Ensure that all your AWS Key Management Service (KMS) keys are configured to be accessed only by trusted AWS accounts, in order to protect against unauthorized cross-account access. Before the Cloud Conformity engine runs this rule, you need to provide the identifiers of the trusted (friendly) accounts as a comma-separated list of valid AWS account IDs (e.g. 123456789012) or AWS account ARNs (e.g. arn:aws:iam::123456789012:root).
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Allowing untrusted cross-account access to your AWS KMS master keys enables foreign AWS accounts to control who can use the keys and to access the data encrypted with them. To prevent sensitive data leaks and data loss, grant access only to trusted entities by implementing the appropriate IAM access policies. AWS supports KMS key policies with a Principal of '*' that are restricted by Conditions. This rule does not currently evaluate those scenarios and returns no checks when Conditions are detected on a '*' principal.
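The following is an added example, not Cloud Conformity's own rule engine, showing how the check described above can be expressed against a KMS key policy document: every Allow statement's AWS principals are resolved to a 12-digit account ID and compared with the trusted list, an unconditioned '*' principal is reported, and a '*' principal that carries a Condition makes the whole evaluation return no check, as the rule description states. The sample key policies, account IDs and function names (`parse_trusted_accounts`, `account_id_from_principal`, `evaluate_key_policy`) are constructed for illustration.

```python
import json

# Constructed sample key policy (not from the page): the key owner's account,
# one account that will be on the trusted list, and one unknown account.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "example-key-policy",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow use of the key by other accounts",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "333333333333"]},
            "Action": ["kms:Encrypt", "kms:Decrypt"],
            "Resource": "*",
        },
    ],
})

# Constructed sample with a wildcard principal restricted by a Condition; the
# rule description says such policies are not evaluated.
SAMPLE_WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Wildcard limited to caller account",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "kms:Decrypt",
            "Resource": "*",
            "Condition": {"StringEquals": {"kms:CallerAccount": "111111111111"}},
        },
    ],
})


def account_id_from_principal(principal):
    """Return the 12-digit account ID behind a bare account ID or an IAM/STS ARN,
    or None when the principal is in some other form (e.g. a service principal)."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")  # arn:partition:service::ACCOUNT:resource
    if (len(parts) == 6 and parts[0] == "arn" and parts[2] in ("iam", "sts")
            and parts[4].isdigit() and len(parts[4]) == 12):
        return parts[4]
    return None


def parse_trusted_accounts(friendly_list):
    """Parse the comma-separated list of trusted account IDs and/or root ARNs
    that the rule expects as input into a set of account IDs."""
    trusted = set()
    for item in friendly_list.split(","):
        item = item.strip()
        if not item:
            continue
        account = account_id_from_principal(item)
        if account is None:
            raise ValueError(f"not an AWS account ID or account ARN: {item!r}")
        trusted.add(account)
    return trusted


def evaluate_key_policy(policy_json, trusted_accounts):
    """Return (status, findings). status is PASS, FAIL, or NOT_EVALUATED when a
    '*' principal with a Condition is present. findings lists (Sid, principal)
    pairs that are not on the trusted list. Deny statements are ignored."""
    policy = json.loads(policy_json)
    untrusted = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            aws = principal.get("AWS", [])
            aws_principals = [aws] if isinstance(aws, str) else list(aws)
        else:
            continue  # no AWS principal element (e.g. Service only)
        for p in aws_principals:
            if p == "*":
                if stmt.get("Condition"):
                    return ("NOT_EVALUATED", [])
                untrusted.append((stmt.get("Sid"), p))
                continue
            account = account_id_from_principal(p)
            if account is None or account not in trusted_accounts:
                untrusted.append((stmt.get("Sid"), p))
    return ("FAIL" if untrusted else "PASS", untrusted)


if __name__ == "__main__":
    trusted = parse_trusted_accounts("111111111111, arn:aws:iam::222222222222:root")
    print(evaluate_key_policy(SAMPLE_KEY_POLICY, trusted))
    print(evaluate_key_policy(SAMPLE_WILDCARD_POLICY, trusted))
```

To run this against a live key, the policy document would come from the AWS API (for example `kms.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"]` via boto3) and be passed to `evaluate_key_policy` unchanged; a `FAIL` result lists exactly the principals that a trusted-accounts review should either add to the list or remove from the key policy.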
To determine if there are any AWS KMS keys that allow unknown cross account access, perform the following:
Remediation / Resolution
To update your Amazon KMS keys permissions in order to allow cross account access only to trusted entities, perform the following:
Rule: KMS Cross Account Access
Risk level: High