Help Center/ Config/ User Guide/ Resource Compliance/ Built-In Policies/ Identity and Access Management/ IAM Policies Do Not Allow Blocked Actions on KMS Keys
Updated on 2024-12-10 GMT+08:00

IAM Policies Do Not Allow Blocked Actions on KMS Keys

Rule Details

Table 1 Rule details

Parameter

Description

Rule Name

iam-customer-policy-blocked-kms-actions

Identifier

iam-customer-policy-blocked-kms-actions

Description

If an IAM policy allows any blocked actions on KMS keys, this policy is noncompliant.

Tag

obs, access-analyzer-verified

Trigger Type

Configuration change

Filter Type

iam.roles, iam.policies

Configure Rule Parameters

blockedActionsPatterns: indicates blocked actions for KMS. The value must be an array.

Applicable Scenario

This rule allows you to apply the principles of least privilege and separation of duties to access control. With this rule, you can detect IAM policies that allow blocked actions on KMS keys to prevent unintended data encryption and decryption.

Solution

You can modify noncompliant IAM policies based on the evaluation results. For more details, see Modifying or Deleting a Custom Policy.

Rule Logic

  • If an IAM policy or role does not allow the specified blocked actions on KMS keys, this policy or role is compliant.
  • If an IAM policy or role allows the specified blocked actions on KMS keys, this policy or role is noncompliant.