AWS config high security documentation change
Summary
Clarified rule scope to check for blocked KMS actions on all KMS keys and wildcard access in IAM policies
Security assessment
The changes emphasize preventing wildcard access to KMS actions across all resources, which directly addresses potential over-permissive IAM policies. This helps prevent privilege escalation risks and unauthorized cryptographic operations.
Diff
diff --git a/config/latest/developerguide/iam-customer-policy-blocked-kms-actions.md b/config/latest/developerguide/iam-customer-policy-blocked-kms-actions.md index f50e6d4a8..38708c900 100644 --- a//config/latest/developerguide/iam-customer-policy-blocked-kms-actions.md +++ b//config/latest/developerguide/iam-customer-policy-blocked-kms-actions.md @@ -9 +9 @@ AWS CloudFormation template -Checks if the managed AWS Identity and Access Management (IAM) policies that you create do not allow blocked actions on AWS KMS keys. The rule is NON_COMPLIANT if any blocked action is allowed on AWS KMS keys by the managed IAM policy. +Checks if the managed AWS Identity and Access Management (IAM) policies that you create do not allow blocked KMS actions on all AWS KMS key resources. The rule is NON_COMPLIANT if any blocked action is allowed on all AWS KMS keys by the managed IAM policy. @@ -29 +29 @@ Type: CSV -Comma-separated list of blocked KMS action patterns. For example, you can list kms:Decrypt* or kms:ReEncrypt as blocked action patterns. The rule is NON_COMPLIANT if the managed IAM policy allows any action pattern listed in this parameter. +Comma-separated list of blocked KMS action patterns for the rule to check. The rule is NON_COMPLIANT if IAM customer managed policies allow wildcard access to all resources for the actions you specify.