AWS KMS key created with policy lockout safety check bypass
Description
AlphaSOC detected the creation of an AWS Key Management Service (KMS) key with the
BypassPolicyLockoutSafetyCheck parameter enabled. This safety mechanism
validates that key policies maintain administrative access, preventing
permanent lockout scenarios. Bypassing this check allows creating keys without
verifying ongoing administrative control.
Impact
Creating KMS keys without policy lockout protection can result in keys with overly restrictive policies that permanently block administrative access. This prevents future policy modifications and key management operations and potentially renders encrypted data inaccessible. Adversaries may exploit this capability to establish persistence or cause a Denial of Service (DoS) by creating keys with policies that exclude legitimate administrators.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS KMS key created with policy lockout safety bypass |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user who created the KMS key with
the BypassPolicyLockoutSafetyCheck parameter set to true. Examine the source
IP address, user agent, and session context for anomalies. Analyze the key
policy configuration to assess potential security risks. Verify if the bypass
was part of authorized operations through change management records. If
unauthorized, immediately delete the affected keys and recreate them with proper
safety checks enabled. Implement preventive controls through IAM policies that
restrict the BypassPolicyLockoutSafetyCheck parameter, and through AWS Organizations
Service Control Policies (SCPs).
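The investigation and prevention steps above, worked through as an added example (this is not AlphaSOC's or AWS's code). The script scans CloudTrail records for CreateKey and PutKeyPolicy calls made with bypassPolicyLockoutSafetyCheck set to true, pulls out the principal, source IP and user agent for review, applies a simple heuristic to the submitted key policy to judge whether it still grants a path to administration, and emits a deny statement built on the AWS condition key kms:BypassPolicyLockoutSafetyCheck for use in an IAM policy or SCP. The sample events, account ID, ARNs and IP addresses are constructed; the CloudTrail field names follow the documented record format. The policy heuristic is an assumption and is weaker than the real safety check, which verifies that the calling principal itself retains PutKeyPolicy rights.

```python
import json

# Constructed sample CloudTrail records (values are made up; field names follow
# the CloudTrail record format for KMS API calls).
SAMPLE_EVENTS = [
    {   # CreateKey with the bypass set and a policy that grants no admin rights
        "eventSource": "kms.amazonaws.com", "eventName": "CreateKey",
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {
            "bypassPolicyLockoutSafetyCheck": True,
            "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
                "Action": ["kms:Decrypt"], "Resource": "*"}]}),
        },
    },
    {   # Normal CreateKey: bypass left at its default of false
        "eventSource": "kms.amazonaws.com", "eventName": "CreateKey",
        "sourceIPAddress": "198.51.100.7", "userAgent": "console.amazonaws.com",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
        "requestParameters": {"bypassPolicyLockoutSafetyCheck": False},
    },
    {   # PutKeyPolicy with the bypass set, but the policy keeps root as admin
        "eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy",
        "sourceIPAddress": "198.51.100.7", "userAgent": "aws-sdk-go/1.44",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
        "requestParameters": {
            "bypassPolicyLockoutSafetyCheck": True,
            "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                "Action": "kms:*", "Resource": "*"}]}),
        },
    },
]

# Actions that keep a path to changing the key policy later (heuristic, an
# assumption for this example; the real safety check is stricter).
ADMIN_ACTIONS = {"kms:*", "kms:PutKeyPolicy", "*"}


def policy_retains_admin(policy_doc: str) -> bool:
    """True if any Allow statement grants an action that can rewrite the policy."""
    statements = json.loads(policy_doc).get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a in ADMIN_ACTIONS for a in actions):
            return True
    return False


def find_lockout_bypass(events):
    """Return review records for KMS calls made with the lockout safety check bypassed."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if ev.get("eventName") not in ("CreateKey", "PutKeyPolicy"):
            continue
        params = ev.get("requestParameters") or {}
        if not params.get("bypassPolicyLockoutSafetyCheck"):
            continue
        policy = params.get("policy")
        findings.append({
            "eventName": ev["eventName"],
            "principal": ev.get("userIdentity", {}).get("arn"),
            "sourceIPAddress": ev.get("sourceIPAddress"),
            "userAgent": ev.get("userAgent"),
            # None when the record carries no policy document to inspect
            "policy_retains_admin": policy_retains_admin(policy) if policy else None,
        })
    return findings


def deny_bypass_policy() -> dict:
    """Preventive control: deny CreateKey/PutKeyPolicy whenever the bypass
    parameter is true. kms:BypassPolicyLockoutSafetyCheck is the documented
    AWS condition key; usable as an IAM policy or an SCP statement."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyKmsPolicyLockoutBypass", "Effect": "Deny",
        "Action": ["kms:CreateKey", "kms:PutKeyPolicy"], "Resource": "*",
        "Condition": {"Bool": {"kms:BypassPolicyLockoutSafetyCheck": "true"}}}]}


if __name__ == "__main__":
    for finding in find_lockout_bypass(SAMPLE_EVENTS):
        print(json.dumps(finding))
    print(json.dumps(deny_bypass_policy(), indent=2))
```

Records whose policy_retains_admin is False are the ones to prioritise: the bypass was used and the submitted policy grants nobody the right to fix it. Records where it is True still warrant checking against change management, since the bypass was unnecessary for that policy and may indicate scripted or unfamiliar tooling.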