)
)
print(f"Policy {policy_name} attached to user {user_name}")
Full Script Example
Here is the complete script combining all the steps:
import boto3
import json
# Initialize Boto3 client
iam_client = boto3.client('iam')
# Define the inline policy
inline_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"kms:Decrypt"
],
"Resource": "*"
}
]
}
# Attach the inline policy to an IAM user
user_name = 'your-iam-user-name'
policy_name = 'BlockKMSActionsPolicy'
response = iam_client.put_user_policy(
UserName=user_name,
PolicyName=policy_name,
PolicyDocument=json.dumps(inline_policy)
)
print(f"Policy {policy_name} attached to user {user_name}")
Summary
- Install Boto3: Ensure Boto3 is installed in your Python environment.
- Initialize Boto3 Client: Set up the IAM client using Boto3.
- Define the Inline Policy: Create a JSON structure for the inline policy to block specific KMS actions.
- Attach the Inline Policy: Use the put_user_policy method to attach the policy to an IAM user.
By following these steps, you can prevent blocked KMS actions in inline policies using Python scripts.
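The rule described at the top of this page flags an inline policy as NON_COMPLIANT when an Allow statement grants a blocked KMS action on all keys. The following added example (it is not code from this page or from AWS) implements that evaluation offline, so a policy document can be checked before it is attached with put_user_policy, put_group_policy or put_role_policy. The blocked-action list is constructed for the example (the Config rule takes the blocked patterns as a parameter), and treating a key ARN ending in ":key/*" as "all keys" is an assumption that goes slightly beyond the page's literal Resource "*" case.

```python
import fnmatch
import json

# Constructed blocked-action list for this example; substitute the actions
# your organisation blocks (the Config rule takes them as a parameter).
BLOCKED_KMS_ACTIONS = ("kms:Decrypt", "kms:ReEncryptFrom", "kms:ScheduleKeyDeletion")


def _as_list(value):
    """Statement, Action and Resource may be a single value or a list in IAM JSON."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _covers_all_kms_keys(resources):
    """'*' covers every key; a key ARN wildcard such as arn:aws:kms:*:*:key/*
    is treated the same (assumption: the rule text says 'all AWS KMS keys')."""
    return any(r == "*" or (r.lower().startswith("arn:aws:kms:") and r.endswith(":key/*"))
               for r in resources)


def _matches(patterns, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def find_blocked_kms_allows(policy_document, blocked_actions=BLOCKED_KMS_ACTIONS):
    """Return the blocked KMS actions that an inline policy allows on all keys.

    An empty list means the document is compliant with the rule. Conditions are
    ignored, so a conditioned Allow is still flagged (the conservative choice).
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement never grants the action
        if not _covers_all_kms_keys(_as_list(stmt.get("Resource"))):
            continue  # scoped to particular keys, not 'all KMS keys'
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions
            allowed = [a for a in blocked_actions
                       if not _matches(_as_list(stmt["NotAction"]), a)]
        else:
            allowed = [a for a in blocked_actions
                       if _matches(_as_list(stmt.get("Action")), a)]
        for action in allowed:
            if action not in findings:
                findings.append(action)
    return findings
```

Running the page's console example through find_blocked_kms_allows returns ["kms:Decrypt"], because it allows that action on Resource "*", while the Deny-only policy from the Python section returns an empty list.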