Json Yaml Keys Exposed To Everyone
Description
Detects AWS KMS keys in CloudFormation templates whose key policy grants access to any principal. A key policy statement with Principal: '*' (or Principal: {AWS: '*'}) and no narrowing Condition allows any authenticated AWS identity, in any account, to perform the listed kms: actions on the key (principals in the same account directly; principals in other accounts once their own IAM policy also allows those actions). Anyone who obtains such permissions can decrypt data protected by the key, or encrypt and sign on its behalf, so the finding is rated critical.
Detection Strategy
• Scans CloudFormation template files for AWS::KMS::Key resource definitions
• Examines the key policy configuration to identify overly permissive access settings
• Reports a vulnerability when an Allow statement in that policy makes the key usable by any principal
• Specifically flags statements whose Principal is '*' (or AWS: '*'), which IAM treats as every authenticated AWS identity, especially when no Condition narrows the grant
Vulnerable code example
Resources:
  myKMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Vulnerable KMS key configuration
      KeyPolicy:
        Version: 2012-10-17
        Statement: ...
✅ Secure code example
Resources:
  myKMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Secure KMS key configuration
      EnableKeyRotation: true # Enable automatic key rotation for better security
      KeyPolicy:
        Version: 2012-10-17 ...
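As an added example that is not part of this page or of Fluid Attacks' scanner, the following Python script implements the detection strategy above against a constructed CloudFormation template in JSON form (the JSON twin of the YAML above; CloudFormation accepts both). Every name in the sample (logical IDs, the account ID 111122223333, the role and organization IDs) is made up. The check treats Principal "*" and Principal {"AWS": "*"} as "everyone", ignores Deny statements, and by default does not report a wildcard principal that a Condition narrows (such as aws:PrincipalOrgID), since that is a common and usually intended pattern; pass flag_conditional=True to see those too.

```python
"""Added example (not Fluid Attacks' scanner): report AWS::KMS::Key resources whose
key policy contains an Allow statement open to any principal."""
import json
from typing import Any

# Constructed sample template (CloudFormation JSON). 'OpenKey' is the weak
# configuration, 'ScopedKey' the hardened one, 'OrgKey' a wildcard narrowed by a
# Condition. Account, role and org IDs are invented for illustration.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "OpenKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "Description": "Vulnerable: any principal may use this key",
                "KeyPolicy": {
                    "Version": "2012-10-17",
                    "Statement": [{"Sid": "Everyone", "Effect": "Allow",
                                   "Principal": "*", "Action": "kms:*",
                                   "Resource": "*"}],
                },
            },
        },
        "ScopedKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "Description": "Secure: scoped to named principals",
                "EnableKeyRotation": True,
                "KeyPolicy": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {"Sid": "AccountAdmin", "Effect": "Allow",
                         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                         "Action": "kms:*", "Resource": "*"},
                        {"Sid": "AppRoleUse", "Effect": "Allow",
                         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
                         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
                         "Resource": "*"},
                    ],
                },
            },
        },
        "OrgKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "KeyPolicy": {
                    "Version": "2012-10-17",
                    "Statement": [{"Sid": "OrgWide", "Effect": "Allow",
                                   "Principal": "*", "Action": "kms:Decrypt",
                                   "Resource": "*",
                                   "Condition": {"StringEquals": {
                                       "aws:PrincipalOrgID": "o-exampleorgid"}}}],
                },
            },
        },
        "NotAKey": {"Type": "AWS::S3::Bucket"},
    }
})


def _as_list(value: Any) -> list:
    """IAM allows scalars or lists in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal: Any) -> bool:
    """True for the forms IAM treats as 'any principal': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def open_statements(key_policy: dict, flag_conditional: bool = False) -> list:
    """Return the Sids (or positions) of Allow statements open to everyone."""
    found = []
    for idx, stmt in enumerate(_as_list(key_policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_everyone(stmt.get("Principal")):
            continue
        # A Condition narrows the wildcard; report it only when asked to.
        if stmt.get("Condition") and not flag_conditional:
            continue
        found.append(stmt.get("Sid", f"statement[{idx}]"))
    return found


def find_exposed_kms_keys(template_text: str, flag_conditional: bool = False) -> dict:
    """Map logical ID -> offending Sids for every AWS::KMS::Key in the template."""
    template = json.loads(template_text)
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::KMS::Key":
            continue
        policy = resource.get("Properties", {}).get("KeyPolicy")
        if not isinstance(policy, dict):
            continue  # no KeyPolicy means the default key policy applies; out of scope here
        sids = open_statements(policy, flag_conditional)
        if sids:
            results[logical_id] = sids
    return results


if __name__ == "__main__":
    for key, sids in find_exposed_kms_keys(SAMPLE_TEMPLATE).items():
        print(f"{key}: key policy open to any principal in {sids}")
```

Run as-is it reports only OpenKey; ScopedKey names concrete ARNs and OrgKey is narrowed by aws:PrincipalOrgID. A real scanner would also need to parse YAML with CloudFormation's intrinsic-function tags (!Ref, !Sub, and so on) before applying the same logic.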