Query: KMS key decryption should be restricted in IAM inline policy

Description

Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys in an inline policy.

Query

Tables used in this query:

• aws_iam_group
• aws_iam_role
• aws_iam_user

Controls using this query:

• 2 IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys
• KMS key decryption should be restricted in IAM inline policy

SQL