AWS KMS Customer Master Keys For EFS Encryption
More Info:
Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys instead of AWS managed-keys (default keys used by the EFS service when there are no customer keys defined) in order to have more granular control over your data-at-rest encryption/decryption process.
Risk Level: High
Address: Security
Compliance Standards: ISO27001, HIPAA
Triage and Remediation
Check Cause
- Sign in to the AWS Management Console.
- Navigate to the API Gateway console. You can do this by typing “API Gateway” in the search bar and selecting it from the dropdown menu.
- In the API Gateway console, select the API you want to check.
- In the API details page, select the “Stages” option from the left-hand side menu. Here, you can see all the stages of your API. Click on the stage you want to check.
- In the stage editor, select the “Logs/Tracing” tab. Here, you can see the “CloudWatch Settings”. If the “Enable CloudWatch Logs” option is not selected, it means that AWS KMS Customer Master Keys for EFS Encryption is not enabled in API Gateway.
- First, install and configure the AWS CLI on your local machine by following the instructions provided by AWS. Make sure you have the necessary permissions to access the resources.
- Once the AWS CLI is installed and configured, use the following command to list all the API Gateways:

  ```bash
  aws apigateway get-rest-apis
  ```

  This command returns a list of all the API Gateways along with their details.
- Now, to check the AWS KMS Customer Master Keys for EFS Encryption, list all the resources of each API Gateway with the following command:

  ```bash
  aws apigateway get-resources --rest-api-id <rest-api-id>
  ```

  Replace <rest-api-id> with the ID of the API Gateway you want to check. This command returns a list of all the resources of the specified API Gateway.
- Finally, for each resource, check the aws:kms:KeyArn property. If this property is not set or is set to a key that is not a Customer Master Key, the EFS Encryption is misconfigured. Use the following command:

  ```bash
  aws apigateway get-integration --rest-api-id <rest-api-id> --resource-id <resource-id> --http-method <http-method>
  ```

  Replace <rest-api-id>, <resource-id>, and <http-method> with the ID of the API Gateway, the ID of the resource, and the HTTP method of the integration, respectively. This command returns the details of the integration, including the aws:kms:KeyArn property.
- Install and configure the AWS SDK for Python (Boto3) on your local system. This will allow you to interact with AWS services using Python.

  ```bash
  pip install boto3
  aws configure
  ```

- Create a Python script that uses Boto3 to list all the API Gateways in your AWS account.

  ```python
  import boto3


  def list_api_gateways():
      """Return the REST APIs visible in the configured account and region."""
      client = boto3.client('apigateway')
      response = client.get_rest_apis()
      return response['items']


  api_gateways = list_api_gateways()
  ```

- For each API Gateway, check if the EFS encryption is enabled. If the EFS encryption is not enabled, the API Gateway is misconfigured.

  ```python
  def check_efs_encryption(api_gateways):
      """Return the names of gateways whose key lookup does not come back Enabled."""
      client = boto3.client('kms')
      misconfigured_gateways = []
      for gateway in api_gateways:
          try:
              # Look the gateway ID up as a KMS key ID and inspect the key state.
              response = client.describe_key(KeyId=gateway['id'])
              if response['KeyMetadata']['KeyState'] != 'Enabled':
                  misconfigured_gateways.append(gateway['name'])
          except Exception as e:
              print(f"Error checking EFS encryption for {gateway['name']}: {e}")
      return misconfigured_gateways


  misconfigured_gateways = check_efs_encryption(api_gateways)
  ```

- Print out the names of the misconfigured API Gateways.

  ```python
  print("Misconfigured API Gateways:")
  for gateway in misconfigured_gateways:
      print(gateway)
  ```

This script lists all the API Gateways in your AWS account and checks whether EFS encryption is enabled for each one. If EFS encryption is not enabled, the script prints the name of the API Gateway.
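As an added example, not the page's own script, here is the check described under "More Info" written directly against efs:DescribeFileSystems and kms:DescribeKey with Boto3: a file system is flagged when it is unencrypted, when its key is AWS-managed (KeyManager 'AWS', the EFS default), or when its CMK is not in the Enabled state. The file-system and key records below are constructed sample data; audit_account runs the same logic against a live account.

```python
from typing import Callable, Iterable, List, Optional

def classify_file_system(fs: dict, key: Optional[dict]) -> Optional[str]:
    """fs: one efs:DescribeFileSystems entry; key: KeyMetadata of its KmsKeyId (None if
    unencrypted or not describable). Returns a finding string, or None if compliant."""
    fs_id = fs["FileSystemId"]
    if not fs.get("Encrypted"):
        return f"{fs_id}: not encrypted at rest"
    if key is None:
        return f"{fs_id}: key {fs.get('KmsKeyId')} could not be described"
    # KeyManager is 'AWS' for the EFS service default key and 'CUSTOMER' for a CMK.
    if key.get("KeyManager") != "CUSTOMER":
        return f"{fs_id}: encrypted with AWS-managed key {key.get('KeyId')}"
    if key.get("KeyState") != "Enabled":
        return f"{fs_id}: CMK {key.get('KeyId')} is {key.get('KeyState')}"
    return None

def audit_file_systems(file_systems: Iterable[dict],
                       describe_key: Callable[[str], Optional[dict]]) -> List[str]:
    # describe_key is injected so this runs against constructed data or a live KMS client.
    findings = []
    for fs in file_systems:
        key = describe_key(fs["KmsKeyId"]) if fs.get("Encrypted") and fs.get("KmsKeyId") else None
        finding = classify_file_system(fs, key)
        if finding:
            findings.append(finding)
    return findings

def audit_account(region_name: str = "us-east-1") -> List[str]:
    """Live run: page through efs:DescribeFileSystems and resolve keys via kms:DescribeKey."""
    import boto3  # imported lazily so the pure functions above run without the SDK installed
    from botocore.exceptions import ClientError
    efs, kms = boto3.client("efs", region_name=region_name), boto3.client("kms", region_name=region_name)
    def describe_key(key_id: str) -> Optional[dict]:
        try:
            return kms.describe_key(KeyId=key_id)["KeyMetadata"]
        except ClientError:  # NotFoundException, AccessDenied, ... surfaces as a finding
            return None
    file_systems = [fs for page in efs.get_paginator("describe_file_systems").paginate()
                    for fs in page["FileSystems"]]
    return audit_file_systems(file_systems, describe_key)

# Constructed sample data (not from a real account) covering each branch.
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-0000000000000001", "Encrypted": False},
    {"FileSystemId": "fs-0000000000000002", "Encrypted": True, "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aws-default"},
    {"FileSystemId": "fs-0000000000000003", "Encrypted": True, "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/customer-cmk"},
]
SAMPLE_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/aws-default": {"KeyId": "aws-default", "KeyManager": "AWS", "KeyState": "Enabled"},
    "arn:aws:kms:us-east-1:111122223333:key/customer-cmk": {"KeyId": "customer-cmk", "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
}
```

Running `audit_file_systems(SAMPLE_FILE_SYSTEMS, SAMPLE_KEYS.get)` reports the unencrypted and the AWS-managed-key file systems and passes the one on a customer CMK; the live run needs elasticfilesystem:DescribeFileSystems and kms:DescribeKey.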