Identify any publicly accessible AWS Key Management Service master keys and update their key policy in order to stop anonymous (unsigned) requests made to these resources.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Allowing anonymous access to your AWS KMS keys is considered bad practice and can lead to sensitive data leakage. One common scenario is when an AWS user grants everyone permission to use the KMS key but forgets to add the Condition clauses to the key policy that restrict access to specific accounts.
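The following script, added here as an example and not part of the Cloud Conformity tool, shows the check the scenario above calls for: it flags key policy statements that allow a wildcard principal with no Condition, and walks every key in a region with boto3 (the client object, the key IDs and the sample policies are constructed for illustration).

```python
"""Flag KMS key policies that grant every AWS principal access without a Condition."""
import json


def is_wildcard_principal(principal) -> bool:
    """True when Principal is "*" or {"AWS": "*"} / {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy: dict) -> list:
    """Allow statements open to everyone with no Condition restricting the caller."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be written as an object
        stmts = [stmts]
    return [s for s in stmts
            if s.get("Effect") == "Allow"
            and is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]


def is_publicly_accessible(policy_document: str) -> bool:
    """True when the JSON key policy contains at least one open statement."""
    return bool(public_statements(json.loads(policy_document)))


def audit_kms_keys(kms) -> list:
    """Return the IDs of keys in this region whose policy is open to everyone.
    `kms` is a boto3 KMS client; list_keys is paginated and the policy name is 'default'."""
    exposed = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            policy = kms.get_key_policy(KeyId=key["KeyId"], PolicyName="default")["Policy"]
            if is_publicly_accessible(policy):
                exposed.append(key["KeyId"])
    return exposed


# Constructed sample policies (not from the page). The first grants kms:* to everyone with
# no Condition; the second keeps the same grant but limits it to one account (placeholder ID).
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Open", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "kms:*", "Resource": "*"}]})
RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Scoped", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "kms:*", "Resource": "*",
     "Condition": {"StringEquals": {"kms:CallerAccount": "123456789012"}}}]})

if __name__ == "__main__":
    print("public:", is_publicly_accessible(PUBLIC_POLICY))          # True
    print("restricted:", is_publicly_accessible(RESTRICTED_POLICY))  # False
```

Run it against a real account by passing `boto3.client("kms", region_name=...)` to `audit_kms_keys`; remediation is then replacing the wildcard statement with one scoped by a Condition (for example `kms:CallerAccount`) or by explicit account principals.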
To determine if your AWS KMS master keys are open to the world, perform the following:
To block anonymous access to your Amazon KMS master keys, perform the following: