28 June 2021 - Rule Update Notice
From Thursday 24th June at 5:55 am UTC to Monday 28th June 10:19 am UTC, the Rule: KMS-006: KMS Cross Account Access generated false positives (incorrect failures) in the following scenarios:
- AWS Managed Keys in the scenarios mentioned in the Rule Updates section below.
- Customer Managed Keys with a wildcard statement in the Principal section of the Key policy.
We have made the following rule updates to resolve the issue.
1. KMS-006: KMS Cross Account Access
a. Will no longer generate checks for:
- Any AWS Managed Keys as their secure nature excludes them from cross account access misconfigurations.
- Customer Managed Keys whose key policy contains a statement with a wildcard Principal together with any Condition.
b. Will generate checks for:
- Customer Managed Keys whose key policy has no wildcard in the Principal section of any statement, regardless of the presence of an account condition.
- Customer Managed Keys whose key policy has a statement with a wildcard Principal, provided that statement has no Condition.
We’ve also updated the Knowledge Base for the rule to reflect these updates.
As AWS allows KMS key policies to combine a wildcard principal with condition statements to grant restricted cross-account access, Conformity will work towards refining the rule by covering more policy condition scenarios in the future.
2. Conformity has stopped evaluating AWS Managed Keys in the scenarios mentioned above, which means that no checks will be produced for any AWS Managed Keys in the following rules:
- KMS-003: Unused Customer Master Key
- KMS-004: KMS Customer Master Key Pending Deletion
- KMS-005: Key Exposed
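To make the new scoping in items 1 and 2 concrete, the following Python example applies the updated KMS-006 in-scope logic to a few constructed key policies. It is an added illustration, not Conformity's own rule code: the function names, the sample policies and the account IDs are assumptions made here (the account IDs are AWS documentation placeholders), and the only real API detail relied on is that `DescribeKey` reports `KeyMetadata.KeyManager` as `AWS` or `CUSTOMER`.

```python
"""Illustrative reproduction of the updated KMS-006 check-scope logic.

Added example, not Conformity's code. Function names are hypothetical and the
key policies below are constructed samples.
"""
import json

# KeyManager values as returned by KMS DescribeKey -> KeyMetadata.KeyManager
AWS_MANAGED = "AWS"
CUSTOMER_MANAGED = "CUSTOMER"


def principal_is_wildcard(principal):
    """True if a statement's Principal grants to everyone.

    Key policies write this either as the bare string "*" or as
    {"AWS": "*"}; the value may also be a list of principals.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            values = value if isinstance(value, list) else [value]
            if "*" in values:
                return True
    return False


def kms006_in_scope(key_manager, key_policy_json):
    """Return True when KMS-006 would generate a check for this key.

    Mirrors the rule update:
      * AWS managed keys are never checked.
      * A customer managed key is excluded as soon as any statement combines
        a wildcard Principal with a Condition block.
      * Every other customer managed key is checked: no wildcard principal at
        all (with or without an account condition), or a wildcard principal
        in a statement that has no Condition.
    The notice does not mention Effect (Allow/Deny), so it is ignored here.
    """
    if key_manager == AWS_MANAGED:
        return False
    policy = json.loads(key_policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    for stmt in statements:
        if principal_is_wildcard(stmt.get("Principal", {})) and stmt.get("Condition"):
            return False
    return True


# Constructed sample policies (account IDs are AWS documentation placeholders).
WILDCARD_WITH_CONDITION = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowUseFromOneAccountOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:CallerAccount": "111122223333"}},
    }],
})
WILDCARD_NO_CONDITION = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowUseFromAnywhere",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "kms:Decrypt",
        "Resource": "*",
    }],
})
EXPLICIT_ACCOUNT_WITH_CONDITION = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOtherAccountRoot",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:CallerAccount": "444455556666"}},
    }],
})

# Constructed inventory: (key id, KeyManager, key policy document)
SAMPLE_INVENTORY = [
    ("aws/s3-example", AWS_MANAGED, WILDCARD_NO_CONDITION),
    ("cmk-restricted", CUSTOMER_MANAGED, WILDCARD_WITH_CONDITION),
    ("cmk-open", CUSTOMER_MANAGED, WILDCARD_NO_CONDITION),
    ("cmk-explicit", CUSTOMER_MANAGED, EXPLICIT_ACCOUNT_WITH_CONDITION),
]


def triage(inventory):
    """Return the ids of the keys KMS-006 would still evaluate."""
    return [key_id for key_id, manager, policy in inventory
            if kms006_in_scope(manager, policy)]


if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))  # ['cmk-open', 'cmk-explicit']
```

The AWS managed key drops out before its policy is parsed, the wildcard-plus-`kms:CallerAccount` key is excluded exactly as item 1a describes, and the two remaining customer managed keys stay in scope as item 1b requires.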
Custom Policy Updates
There is no change to the custom policy as a result of the latest deployment. The current custom policy is version 1.31.