Control: AWS > HIPAA > IAM > KMS key decryption should be restricted in IAM inline policy
Checks whether the inline policies embedded in your IAM identities (roles, users, or groups) allow the AWS KMS decryption actions on all KMS keys. The control uses Zelkova, an automated reasoning engine, to evaluate the policy's semantics and warn you about policies that may grant broad access to your secrets across AWS accounts. The control fails if an inline policy allows kms:Decrypt or kms:ReEncryptFrom on all KMS keys (for example, a Resource of "*" rather than specific key ARNs); the least-privilege fix is to scope these actions to the key ARNs the identity actually needs.
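The check above, reduced to a runnable approximation. This is an added example, not Turbot's control code and not the Zelkova engine: it is a syntactic pass over an IAM policy document (the PolicyDocument JSON that iam:GetRolePolicy, iam:GetUserPolicy, or iam:GetGroupPolicy return) that flags Allow statements granting kms:Decrypt or kms:ReEncryptFrom, directly or through a wildcard or NotAction, on a Resource that covers every key. The "covers every key" test uses a constructed probe ARN with implausible region, account, and key-id values; any Resource pattern that still matches it is treated as account-wide, and NotResource and Condition are handled conservatively (treated as broad), so the example errs toward failing. The two inline policies at the bottom are constructed samples, one that fails the control and its scoped remediation.

```python
"""Added example (not Turbot's or AWS's code): a syntactic approximation of the
'decryption on all KMS keys' check, run over constructed inline policy documents."""
import fnmatch
import json

# Actions the control cares about (from the control description).
DECRYPT_ACTIONS = ("kms:Decrypt", "kms:ReEncryptFrom")

# Constructed probe ARN with implausible region/account/key-id values. A Resource
# pattern that still matches it is treated as covering all KMS keys (heuristic).
_PROBE_KEY_ARN = "arn:aws:kms:zz-probe-0:000000000000:key/ffffffff-ffff-ffff-ffff-ffffffffffff"


def _listify(value):
    """IAM allows a string or a list in Action/Resource fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern, candidate):
    """IAM policy wildcards are '*' and '?'; action names match case-insensitively."""
    return fnmatch.fnmatchcase(candidate.lower(), pattern.lower())


def _statement_allows(stmt, action):
    """Does an Allow statement grant `action`, through Action or NotAction?"""
    if stmt.get("Effect") != "Allow":
        return False
    if "NotAction" in stmt:
        # NotAction allows everything except the listed patterns.
        return not any(_glob(p, action) for p in _listify(stmt["NotAction"]))
    return any(_glob(p, action) for p in _listify(stmt.get("Action")))


def _covers_all_keys(stmt):
    """Resource '*' or a wildcard key ARN that matches the probe covers all keys.
    NotResource is an exclusion, not a scope, so it is treated as all keys."""
    if "NotResource" in stmt:
        return True
    return any(_glob(p, _PROBE_KEY_ARN) for p in _listify(stmt.get("Resource")))


def find_broad_decrypt_grants(policy_document):
    """Return (statement id, action) pairs where an Allow grants a decryption
    action on all KMS keys. Condition blocks are ignored on purpose (conservative)."""
    findings = []
    for idx, stmt in enumerate(_listify(policy_document.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        for action in DECRYPT_ACTIONS:
            if _statement_allows(stmt, action) and _covers_all_keys(stmt):
                findings.append((sid, action))
    return findings


def control_status(policy_document):
    """'alarm' if any broad decrypt grant exists, otherwise 'ok'."""
    return "alarm" if find_broad_decrypt_grants(policy_document) else "ok"


# Constructed inline policy the control fails: kms:* on every resource.
BROAD_INLINE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowKms", "Effect": "Allow", "Action": "kms:*", "Resource": "*"}
  ]
}""")

# Constructed remediation: the same decrypt actions scoped to a single key ARN.
SCOPED_INLINE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DecryptOneKey", "Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
     "Resource": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"}
  ]
}""")

if __name__ == "__main__":
    for name, doc in (("broad", BROAD_INLINE_POLICY), ("scoped", SCOPED_INLINE_POLICY)):
        print(name, control_status(doc), find_broad_decrypt_grants(doc))
```

Zelkova reasons about the full policy semantics, so the real control can both catch grants this pass misses and clear policies this pass flags; treat the script as a pre-commit lint for policy documents, not a replacement for the control.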
Resource Types
This control targets the following resource types:

Category
- tmod:@turbot/turbot#/control/categories/complianceHipaa

Developers
Control Type URI
- tmod:@turbot/aws-hipaa#/control/types/kmsKeyDecryptionRestrictedInIamInlinePolicy
Category URI
- tmod:@turbot/turbot#/control/categories/complianceHipaa
CLI
Get Controls
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-hipaa#/control/types/kmsKeyDecryptionRestrictedInIamInlinePolicy"