Skip to content

IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys #4628

New issue
New issue
Open
Open
IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys#4628
Labels
area/permissionsIssues about IAM permissionstype/enhancementIssues that are improvements for existing features.
@afgallo

Description

@afgallo
afgallo
opened on Mar 15, 2023

Copilot deploys two IAM roles that are triggering the above alert in Security Hub which has medium severity. The roles are:

  • EnvManagerRole
  • CFNExecutionRole

Can this be addressed in future releases so that this isn't a security concern?

Thanks,
Andre

[KMS.2] Checks whether the inline policies embedded in your IAM principals (Role/User/Group) allow the AWS Key Management Service (KMS) decryption actions on all KMS keys. This control fails if kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys in an inline policy.

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

    Labels

    area/permissionsIssues about IAM permissionstype/enhancementIssues that are improvements for existing features.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions