aws_compliance

AWS Compliance

Checks if the inline policies attached to IAM users, roles, and groups do not allow blocked actions on all AWS Key Management Service (KMS) keys. The rule is non - compliant if any blocked action is allowed on all KMS keys in an inline policy.

iam_policy_inline_no_blocked_kms_actions

gxp_21_cfr_part_11_11_10_d

11.10(d) Limiting system access to authorized individuals

gxp_21_cfr_part_11_11_10_g

11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand

hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv

164.312(a)(2)(iv) Encryption and decryption

hipaa_security_rule_2003_164_312_a_2_iv

nist_800_171_rev_2_3_1_4

3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion

nist_800_171_rev_2_3_1_5

3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts

pci_dss_v321_requirement_3_5_2

3.5.2 Restrict access to cryptographic keys to the fewest number of custodians necessary

pci_dss_v321_requirement_3_6_4

3.6.4 Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines

pci_dss_v321_requirement_3_6_4_a

3.6.4.a Verify that key-management procedures include a defined cryptoperiod for each key type in use and define a process for key changes at the end of the defined cryptoperiod(s)

all_controls_iam

nist_csf_pr_ac_1

PR.AC-1

nist_csf_pr_ac_4

PR.AC-4

cisa_cyber_essentials_your_systems_3

Your Systems-3

Ensure inline policies attached to IAM users, roles, and groups should not allow blocked actions on KMS keys

Run individual configuration, compliance and security controls or full compliance benchmarks for CIS, FFIEC, PCI, NIST, HIPAA, RBI CSF, GDPR, SOC 2, Audit Manager Control Tower, FedRAMP, GxP and AWS Foundational Security Best Practices controls across all your AWS accounts using Powerpipe and Steampipe.

Apache License 2.0

steampipe-mod-aws-compliance

Control: Ensure inline policies attached to IAM users, roles, and groups should not allow blocked actions on KMS keys

Description

Usage

SQL

Tags