IAM Policies Do Not Allow Blocked Actions on KMS Keys
Rule Details
| Parameter | Description |
|---|---|
| Rule Name | iam-customer-policy-blocked-kms-actions |
| Identifier | iam-customer-policy-blocked-kms-actions |
| Description | If an IAM policy allows any blocked actions on KMS keys, this policy is noncompliant. |
| Tag | obs, access-analyzer-verified |
| Trigger Type | Configuration change |
| Filter Type | iam.roles, iam.policies |
| Configure Rule Parameters | blockedActionsPatterns: indicates the blocked actions for KMS. The value must be an array. |
Applicable Scenario
This rule helps you apply the principles of least privilege and separation of duties to access control. It detects IAM policies that allow the blocked actions on KMS keys, so that unintended data encryption and decryption can be prevented.
Solution
You can modify noncompliant IAM policies based on the evaluation results. For details, see Modifying or Deleting a Custom Policy.
Rule Logic
- If an IAM policy or role does not allow the specified blocked actions on KMS keys, this policy or role is compliant.
- If an IAM policy or role allows the specified blocked actions on KMS keys, this policy or role is noncompliant.
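The following is an added example of the evaluation described in the rule logic; it is not the Config service's own implementation. It assumes the policy document is JSON with `Statement` entries carrying `Effect` and `Action`, treats only Allow statements (Deny precedence is not modelled), and lets wildcards appear on either side so that a policy action such as `kms:*` is caught by any blocked pattern. The action names and the `blockedActionsPatterns` value are constructed for illustration.

```python
import fnmatch
import json

# Constructed value for the rule's blockedActionsPatterns parameter (an array).
BLOCKED_ACTIONS_PATTERNS = ["kms:*:decrypt*", "kms:*:scheduleKeyDeletion"]

def _as_list(value):
    """Policy documents allow a single string where a list is expected."""
    return value if isinstance(value, list) else [value]

def _overlaps(policy_action, blocked_pattern):
    """True if the policy action can grant something the blocked pattern names.
    Both sides may carry wildcards: a policy 'kms:*' covers every blocked
    pattern, and a blocked pattern 'kms:*:decrypt*' covers a concrete action."""
    a, b = policy_action.lower(), blocked_pattern.lower()
    return fnmatch.fnmatchcase(a, b) or fnmatch.fnmatchcase(b, a)

def blocked_actions_allowed(policy_json, blocked_patterns=BLOCKED_ACTIONS_PATTERNS):
    """Return (action, pattern) pairs from Allow statements that overlap a
    blocked pattern. An empty list means the policy is compliant."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    findings = []
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue  # only Allow statements can grant a blocked action
        for action in _as_list(statement.get("Action", [])):
            for pattern in blocked_patterns:
                if _overlaps(action, pattern):
                    findings.append((action, pattern))
    return findings

def is_compliant(policy_json, blocked_patterns=BLOCKED_ACTIONS_PATTERNS):
    return not blocked_actions_allowed(policy_json, blocked_patterns)

# Constructed sample policies; the action names are illustrative only.
NONCOMPLIANT_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["obs:object:get", "kms:*"]}],
})
COMPLIANT_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["kms:cmk:encrypt", "kms:cmk:list"]}],
})

if __name__ == "__main__":
    for name, doc in (("noncompliant", NONCOMPLIANT_POLICY), ("compliant", COMPLIANT_POLICY)):
        print(name, "->", "compliant" if is_compliant(doc) else blocked_actions_allowed(doc))
```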