Automated file generation

annotated.json

@@ -1243,6 +1243,16 @@
       "DataAccess"
     ]
   },
+  "kms:CreateGrant": {
+    "access_level": "Permissions management",
+    "description": "Controls permission to add a grant to an AWS KMS key. You can use grants to add permissions without changing the key policy or IAM policy",
+    "service_name": "AWS Key Management Service",
+    "risk_category": [
+      "DataAccess",
+      "PrivEsc",
+      "ResourceExposure"
+    ]
+  },
   "lambda:GetFunction": {
     "access_level": "Read",
     "description": "Grants permission to view details about an AWS Lambda function",
@@ -2809,14 +2819,6 @@
       "ResourceExposure"
     ]
   },
-  "kms:CreateGrant": {
-    "access_level": "Permissions management",
-    "description": "Controls permission to add a grant to an AWS KMS key. You can use grants to add permissions without changing the key policy or IAM policy",
-    "service_name": "AWS Key Management Service",
-    "risk_category": [
-      "ResourceExposure"
-    ]
-  },
   "kms:PutKeyPolicy": {
     "access_level": "Permissions management",
     "description": "Controls permission to replace the key policy for the specified AWS KMS key",

annotated.yaml

@@ -1102,6 +1102,15 @@ DataAccess:
       - DataAccess
       service_name: Amazon Kinesis Video Streams
 
+  - kms:CreateGrant:
+      access_level: Permissions management
+      description: Controls permission to add a grant to an AWS KMS key. You can use grants to add permissions without changing the key policy or IAM policy
+      risk_category:
+      - DataAccess
+      - PrivEsc
+      - ResourceExposure
+      service_name: AWS Key Management Service
+
   - lambda:GetFunction:
       access_level: Read
       description: Grants permission to view details about an AWS Lambda function
@@ -1615,6 +1624,15 @@ PrivEsc:
       - ResourceExposure
       service_name: AWS Identity and Access Management (IAM)
 
+  - kms:CreateGrant:
+      access_level: Permissions management
+      description: Controls permission to add a grant to an AWS KMS key. You can use grants to add permissions without changing the key policy or IAM policy
+      risk_category:
+      - DataAccess
+      - PrivEsc
+      - ResourceExposure
+      service_name: AWS Key Management Service
+
 ResourceExposure:
   Actions:
 
@@ -2729,6 +2747,8 @@ ResourceExposure:
       access_level: Permissions management
       description: Controls permission to add a grant to an AWS KMS key. You can use grants to add permissions without changing the key policy or IAM policy
       risk_category:
+      - DataAccess
+      - PrivEsc
       - ResourceExposure
       service_name: AWS Key Management Service
 

policies/ALL.json

@@ -30,7 +30,8 @@
         "iam:ResyncMFADevice",
         "iam:SetDefaultPolicyVersion",
         "iam:UpdateAssumeRolePolicy",
-        "iam:UpdateLoginProfile"
+        "iam:UpdateLoginProfile",
+        "kms:CreateGrant"
       ],
       "Resource": "*"
     },
@@ -502,6 +503,7 @@
         "kinesis:GetRecords",
         "kinesisvideo:GetImages",
         "kinesisvideo:GetMedia",
+        "kms:CreateGrant",
         "lambda:GetFunction",
         "lambda:GetLayerVersion",
         "lightsail:GetContainerImages",

policies/DataAccess.json

@@ -112,6 +112,7 @@
         "kinesis:GetRecords",
         "kinesisvideo:GetImages",
         "kinesisvideo:GetMedia",
+        "kms:CreateGrant",
         "lambda:GetFunction",
         "lambda:GetLayerVersion",
         "lightsail:GetContainerImages",

policies/PrivEsc.json

@@ -30,7 +30,8 @@
         "iam:ResyncMFADevice",
         "iam:SetDefaultPolicyVersion",
         "iam:UpdateAssumeRolePolicy",
-        "iam:UpdateLoginProfile"
+        "iam:UpdateLoginProfile",
+        "kms:CreateGrant"
       ],
       "Resource": "*"
     }