AWS Security Hub · KMS
KMS.1: IAM policies should not allow decrypt on all KMS keys
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub KMS.1 check?
KMS.1 fails when the default version of a customer-managed IAM policy (attached or unattached) allows kms:Decrypt or kms:ReEncryptFrom on a wildcard Resource. It evaluates customer-managed policies only, ignoring any Condition element and all inline policies.
Why does KMS.1 matter?
A managed policy with decrypt on "*" lets every principal it's attached to decrypt data under any key — including, in a multi-tenant system, other tenants' data. Such grants slip through reviews because reviewers focus on the actions, not the Resource. One DataPipelineRole that only ever touched two keys carried Decrypt on "*" through three reviews; scoping it to the two real ARNs took eight minutes.
How do I fix KMS.1?
- List customer-managed policies and read each document for kms:Decrypt or kms:ReEncryptFrom with Resource: "*".
- Identify the keys each principal actually uses.
- Rewrite the Resource element to the specific key ARNs and verify nothing breaks.
- Note KMS.1 only evaluates the policy's default version — bump and clean up old versions too.
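The steps above, as an added worked example (not code from this page, Emnode or AWS): a small checker that applies KMS.1's logic to a policy document (Allow statement, kms:Decrypt or kms:ReEncryptFrom, Resource "*", conditions ignored) and a helper that rewrites the offending Resource to explicit key ARNs. The policy document and key ARNs are constructed for the demo; the account-wide scan takes a boto3 IAM client as a parameter and is not run here. One assumption goes beyond the text: the checker also treats action wildcards such as kms:* or * as granting decrypt, which is how IAM evaluates them.

```python
"""KMS.1-style check over IAM policy documents, plus a scoping helper.

Added example, not Security Hub's or AWS's own code. Sample documents,
ARNs and account ids below are constructed.
"""
import copy
import fnmatch

DECRYPT_ACTIONS = ("kms:Decrypt", "kms:ReEncryptFrom")


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_decrypt(action):
    """True if an Action entry covers kms:Decrypt or kms:ReEncryptFrom.
    Assumption (stricter than the page states): wildcards like "kms:*" or "*"
    count too, because IAM matches actions case-insensitively with globs."""
    return any(fnmatch.fnmatchcase(a.lower(), action.lower()) for a in DECRYPT_ACTIONS)


def _is_offending(stmt):
    # Conditions are deliberately ignored, matching KMS.1's scope.
    # NotAction/NotResource forms are not evaluated by this helper.
    return (
        stmt.get("Effect") == "Allow"
        and "*" in _as_list(stmt.get("Resource"))
        and any(_grants_decrypt(a) for a in _as_list(stmt.get("Action")))
    )


def offending_statements(document):
    """Return the Sid (or index label) of each statement that would fail KMS.1."""
    hits = []
    for idx, stmt in enumerate(_as_list(document.get("Statement"))):
        if _is_offending(stmt):
            hits.append(stmt.get("Sid", f"statement[{idx}]"))
    return hits


def scope_to_keys(document, key_arns):
    """Return a copy of the document with each offending statement's Resource
    replaced by the given key ARNs. Review mixed statements by hand: actions
    such as kms:ListKeys only work against Resource "*" and belong in their own
    statement."""
    fixed = copy.deepcopy(document)
    stmts = _as_list(fixed.get("Statement"))
    for stmt in stmts:
        if _is_offending(stmt):
            stmt["Resource"] = list(key_arns)
    fixed["Statement"] = stmts
    return fixed


def scan_customer_managed_policies(iam):
    """Account-wide check with a boto3 IAM client (not executed in this demo).
    Uses ListPolicies with Scope=Local and the DefaultVersionId document,
    which is exactly the scope KMS.1 evaluates."""
    findings = {}
    for page in iam.get_paginator("list_policies").paginate(Scope="Local"):
        for pol in page["Policies"]:
            doc = iam.get_policy_version(
                PolicyArn=pol["Arn"], VersionId=pol["DefaultVersionId"]
            )["PolicyVersion"]["Document"]
            hits = offending_statements(doc)
            if hits:
                findings[pol["Arn"]] = hits
    return findings


# Constructed sample: the shape of a pipeline role's policy before the fix.
BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadArtifacts", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DecryptAnything", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    ],
}

# Constructed ARNs standing in for the two keys the role really uses.
KEY_ARNS = [
    "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
    "arn:aws:kms:us-east-1:111122223333:key/66666666-7777-8888-9999-000000000000",
]

if __name__ == "__main__":
    print("before:", offending_statements(BEFORE))
    print("after: ", offending_statements(scope_to_keys(BEFORE, KEY_ARNS)))
```

Run it as-is to see the constructed policy flagged and then clean after scoping; to check a real account, pass `boto3.client("iam")` to `scan_customer_managed_policies` and use the returned ARN-to-Sid map as the worklist for step 2.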
Remediation script · bash

```bash
# Stop the irreversible clock first: cancel any scheduled deletion, then re-enable.
for k in $(aws kms list-keys --query 'Keys[].KeyId' --output text); do
  state=$(aws kms describe-key --key-id "$k" \
    --query 'KeyMetadata.KeyState' --output text)
  if [ "$state" = "PendingDeletion" ]; then
    aws kms cancel-key-deletion --key-id "$k"
    aws kms enable-key --key-id "$k"   # cancel leaves it Disabled
    echo "$k: deletion cancelled and re-enabled"
  fi
done

# Turn rotation on for eligible customer-managed symmetric keys.
for k in $(aws kms list-keys --query 'Keys[].KeyId' --output text); do
  read -r mgr spec <<<"$(aws kms describe-key --key-id "$k" \
    --query 'KeyMetadata.[KeyManager,KeySpec]' --output text)"
  if [ "$mgr" = "CUSTOMER" ] && [ "$spec" = "SYMMETRIC_DEFAULT" ]; then
    aws kms enable-key-rotation --key-id "$k"
  fi
done
```

Full walkthrough (console steps, edge cases and verification) in the lesson Manage KMS encryption keys.