Rule F76 doesn't take conditions into account
Hi.
We're looking to adopt cfn-nag for our templates, but we have some failures on rule F76 - KMS key should not allow * principal.
We use the * principal on KMS keys where we want to allow AWS services to use the key, e.g.:
```yaml
- Sid: services
  Effect: Allow
  Principal:
    AWS: '*'
  Action:
    - 'kms:Encrypt'
    - 'kms:Decrypt'
    - 'kms:ReEncrypt*'
    - 'kms:GenerateDataKey*'
    - 'kms:CreateGrant'
    - 'kms:ListGrants'
    - 'kms:DescribeKey'
  Resource: '*'
  Condition:
    StringEquals:
      'kms:CallerAccount': !Ref 'AWS::AccountId'
      'kms:ViaService':
        - !Sub 'rds.${AWS::Region}.amazonaws.com'
        - !Sub 'secretsmanager.${AWS::Region}.amazonaws.com'
```
I believe this approach is in line with AWS best practices/recommendations. Is there anything you can do to handle situations like this?
Thanks, Nick
I suspect it would be very difficult to determine whether the conditions suffice to make the wildcard secure, so maybe it's better that it fails on this, and forces a manual review and suppression. Although of course once the suppression is in place, it could then be made insecure by a further change, and it wouldn't be picked up...
@stile1201 Thanks for the detailed feedback. I agree with your assessment, for this use case the policy you have is in line with recommendations per AWS documentation.
Evaluating the effective permissions of any given AWS policy is hard and better served by other tools such as AWS Access Analyzer. At this time, I don't think it makes sense to try and tackle matching the conditions on the policy to exempt this particular rule. My recommendation would be to use metadata to suppress this particular failure.
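The two positions in this thread (a condition-aware exemption for scoped wildcards, versus plain F76 plus a metadata suppression) can be put side by side in a small checker. The following is an added example and is not cfn_nag's own code: `check_template`, `statement_is_scoped`, `is_suppressed` and the sample templates are all assumptions made for illustration. It takes templates in the JSON form of CloudFormation (`!Ref 'AWS::AccountId'` becomes `{"Ref": "AWS::AccountId"}`, `!Sub` becomes `{"Fn::Sub": ...}`) so it needs only the standard library, and it honours the real `Metadata.cfn_nag.rules_to_suppress` block that the maintainer recommends. The "DriftedKey" resource is constructed to show the caveat raised above: a key that was suppressed while its Condition was present stays hidden after the Condition is removed.

```python
"""Heuristic F76-style check for KMS key policies in CloudFormation (added example, not cfn_nag code)."""
from typing import Any, Dict, List

RULE_ID = "F76"


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal: Any) -> bool:
    """True for Principal: '*' or Principal: {AWS: '*'} (also when '*' sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _condition_values(condition: Dict[str, Any], key: str) -> List[Any]:
    """Values of `key` under StringEquals; IAM condition keys are case-insensitive."""
    for k, v in (condition or {}).get("StringEquals", {}).items():
        if k.lower() == key.lower():
            return _as_list(v)
    return []


def _is_concrete(value: Any) -> bool:
    """A literal account id / service host, or an intrinsic (Ref, Fn::Sub) that resolves to one."""
    if isinstance(value, dict):  # {"Ref": "AWS::AccountId"}, {"Fn::Sub": "rds.${AWS::Region}.amazonaws.com"}
        return True
    return isinstance(value, str) and value != "" and "*" not in value


def statement_is_scoped(statement: Dict[str, Any]) -> bool:
    """The exemption asked for in the issue: caller pinned to one account AND to named services.

    A kms:ViaService condition alone is not enough: without kms:CallerAccount the
    wildcard still admits that service acting for any account.
    """
    cond = statement.get("Condition", {})
    accounts = _condition_values(cond, "kms:CallerAccount")
    services = _condition_values(cond, "kms:ViaService")
    return (len(accounts) == 1 and _is_concrete(accounts[0])
            and len(services) > 0 and all(_is_concrete(s) for s in services))


def is_suppressed(resource: Dict[str, Any], rule_id: str = RULE_ID) -> bool:
    """cfn_nag's suppression mechanism: Metadata.cfn_nag.rules_to_suppress on the resource."""
    rules = resource.get("Metadata", {}).get("cfn_nag", {}).get("rules_to_suppress", [])
    return any(r.get("id") == rule_id for r in rules)


def check_template(template: Dict[str, Any], honor_conditions: bool) -> List[Dict[str, Any]]:
    """One finding per Allow statement with a wildcard principal on each AWS::KMS::Key.

    honor_conditions=False behaves like plain F76 (every wildcard fails); True applies
    the statement_is_scoped exemption. Suppressed resources report "SUPPRESSED" either way.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::KMS::Key":
            continue
        policy = resource.get("Properties", {}).get("KeyPolicy", {})
        for stmt in _as_list(policy.get("Statement")):
            if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
                continue
            if is_suppressed(resource):
                status = "SUPPRESSED"
            elif honor_conditions and statement_is_scoped(stmt):
                status = "PASS"
            else:
                status = "FAIL"
            findings.append({"resource": logical_id, "sid": stmt.get("Sid", ""), "status": status})
    return findings


def failing(template: Dict[str, Any], honor_conditions: bool) -> List[str]:
    return [f"{f['resource']}/{f['sid']}" for f in check_template(template, honor_conditions)
            if f["status"] == "FAIL"]


# ---- constructed sample templates (not from the issue's real stack) ----
def _key(statements: List[Dict[str, Any]], suppress: bool = False) -> Dict[str, Any]:
    res: Dict[str, Any] = {"Type": "AWS::KMS::Key",
                           "Properties": {"KeyPolicy": {"Version": "2012-10-17", "Statement": statements}}}
    if suppress:
        res["Metadata"] = {"cfn_nag": {"rules_to_suppress": [
            {"id": RULE_ID, "reason": "wildcard scoped by kms:CallerAccount and kms:ViaService"}]}}
    return res


ROOT_ADMIN = {"Sid": "root", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
              "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}}}

SERVICES_SCOPED = {  # the statement from the issue, in JSON form
    "Sid": "services", "Effect": "Allow", "Principal": {"AWS": "*"}, "Resource": "*",
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
               "kms:CreateGrant", "kms:ListGrants", "kms:DescribeKey"],
    "Condition": {"StringEquals": {
        "kms:CallerAccount": {"Ref": "AWS::AccountId"},
        "kms:ViaService": [{"Fn::Sub": "rds.${AWS::Region}.amazonaws.com"},
                           {"Fn::Sub": "secretsmanager.${AWS::Region}.amazonaws.com"}]}}}

SERVICES_OPEN = {k: v for k, v in SERVICES_SCOPED.items() if k != "Condition"}  # same grant, no Condition

TEMPLATE = {"Resources": {
    "ScopedKey": _key([ROOT_ADMIN, SERVICES_SCOPED]),
    "OpenKey": _key([ROOT_ADMIN, SERVICES_OPEN]),
    # suppressed while it was scoped, then the Condition was removed: the suppression still hides it
    "DriftedKey": _key([ROOT_ADMIN, SERVICES_OPEN], suppress=True),
}}

if __name__ == "__main__":
    for mode in (False, True):
        print(f"honor_conditions={mode}:", check_template(TEMPLATE, mode))
```

With `honor_conditions=False` the scoped key fails exactly as F76 does today; with `True` only the unconditioned wildcard fails. Either way the drifted key is never reported, which is the cost of suppression that the thread points out, and why a review of suppressed resources (or a policy-evaluation tool such as the one the maintainer mentions) still belongs in the pipeline.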