Ensure that all your AWS Key Management Service keys are configured to be accessed only by trusted AWS accounts in order to protect against unauthorized cross account access. Prior to running this rule by the Cloud Conformity engine you need to provide the friendly accounts identifiers represented by a comma-separated list of valid AWS account IDs (e.g. 123456789012) or AWS account ARNs (e.g. arn:aws:iam::123456789012:root).
Allowing untrustworthy cross account access to your AWS KMS master keys will enable foreign AWS accounts to gain control over who can use the keys and access the data encrypted with these keys. To prevent sensitive data leaks and data loss, grant access only to the trusted entities by implementing the appropriate IAM access policies.
To determine if there are any AWS KMS keys that allow unknown cross account access, perform the following:
To update your Amazon KMS keys permissions in order to allow cross account access only to trusted entities, perform the following: