Cloud Security Index
aws

high

Compliance Frameworks

BETA
NIST 800-53 Rev 5
SC-12, SC-28, AC-3
CIS AWS Foundations Benchmark v3.0
3.7
ISO 27001:2022
A.8.24
PCI DSS v4.0
3.7.1
HIPAA
164.312(a)(2)(iv)
SOC 2
CC6.1

// Beta Mapping Disclaimer

Framework mappings are currently in beta. These references are generated based on technical specifications and common industry alignments. Mappings may be incomplete or inaccurate; always consult with a qualified auditor for official compliance validation.

Overview

Enforce hardened KMS key policies in the Log Archive and Audit accounts to enforce separation of duties, restrict key usage to authorized AWS services via condition keys, and prevent privilege escalation through key policy overwrites or unrestricted grant creation.

Customer Managed Keys (CMKs) in the Log Archive and Audit accounts encrypt the most sensitive data in the landing zone: CloudTrail logs, Config history, Security Hub findings, and AWS Backup recovery points. A weak key policy undermines all other controls; three failure modes are most common:

  • Violation of Separation of Duties: Key administrators are granted kms:Decrypt or kms:Encrypt.
  • Policy Overwrite Risk: kms:PutKeyPolicy is left unrestricted, allowing admins to grant themselves decryption rights.
  • Unconstrained Grants: kms:CreateGrant is not restricted by kms:GrantIsForAWSResource, allowing arbitrary access for third-party principals.

This control defines the minimum key policy structure, mandates annual rotation, and uses kms:ViaService to restrict decryption to authorized service endpoints.

KMS key policies are the last line of defense for encrypted data. IAM policies cannot grant access to a KMS key that the key policy does not allow - but the inverse is not true. A permissive key policy can grant access regardless of IAM boundaries. In the Log Archive and Audit accounts, where keys protect immutable audit records and security findings, a misconfigured key policy can silently nullify the confidentiality guarantees of every upstream encryption control in the landing zone.

Remediation Strategy

Apply hardened key policies, enable annual rotation, and restrict decryption to authorized service endpoints.

1.

Apply the hardened policy to all CMKs in Log Archive and Audit accounts.

2.

Enable automatic key rotation for all symmetric CMKs.

3.

Audit and revoke unconstrained grants using kms:GrantIsForAWSResource.

# 1. Apply Policy
aws kms put-key-policy --key-id <ID> --policy-name default --policy file://policy.json

# 2. Enable Rotation
aws kms enable-key-rotation --key-id <ID>

# 3. Revoke Grants
aws kms list-grants --key-id <ID>
aws kms revoke-grant --key-id <ID> --grant-id <GRANT_ID>

Enforcement Logic

Automatedaws-api

Audit CMK rotation status, policy content for missing 'Deny' statements, and CloudTrail for unexpected Decrypt calls.

# Check Rotation
aws kms get-key-rotation-status --key-id <ID>

# Check Policy for Deny
aws kms get-key-policy --key-id <ID> --policy-name default

# Monitor Decrypt Events (Last 24h)
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=Decrypt

# Track structural volume changes for both reads and writes over the last 24h
for event in Encrypt Decrypt GenerateDataKey; do
  count=$(aws cloudtrail lookup-events \
    --lookup-attributes AttributeKey=EventName,AttributeValue=$event \
    --query "Events[*].CloudTrailEvent" --output text | wc -l)
  echo "Event $event Total Executions: $count"
done
SPEC_METADATA

Complexity
medium
Impact
low
Likelihood
low
Residual Risk
low
Scope
account
Environment
production
Resources
KMS
Remediation
account
Auto-Remediate
Available
Category
data-protection
Enforcement
mandatory
Tags
kmsencryptionkey-managementkey-policyseparation-of-dutiesdata-protectionlanding-zonecore-accounts

Owner
Cloud Security
Type
team
Frequency
annually

// EXCEPTION

AWS-managed keys (KeyManager: AWS) are excluded from this control. Their key policies are managed by AWS and cannot be modified. Separation of duties and rotation are enforced by AWS automatically.

// EXCEPTION

Asymmetric CMKs used for digital signing (e.g. for artifact verification) are exempt from the automatic rotation requirement - AWS KMS does not support rotation for asymmetric keys. Rotation for these keys must be handled by creating a new key version and updating all consumers manually on a documented schedule.

// SYSTEM_NOTE

The root account statement (AllowRootAccountFullControl) is mandatory in every KMS key policy - omitting it produces a key that can only be managed via the key policy itself, and a policy mistake can lock the key permanently. The kms:ViaService condition value format is exactly service.region.amazonaws.com for most services; CloudTrail is a global service and uses cloudtrail.amazonaws.com without a region segment.