iam-customer-policy-blocked-kms-actions - AWS Config

iam-customer-policy-blocked-kms-actions

Checks that the managed AWS Identity and Access Management (IAM) policies that you create do not allow blocked actions on all AWS KMS keys. The rule is NON_COMPLIANT if any blocked action is allowed on all AWS KMS keys by the managed IAM policy.

Identifier: IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS

Trigger type: Configuration changes

AWS Region: All supported AWS regions except Asia Pacific (Osaka) Region

Parameters:

blockedActionsPatterns
Type: CSV

Comma-separated list of blocked KMS action patterns, for example, kms:*, kms:Decrypt, kms:ReEncrypt*.

AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.