
[REVIEW] aws-review: add KMS grant, XKS, and key-policy delegation evidence #1177

@stmr

Description

Skill Being Reviewed

Skill name: aws-review
Skill path: skills/cloud/aws-review/

False Positive Analysis

Benign code/configuration that can be misclassified:

{
  "Sid": "AllowUseFromWorkloadRoleOnlyViaService",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-prod"},
  "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "s3.us-east-1.amazonaws.com",
      "kms:CallerAccount": "111122223333"
    }
  }
}

Why this is a false positive:
The skill can over-focus on a broad Resource: "*" in KMS key policies. In a key policy, Resource is commonly "*" because the policy applies only to the key it is attached to. The real risk depends on principal scope, kms:ViaService, caller account, grant creation permissions, encryption context, and external-account delegation.

Coverage Gaps

Missed variant 1: unrestricted grant creation

{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci"},
  "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
  "Resource": "*"
}

Why it should be caught:
kms:CreateGrant can delegate decrypt/data-key permissions outside the visible IAM policy path. The review should require grant constraints, retiring principal controls, CloudTrail monitoring for CreateGrant, and evidence that stale grants are revoked.
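As an added example (not code from the aws-review skill or its author), a small Python linter that encodes the false-positive point above and this missed variant: it treats Resource "*" as expected in a key policy and instead reports unscoped principals, kms:CreateGrant without the kms:GrantIsForAWSResource condition, and decrypt/data-key use not pinned by kms:ViaService and kms:CallerAccount. The account id and role names are the placeholders from this issue.

```python
import json

# Constructed samples: the two statements quoted in this review (placeholder account id).
FALSE_POSITIVE = {
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-prod"},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": "*",
    "Condition": {"StringEquals": {
        "kms:ViaService": "s3.us-east-1.amazonaws.com",
        "kms:CallerAccount": "111122223333"}},
}
UNRESTRICTED_GRANT = {
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci"},
    "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
    "Resource": "*",
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_keys(stmt):
    """Collect every condition key regardless of operator (StringEquals, Bool, ...)."""
    keys = set()
    for kv in stmt.get("Condition", {}).values():
        keys.update(kv)
    return keys

def review_statement(stmt, key_account):
    """Findings for one key-policy statement. Resource "*" is deliberately not a
    finding: it is the normal shape for a policy attached to the key itself."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    principal = stmt.get("Principal", {})
    principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    conds = _condition_keys(stmt)
    for p in principals:
        if p == "*":
            findings.append("wildcard principal")
        elif p.startswith("arn:aws:iam::") and p.split(":")[4] != key_account:
            findings.append("external-account principal: " + p)
    # Grants delegate key use outside the visible policy path; require the
    # kms:GrantIsForAWSResource condition so only AWS services can create them.
    if actions & {"kms:creategrant", "kms:*", "*"} and "kms:GrantIsForAWSResource" not in conds:
        findings.append("kms:CreateGrant allowed without kms:GrantIsForAWSResource")
    # Data-plane use should be pinned to a calling service and a caller account.
    if actions & {"kms:decrypt", "kms:generatedatakey", "kms:*", "*"} and not (
            {"kms:ViaService", "kms:CallerAccount"} <= conds):
        findings.append("decrypt/data-key use not scoped by kms:ViaService and kms:CallerAccount")
    return findings

def review_policy(policy_json, key_account):
    """Map Sid (or statement index) to findings for a whole key policy document."""
    doc = json.loads(policy_json)
    return {s.get("Sid", str(i)): review_statement(s, key_account)
            for i, s in enumerate(_as_list(doc["Statement"]))}
```

This is only the key-policy half of effective access; the edge case below (a restrictive key policy beside a broad IAM identity policy) still needs the IAM policies and existing grants reviewed alongside it.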

Missed variant 2: external key store or multi-Region key without operational evidence

resource "aws_kms_external_key" "payments" {
  description = "payment data key"
}

Why it should be caught:
External key store and multi-Region key designs add availability, failover, and policy-propagation risks that CIS baseline checks do not cover. The skill should ask for XKS connectivity, break-glass, rotation, replica policy, and recovery evidence.

Edge Cases

  • A key policy can look restrictive while IAM identity policies grant kms:CreateGrant broadly.
  • Service-linked roles may need kms:ViaService; flagging them without context causes false positives.
  • Multi-account organizations need evidence from every account and region where grants or replicas exist.
  • Encryption context is important for shared keys used by multiple applications.

Remediation Quality

  • Fix resolves the vulnerability
  • Fix doesn't introduce new security issues
  • Fix doesn't break functionality
  • Issues found: Current remediation focuses on CIS baseline posture, but KMS delegation needs separate evidence gates: effective key policy, IAM policy, grants, CloudTrail, encryption context, service constraints, external key store health, and replica policy drift.

Comparison to Other Tools

Tool                      Catches this?   Notes
Semgrep                   Partial         Can spot permissive JSON/HCL patterns, not effective KMS grant delegation.
CodeQL                    No              Not a source-code dataflow issue.
Other: Prowler/Steampipe  Partial         Can flag some KMS policy issues; review still needs grant and XKS operational evidence.

Overall Assessment

Strengths:
Good CIS AWS v3.0.0 map, useful IaC discovery patterns, and clear severity model for account posture review.

Needs improvement:
KMS effective access is under-modeled. Key policies, grants, service constraints, and external key stores need a specific review path beyond generic encryption checks.

Priority recommendations:

  1. Add a KMS effective-access subsection for key policy, IAM policy, grants, and kms:ViaService.
  2. Require CloudTrail evidence for grant creation, retirement, failed decrypts, and unexpected principals.
  3. Add XKS and multi-Region key evidence gates for availability, rotation, replica drift, and break-glass access.

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: PayPal samik4184@gmail.com
