Identify any publicly accessible AWS Key Management Service master keys and update their access policy in order to stop any unsigned requests made to these resources.
This rule can help you with the following compliance standards:
- PCI
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Allowing anonymous access to your AWS KMS keys is considered bad practice and can lead to sensitive data leakage. One common scenario is when an AWS user grants everyone permission to use the KMS key (a `Principal` of `"*"`) but forgets to add the Condition clauses to the key policy that would restrict access to specific accounts.
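An added example, not part of the Conformity rule page: a small Python checker for the misconfiguration described above, run over two constructed key policies in the JSON form that `get-key-policy` returns in its `Policy` field. The statement Sids and the account id are made up.

```python
import json

# Constructed sample: everyone may use the key and no Condition narrows the callers.
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Id": "key-consolepolicy", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": "*",
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}]})

# Constructed sample: the same grant, but a Condition limits it to one account.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Id": "key-consolepolicy", "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*",
     "Condition": {"StringEquals": {"kms:CallerAccount": "111122223333"}}}]})


def _principal_is_anonymous(principal):
    """True when the Principal element matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def exposed_statements(policy_json):
    """Return the Sids of Allow statements open to anonymous callers with no Condition.

    A wildcard principal that carries a Condition is not reported here; whether that
    Condition is tight enough still needs a manual look.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow"
            and _principal_is_anonymous(s.get("Principal"))
            and not s.get("Condition")]


def is_key_exposed(policy_json):
    """True when at least one statement grants unrestricted anonymous access."""
    return bool(exposed_statements(policy_json))
```

Feeding the `Policy` string from `aws kms get-key-policy --key-id <id> --policy-name default` into `is_key_exposed` gives the same verdict the rule's audit step looks for.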
Audit
To determine if your AWS KMS master keys are open to the world, perform the following:
Remediation / Resolution
To block anonymous access to your Amazon KMS master keys, perform the following:
References
- AWS Documentation:
  - Overview of Managing Access to Your AWS KMS Resources
  - Using Key Policies in AWS KMS
  - AWS Policy Generator
- AWS Command Line Interface (CLI) Documentation:
  - kms
  - list-aliases
  - get-key-policy
  - put-key-policy
Rule: Key Exposed
Risk level: High