KMS key policy contains wildcard (*) principal

Description

A wildcard principal ("*", or AWS: "*") in an Allow statement of a KMS key policy grants that statement's actions to every principal, including principals in other AWS accounts and, where the action permits it, anonymous callers. A key policy with such a statement can expose the key material's use (encrypt, decrypt, re-encrypt, generate data keys) to unauthorized access.

Removing wildcard principals from your key policies ensures that only specific IAM users, roles, or accounts can use the key. The usual replacement is the root principal of the key's own account (arn:aws:iam::ACCOUNT-ID:root), which keeps the key administrable and delegates fine-grained access decisions to IAM policies in that account. If a statement must keep a wildcard principal, it should be a Deny statement or carry a Condition that restricts it to the intended account or service.

Fix - Buildtime

CloudFormation

  • Resource: AWS::KMS::Key
  • Argument: Properties.KeyPolicy.Statement.Principal

Both forms shown on the removed lines are wildcards: a bare "*" and an AWS map whose value is "*". Replace them with the account root principal (or the specific roles that need the key):

Type: AWS::KMS::Key
    Properties:
        ...
        KeyPolicy:
            ...
            Statement:
                - ...
                  Principal:
-                   "*"
-                   AWS: "*"
+                   AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
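The check described above, run over a template offline, as an added example (this is not the page's or Checkov's own implementation, and the sample template, its logical IDs, statement Sids and the account ID are constructed for the demonstration). The template is given in CloudFormation's JSON form so no YAML parser is needed. The example flags an Allow statement whose Principal is "*" or whose AWS principal list contains "*", and deliberately skips Deny statements, since a wildcard principal there restricts rather than grants; a stricter scan would report those too.

```python
"""Flag wildcard principals in AWS::KMS::Key key policies of a CloudFormation template."""
import json

# Constructed sample template (JSON form of CloudFormation); not taken from the page.
# "OpenKey" carries the weak setting, "ScopedKey" the corrected one.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "OpenKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "KeyPolicy": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {"Sid": "AnyoneCanUse", "Effect": "Allow",
                         "Principal": {"AWS": "*"},
                         "Action": "kms:*", "Resource": "*"}
                    ]
                }
            }
        },
        "ScopedKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "KeyPolicy": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {"Sid": "AccountRoot", "Effect": "Allow",
                         "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
                         "Action": "kms:*", "Resource": "*"},
                        # Wildcard in a Deny with a condition: a restriction, not a grant.
                        {"Sid": "DenyOtherAccounts", "Effect": "Deny",
                         "Principal": "*",
                         "Action": "kms:*", "Resource": "*",
                         "Condition": {"StringNotEquals": {"aws:PrincipalAccount": "123456789012"}}}
                    ]
                }
            }
        },
        "Bucket": {"Type": "AWS::S3::Bucket"}
    }
})


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal):
    """True if a Principal grants to everyone: "*" or an AWS entry equal to "*" (also inside lists)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def find_wildcard_principals(template_json):
    """Return (logical_id, sid) for each Allow statement with a wildcard principal in a KMS key policy."""
    template = json.loads(template_json)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::KMS::Key":
            continue
        policy = resource.get("Properties", {}).get("KeyPolicy", {})
        for stmt in _as_list(policy.get("Statement", [])):
            # Deny statements are skipped by design (see lead-in); only grants are reported.
            if stmt.get("Effect") == "Allow" and principal_is_wildcard(stmt.get("Principal")):
                findings.append((logical_id, stmt.get("Sid", "<no Sid>")))
    return findings


if __name__ == "__main__":
    for key, sid in find_wildcard_principals(SAMPLE_TEMPLATE):
        print(f"{key}: statement {sid} allows a wildcard principal")
```

Running the script reports only OpenKey; ScopedKey passes because its grant names the account root and its wildcard appears only in a conditioned Deny.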