Policy: AWS > KMS > Key > Policy Statements > Approved

Configure policy statements for KMS keys. This control defines whether to verify if the key policy statements are approved, as well as the subsequent action to take on unapproved statements.

If set to Enforce: Delete unapproved, any unapproved statements will be revoked from the key's policy.

Please note that if the policy is set to Enforce: Delete unapproved and the new key policy does not contain statements that allow the Guardrails role to continue to manage the key's policy, this control will fail to apply the new policy due to a best practice from AWS that prevents key administrators from removing their own access.

Resource Types

This policy targets the following resource types:

AWS > KMS > Key

Primary Policy

This policy is used with the following primary policy:

AWS > KMS > Key > Policy Statements

Rules

Controls

Policy Packs

This policy setting is used by the following policy packs:

Enforce AWS KMS Keys Allow Only Approved Action Permissions

Policy Specification

Schema Type	`string`
Default	`Skip`
Valid Values [YAML]	`Skip` `Check: Approved` `Enforce: Delete unapproved`
Examples [YAML]	`Skip`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/turbot#/control/categories/resourceApproved

Policy Type URI

tmod:@turbot/aws-kms#/policy/types/keyPolicyStatementsApproved

GraphQL

query policyType(id: "tmod:@turbot/aws-kms#/policy/types/keyPolicyStatementsApproved") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/aws-kms#/policy/types/keyPolicyStatementsApproved'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/aws-kms#/policy/types/keyPolicyStatementsApproved'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/aws-kms#/policy/types/keyPolicyStatementsApproved"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws-kms#/policy/types/keyPolicyStatementsApproved"