Compliance Medium severity

AWS Security Hub · KMS

KMS.2: Decrypt is granted on all KMS keys

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub KMS.2 check?

KMS.2 fails when an IAM principal has an inline policy allowing kms:Decrypt or kms:ReEncryptFrom on all keys (Resource: "*") rather than on specific key ARNs. The control inspects inline policies attached to users, groups, and roles.

Why does KMS.2 matter?

Decrypt on "*" means a single compromised principal can decrypt anything in the account that any key protects. In the 2019 Capital One breach the second act was exactly this — the compromised role's broad kms:Decrypt let the attacker get AWS to decrypt 100M+ records for them. Scoping the action to the handful of keys a workload actually uses stops a stolen credential from unlocking the whole estate.

How do I fix KMS.2?

  1. Inventory inline policies and flag kms:Decrypt or kms:ReEncryptFrom paired with Resource: "*".
  2. Determine which keys each principal genuinely uses from CloudTrail.
  3. Rewrite the Resource element to list those specific key ARNs.
  4. Where an exact ARN list is impractical, narrow with condition keys such as kms:ViaService or encryption-context constraints.
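As an added example (not Emnode's code and not the remediation script further down), the Python below walks steps 1, 3 and 4 of the fix over a constructed inline policy document: it flags Allow statements that grant kms:Decrypt or kms:ReEncryptFrom, directly or through wildcards such as kms:* or kms:Re*, on Resource "*" or an all-keys ARN pattern, and it rewrites a flagged statement so its KMS actions are limited to an explicit key ARN list, optionally narrowed with a kms:ViaService condition. The policy JSON, account id, key ARN and service name are constructed placeholders; step 2 (establishing real key usage from CloudTrail) is assumed to have been done already and its result is passed in as key_arns.

```python
import fnmatch
import json

# Constructed sample inline policy (placeholder values, not from the page):
# two over-broad statements and one that is already scoped correctly.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
SAMPLE_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": ["s3:GetObject", "kms:Decrypt"], "Resource": "*"},
        {"Sid": "BroadViaWildcard", "Effect": "Allow",
         "Action": "kms:Re*", "Resource": "arn:aws:kms:*:*:key/*"},
        {"Sid": "Scoped", "Effect": "Allow",
         "Action": "kms:Decrypt", "Resource": KEY_ARN},
    ],
}

FLAGGED_ACTIONS = ("kms:Decrypt", "kms:ReEncryptFrom")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_covers(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _matches_all_keys(resource):
    """True when a Resource entry covers every KMS key: a bare "*" or an ARN
    pattern whose region, account and key id are all wildcards. A pattern
    pinned to one region is not treated as all-keys here (a simplification)."""
    probe = "arn:aws:kms:any-region:000000000000:key/any-key"
    return resource == "*" or fnmatch.fnmatchcase(probe, resource)


def find_overbroad_kms_statements(policy_doc):
    """Step 1: return (Sid, [flagged actions]) for each Allow statement that
    grants kms:Decrypt or kms:ReEncryptFrom on all keys. Conditions are
    ignored on purpose (conservative: the statement is still reported)."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # NotAction grants everything except the listed patterns.
            excluded = _as_list(stmt["NotAction"])
            matched = [a for a in FLAGGED_ACTIONS
                       if not any(_action_covers(p, a) for p in excluded)]
        else:
            matched = [a for a in FLAGGED_ACTIONS
                       if any(_action_covers(p, a) for p in _as_list(stmt.get("Action")))]
        # NotResource means "everything except ...", which includes (almost) all keys.
        all_keys = "NotResource" in stmt or any(
            _matches_all_keys(r) for r in _as_list(stmt.get("Resource")))
        if matched and all_keys:
            findings.append((stmt.get("Sid", "<no Sid>"), matched))
    return findings


def scope_kms_statement(stmt, key_arns, via_service=None):
    """Steps 3 and 4: move the statement's KMS actions into a new statement whose
    Resource is the explicit key ARN list (optionally also constrained with
    kms:ViaService). Non-KMS actions stay in a copy of the original statement
    so their Resource is unchanged. Returns the list of replacement statements."""
    actions = _as_list(stmt.get("Action"))
    kms_actions = [a for a in actions if a.lower().startswith("kms:")]
    other_actions = [a for a in actions if a not in kms_actions]
    scoped = {"Sid": f"{stmt.get('Sid', 'Stmt')}ScopedKms", "Effect": "Allow",
              "Action": kms_actions, "Resource": list(key_arns)}
    condition = json.loads(json.dumps(stmt.get("Condition", {})))  # deep copy
    if via_service:
        condition.setdefault("StringEquals", {})["kms:ViaService"] = via_service
    if condition:
        scoped["Condition"] = condition
    replacements = [scoped]
    if other_actions:
        rest = dict(stmt)
        rest["Action"] = other_actions
        replacements.insert(0, rest)
    return replacements


if __name__ == "__main__":
    for sid, actions in find_overbroad_kms_statements(SAMPLE_INLINE_POLICY):
        print(f"KMS.2 finding: statement {sid} allows {actions} on all keys")
    fixed = scope_kms_statement(SAMPLE_INLINE_POLICY["Statement"][0], [KEY_ARN],
                                via_service="s3.us-east-1.amazonaws.com")
    print(json.dumps(fixed, indent=2))
```

Run the finder over each inline policy document returned by get-user-policy, get-group-policy or get-role-policy and feed the ARN list from your CloudTrail review into scope_kms_statement; the rewritten statements should then produce no findings when run back through the finder.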

Remediation script · bash

# Stop the irreversible clock first: cancel any scheduled deletion, then re-enable.
for k in $(aws kms list-keys --query 'Keys[].KeyId' --output text); do
  state=$(aws kms describe-key --key-id "$k" \
    --query 'KeyMetadata.KeyState' --output text)
  if [ "$state" = "PendingDeletion" ]; then
    aws kms cancel-key-deletion --key-id "$k"
    aws kms enable-key --key-id "$k"   # cancel leaves it Disabled
    echo "$k: deletion cancelled and re-enabled"
  fi
done

# Turn rotation on for eligible customer-managed symmetric keys.
for k in $(aws kms list-keys --query 'Keys[].KeyId' --output text); do
  read -r mgr spec <<<"$(aws kms describe-key --key-id "$k" \
    --query 'KeyMetadata.[KeyManager,KeySpec]' --output text)"
  if [ "$mgr" = "CUSTOMER" ] && [ "$spec" = "SYMMETRIC_DEFAULT" ]; then
    aws kms enable-key-rotation --key-id "$k"
  fi
done

Full walkthrough (console steps, edge cases and verification) in the lesson Manage KMS encryption keys.

Part of the learning path Lock down access
  • KMS.1 IAM policies should not allow decrypt on all KMS keys
  • KMS.3 A KMS key is scheduled for deletion and will take data with it
  • KMS.4 KMS key rotation should be enabled
  • KMS.5 A KMS key policy allows public access