KMS Key Policy Exposure

Are your encryption keys accessible from outside your account?

What this looks like in the scanner (securecompass.io/public-exposure-scanner)

  Critical: prod-data-encryption-key. KMS key policy grants kms:Decrypt to Principal: "*", allowing any AWS account to decrypt data.
  High: backup-encryption-key. KMS key has grants to external AWS accounts without a kms:ViaService condition.
  Medium: app-signing-key. Customer-managed KMS key does not have automatic key rotation enabled.

What does AWS KMS public exposure mean?

KMS key policies can grant access to external AWS accounts or any principal. An overly permissive key policy means external parties could encrypt or decrypt data using your keys.

Why it matters

KMS keys protect your most sensitive data. If an external actor can use your keys, they can decrypt data they shouldn't have access to, or encrypt your data with a key you can't control.

How to check manually

  1. Review KMS key policies for Principal: "*" or external account IDs
  2. Check for grants that allow cross-account access
  3. Verify key rotation is enabled on customer-managed keys
  4. Review CloudTrail logs for unexpected key usage

Quick check with AWS CLI

List KMS keys and check their key policies (with --output text the key IDs come back tab-separated on one line, so split them into one ID per line before handing them to xargs; this covers AWS-managed keys as well as customer-managed ones)
aws kms list-keys --query "Keys[].KeyId" --output text | tr '\t' '\n' | xargs -I {} aws kms get-key-policy --key-id {} --policy-name default --output text
Check key rotation status for all keys (the key ID is passed to sh as a positional argument instead of being substituted into the command string)
aws kms list-keys --query "Keys[].KeyId" --output text | tr '\t' '\n' | xargs -I {} sh -c 'echo "Key: $1"; aws kms get-key-rotation-status --key-id "$1"' _ {}
List grants for a specific KMS key, including any constraints attached to them (replace YOUR_KEY_ID with the key ID or key ARN)
aws kms list-grants --key-id YOUR_KEY_ID --query "Grants[].{GranteePrincipal:GranteePrincipal,Operations:Operations,Constraints:Constraints}"
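
The first check above only prints the raw policy documents. As an added example (not part of the scanner or of this page), the following Python function parses a key policy document of the kind get-key-policy returns and flags Allow statements that a principal outside your account could use; the sample policy and the account IDs in it are constructed, and any statement carrying a Condition is treated as scoped and left for manual review.

```python
import json

# Constructed sample key policy (no real account IDs): a normal root statement,
# an open kms:Decrypt statement, and an unconditioned grant to another account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRoot", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "OpenDecrypt", "Effect": "Allow", "Principal": "*",
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "Partner", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:role/backup"},
         "Action": "kms:Encrypt", "Resource": "*"},
    ],
})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_accounts(principal):
    """Return the account IDs a statement's Principal names, or {'*'} for anyone."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for entry in _as_list(principal.get("AWS", [])):
        if entry == "*":
            accounts.add("*")
        elif entry.isdigit():          # bare account ID
            accounts.add(entry)
        else:                          # arn:aws:iam::<account>:<name>
            accounts.add(entry.split(":")[4])
    return accounts


def find_external_access(policy_json, own_account):
    """List (Sid, severity, accounts, actions) for unconditioned Allow statements
    usable from outside own_account. '*' is Critical, a named foreign account High."""
    findings = []
    for statement in json.loads(policy_json)["Statement"]:
        if statement.get("Effect") != "Allow" or "Condition" in statement:
            continue  # Deny statements and conditioned statements are not flagged here
        outside = principal_accounts(statement.get("Principal", {})) - {own_account}
        if outside:
            severity = "Critical" if "*" in outside else "High"
            findings.append((statement.get("Sid", "?"), severity,
                             sorted(outside), _as_list(statement["Action"])))
    return findings
```

Run it over the policy text of each key with your own account ID to get the same Critical/High split the scanner findings above use.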

Common misconfigurations

Key policy allowing access to any AWS principal
Cross-account grants without condition keys
Key rotation not enabled
Unused keys still active

Check all 22 resource types at once

Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.
