Ensure KMS key policy does not contain wildcard (*) principal

Error: KMS key policy contains wildcard (*) principal

Bridgecrew Policy ID: BC_AWS_IAM_63
Checkov Check ID: CKV_AWS_33
Severity: HIGH

KMS key policy contains wildcard (*) principal

Description

A wildcard principal ("Principal": "*" or the equivalent "Principal": {"AWS": "*"}) matches every AWS principal, including callers from other accounts and anonymous callers. In an Allow statement that has no restricting Condition, it lets anyone who can reach the KMS API use the statement's permissions (for example kms:Decrypt or kms:*) on the key, regardless of the IAM policies in your account.

Replace wildcard principals in each Allow statement with explicit principals: IAM user or role ARNs, or the account root ARN (arn:aws:iam::<account-id>:root), which delegates authorization for that statement to the IAM policies of your own account. A wildcard that is narrowed by conditions such as kms:CallerAccount or kms:ViaService is less exposed than an unconditioned one, but explicit principals are the safer choice and are what this check expects. When tightening the policy, keep at least one administrative principal (typically the account root); a key policy that grants nobody administrative access leaves the key unmanageable.

Fix - Buildtime

CloudFormation

  • Resource: AWS::KMS::Key
  • Argument: Properties.KeyPolicy.Statement.Principal

Type: AWS::KMS::Key
Properties:
  ...
  KeyPolicy:
    Statement:
      - ...
        Principal:
-         "*"
-         AWS: "*"
+         AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
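As an added example (not code from the original page and not Checkov's own implementation), the following Python applies the rule above to a KMS key policy document: it flags every Allow statement whose Principal is "*" or {"AWS": "*"}, ignores Deny statements, and records whether a Condition narrows the wildcard so a reviewer can weigh it. The three sample policies and the account ID 111122223333 are constructed for illustration.

```python
import json

# Constructed sample key policies (not from the original page). ACCOUNT_ID is
# an assumed placeholder, not a real account.
ACCOUNT_ID = "111122223333"

# Fails the check: any AWS principal may call any kms:* action on the key.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAnyone", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "kms:*", "Resource": "*"},
        # A Deny statement with "*" restricts access and must not be flagged.
        {"Sid": "DenyOutsideOrg", "Effect": "Deny", "Principal": "*",
         "Action": "kms:*", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": "o-example"}}},
    ],
}

# Passes: access is delegated to the account's IAM policies via the root ARN.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "kms:*", "Resource": "*"}
    ],
}

# Borderline: wildcard principal narrowed by conditions. Still reported, but
# marked "conditioned" so the reviewer sees it is not an open grant.
CONDITIONED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ViaS3Only", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
         "Condition": {"StringEquals": {
             "kms:CallerAccount": ACCOUNT_ID,
             "kms:ViaService": "s3.us-east-1.amazonaws.com"}}}
    ],
}


def _principal_values(principal):
    """Flatten a Principal element ("*", {"AWS": "..."}, {"AWS": [...]},
    {"Service": ...}) into the list of principal strings it names."""
    if isinstance(principal, str):
        return [principal]
    values = []
    if isinstance(principal, dict):
        for value in principal.values():
            if isinstance(value, str):
                values.append(value)
            elif isinstance(value, list):
                values.extend(v for v in value if isinstance(v, str))
    return values


def wildcard_principal_findings(policy):
    """Return one finding per Allow statement whose Principal includes "*".

    `policy` may be a dict or the JSON string CloudFormation accepts for
    KeyPolicy. "Principal": "*" and "Principal": {"AWS": "*"} are equivalent
    in a resource policy, so both count as wildcards.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue
        if "*" not in _principal_values(statement.get("Principal")):
            continue
        findings.append({
            "statement": statement.get("Sid", f"Statement[{index}]"),
            "conditioned": "Condition" in statement,
        })
    return findings


def key_policy_passes(policy):
    """True when no Allow statement uses a wildcard principal."""
    return not wildcard_principal_findings(policy)


if __name__ == "__main__":
    for name, policy in [("wildcard", WILDCARD_POLICY), ("fixed", FIXED_POLICY),
                         ("conditioned", CONDITIONED_POLICY)]:
        status = "PASS" if key_policy_passes(policy) else "FAIL"
        print(name, status, wildcard_principal_findings(policy))
```

Running the block prints FAIL for the wildcard and conditioned policies and PASS for the fixed one; the conditioned finding carries "conditioned": True so a reviewer can distinguish an open grant from one scoped by kms:CallerAccount and kms:ViaService.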