The AWS finding "KMS Keys Allow Cross-Account Access" seems to trigger on KMS key policies that grant permissions to unique IDs (AROA..., etc.) rather than to accounts or ARNs. This is still an issue that should be reported, but perhaps it should be a separate issue: there is no convenient way to identify the account holding the principal identified by a unique ID, so it's not clear whether the permission is granted to another account or not. Also, AWS sometimes replaces principal ARNs in permission policies with unique IDs when those principals are deleted (https://repost.aws/knowledge-center/iam-resource-policy-format).
I suggest that this finding should be split into two:

1. One for the case where permissions are unambiguously being granted to another account.
2. One for the case where permissions are being granted to a unique ID that cannot be identified.
The same would hold for any related issues with resource-based permission policies.
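To make the proposed split concrete, here is an added example (not the scanner's own code) that sorts the principals of a KMS key policy into the buckets the issue describes; the account IDs, the AROA unique ID and the policy document are constructed, and the AROA/AIDA prefixes are the documented IAM unique-ID prefixes for roles and users.

```python
import json
import re

# Bare IAM unique IDs (AROA = role, AIDA = user), optionally with a ":session" suffix,
# which is the form AWS substitutes for a deleted principal's ARN.
UNIQUE_ID_RE = re.compile(r"^(AROA|AIDA)[A-Z0-9]{16,}(:[^:]+)?$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# IAM/STS principal ARNs carry the owning account as the fifth colon-separated field.
ARN_RE = re.compile(r"^arn:aws[a-z-]*:(iam|sts)::(\d{12}):")

BUCKETS = ("wildcard", "same_account", "cross_account", "unidentified_unique_id", "unrecognised")


def aws_principals(statement):
    """Yield the Principal.AWS values (string or list); a bare "*" counts as a principal."""
    principal = statement.get("Principal", {})
    if principal == "*":
        yield "*"
        return
    aws = principal.get("AWS", [])
    yield from ([aws] if isinstance(aws, str) else aws)


def classify_principal(principal, key_account_id):
    """Decide whether the principal's owning account can be read from the policy at all."""
    if principal == "*":
        return "wildcard"
    if UNIQUE_ID_RE.match(principal):
        # No account ID is embedded, so same- vs cross-account cannot be decided here.
        return "unidentified_unique_id"
    if ACCOUNT_ID_RE.match(principal):
        account = principal
    else:
        match = ARN_RE.match(principal)
        if not match:
            return "unrecognised"
        account = match.group(2)
    return "same_account" if account == key_account_id else "cross_account"


def classify_key_policy(policy_json, key_account_id):
    """Group every principal of each Allow statement by how its account was determined."""
    buckets = {name: [] for name in BUCKETS}
    statements = json.loads(policy_json)["Statement"]
    for stmt in statements if isinstance(statements, list) else [statements]:
        if stmt.get("Effect") != "Allow":
            continue
        for principal in aws_principals(stmt):
            buckets[classify_principal(principal, key_account_id)].append(principal)
    return buckets


# Constructed key policy: key owner 111111111111, one foreign account, one orphaned unique ID.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ["222222222222", "AROAEXAMPLEID1234567"]},
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}]})

if __name__ == "__main__":
    for bucket, principals in classify_key_policy(SAMPLE_POLICY, "111111111111").items():
        print(f"{bucket}: {principals}")
```

Only the `cross_account` bucket would feed the existing finding; `unidentified_unique_id` is the second finding the issue asks for.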