Control: AWS > HIPAA > IAM > KMS key decryption should be restricted in IAM customer managed policy

Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if the kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.

Resource Types

This control targets the following resource types:

AWS > IAM > Policy

In Your Workspace

Developers

Control Type URI

tmod:@turbot/aws-hipaa#/control/types/kmsKeyDecryptionRestrictedInIamCustomerManagedPolicy

Category URI

tmod:@turbot/turbot#/control/categories/complianceHipaa

GraphQL

query controlType(id: "tmod:@turbot/aws-hipaa#/control/types/kmsKeyDecryptionRestrictedInIamCustomerManagedPolicy") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-hipaa#/control/types/kmsKeyDecryptionRestrictedInIamCustomerManagedPolicy'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-hipaa#/control/types/kmsKeyDecryptionRestrictedInIamCustomerManagedPolicy"