Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Does not catch KMS Key with Principal: "*" in Key Policy #335

Closed
JoseRolles opened this issue Dec 31, 2019 · 2 comments
Closed

Does not catch KMS Key with Principal: "*" in Key Policy #335

JoseRolles opened this issue Dec 31, 2019 · 2 comments
Assignees
@pshelby
Labels
good first issue

Comments

@JoseRolles
Copy link

Even though the following Key Policy will allow any AWS account to use this KMS Key to Decrypt anything, cfn_nag does not flag it as a warning or failing violation.

{
  "Resources": {
    "MyKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "EnableKeyRotation": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": "*",
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
@ghost ghost added the good first issue label Jan 6, 2020
@ghost
Copy link

ghost commented Jan 6, 2020

cfn_nag doesn't currently have a rule for anything KMS::Key related except for the rotation bit. Will put this on the backlog. Thanks!

@ghost ghost assigned ghost and pshelby and unassigned ghost Jan 6, 2020
This was referenced Jan 8, 2020
Merged
Merged
ghost pushed a commit that referenced this issue Jan 14, 2020
@pshelby
#335 Adding warning if a KMS key allows wildcarded principals in its …
c1f1a78 
…policy (#338)

* #335 Adding warning if a KMS key allows wildcarded principals in its policy.

* #335 Changing to failure, and adding logic to catch when AWS subkey is set to wildcard.

* #335 Modifying KMS key wildcard principal rule to use new KMS key model from cfn-model and included tests for nested hash wildcard principal.

* #335 Updating cfn-model version.
@ghost
Copy link

ghost commented Jan 14, 2020

released in 0.4.65

@ghost ghost closed this as completed Jan 14, 2020
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pshelby pshelby

Labels
good first issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pshelby @JoseRolles