Restrict the Decrypt operation to authorised principals only, applying the principle of least privilege to protect sensitive data.
Limit Decrypt Permissions
CCC.KeyMgmt.CN02 · Access
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.KeyMgmt.CP10 | Decrypt data | Provides the ability to securely decrypt data using a managed key in the supported encryption algorithms. |
| CCC.KeyMgmt.CP17 | Enable key | Supports the ability to re-enable a disabled managed key. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.KeyMgmt.TH02 | Unrestricted Use of a KMS Key to Decrypt Data | Misconfigured permissions that allow broad invocation of the Decrypt API can expose plaintext data, enabling unintended disclosure or exfiltration of sensitive information. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.KeyMgmt.CN02.AR01 | When IAM roles and key policies are reviewed, Decrypt permission MUST be granted exclusively to documented authorised principals. | tlp-green |
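
One way to automate the CCC.KeyMgmt.CN02.AR01 review, as an added example that is not part of the control catalogue. It assumes an AWS KMS-style JSON key policy (the catalogue itself is provider-neutral); the account ID, role names and the `audit_decrypt_grants` helper are constructed for illustration.

```python
import fnmatch

DECRYPT = "kms:decrypt"  # AWS KMS action, lower-cased: IAM action matching ignores case

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def _covers_decrypt(patterns):
    return any(fnmatch.fnmatchcase(DECRYPT, p.lower()) for p in _as_list(patterns))

def _grants_decrypt(stmt):
    if "NotAction" in stmt:  # Allow + NotAction grants everything except the listed patterns
        return not _covers_decrypt(stmt["NotAction"])
    return _covers_decrypt(stmt.get("Action"))

def _principals(stmt):
    principal = stmt.get("Principal")  # "*" or {"AWS": ..., "Service": ...}
    if isinstance(principal, dict):
        return [p for ids in principal.values() for p in _as_list(ids)]
    return _as_list(principal)

def audit_decrypt_grants(policy, authorised):
    """Return (Sid, principal) pairs that are allowed Decrypt but not in `authorised`."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _grants_decrypt(stmt):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotPrincipal" in stmt:  # allows everyone except the listed principals
            findings.append((sid, "NotPrincipal"))
            continue
        findings.extend((sid, p) for p in _principals(stmt) if p not in authorised)
    return findings

# Constructed sample: account ID and role names are placeholders, not from the control page.
ROLE = "arn:aws:iam::111122223333:role/"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppDecrypt", "Effect": "Allow", "Principal": {"AWS": ROLE + "payments-app"},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    {"Sid": "AdminAll", "Effect": "Allow", "Principal": {"AWS": [ROLE + "key-admin"]},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "AnyoneDecrypt", "Effect": "Allow", "Principal": "*", "Action": "kms:De*", "Resource": "*"},
    {"Sid": "IngestEncrypt", "Effect": "Allow", "Principal": {"AWS": ROLE + "ingest"},
     "Action": "kms:Encrypt", "Resource": "*"},
]}
AUTHORISED = {ROLE + "payments-app"}  # the documented authorised principals

if __name__ == "__main__":
    print(audit_decrypt_grants(SAMPLE_POLICY, AUTHORISED))
```

The check covers the key policy only and does not evaluate `Condition` elements. Where the key policy delegates to the account's IAM policies, or where grants are in use, those need the same review against the documented list.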