Misconfigured permissions that allow broad invocation of the Decrypt API can expose plaintext data, enabling unintended disclosure or exfiltration of sensitive information.
Crypto / Key / Threats / DEV
Unrestricted Use of a KMS Key to Decrypt Data
CCC.KeyMgmt.TH02
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.KeyMgmt.CP10 | Decrypt data | Provides the ability to securely decrypt data using a managed key in the supported encryption algorithms. |
| CCC.KeyMgmt.CP17 | Enable key | Supports the ability to re-enable a disabled managed key. |
Related Controls
| ID | Title | Description |
|---|---|---|
| CCC.KeyMgmt.CN02 | Limit Decrypt Permissions | Restrict the Decrypt operation to authorised principals only, applying the principle of least privilege to protect sensitive data. |
External Mappings
| Framework | ID | Remarks |
|---|---|---|
| MITRE-ATT&CK | T1550 | Use Alternate Authentication Material |