Property

Language: hcl
Severity: medium
CWE: CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The KMS key policy grants wildcard ('*') access to all principals, allowing anyone to perform any action on the key. This overly permissive configuration exposes the key to unauthorized access and misuse.

Impact

If exploited, attackers could gain full administrative control over your KMS key, enabling them to decrypt sensitive data, delete or rotate keys, and disrupt critical encryption operations. This can lead to data breaches, loss of confidentiality, and compromise of all data protected by the key.
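
The following Terraform is an added illustration, not taken from the rule's own documentation: it shows a key policy of the kind described above next to one that names its principals. The resource names and the `app-encryption` role are hypothetical, and the role is assumed to already exist in the account.

```hcl
# Account ID of the caller, used to build principal ARNs below.
data "aws_caller_identity" "current" {}

# Non-compliant (constructed): every principal may perform every KMS action.
resource "aws_kms_key" "open" {
  description = "constructed example: wildcard key policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowEveryone"
      Effect    = "Allow"
      Principal = { AWS = "*" } # wildcard principal
      Action    = "kms:*"       # wildcard action
      Resource  = "*"           # in a key policy, "*" means this key
    }]
  })
}

# Compliant (constructed): principals are named and usage actions are scoped.
resource "aws_kms_key" "scoped" {
  description         = "constructed example: named principals only"
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Delegates key administration to IAM policies in the owning account.
        Sid       = "AccountAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # Hypothetical application role limited to cryptographic use of the key.
        Sid       = "ApplicationUse"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/app-encryption" }
        Action    = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]
        Resource  = "*"
      }
    ]
  })
}
```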