Triage and Remediation
Remediation
Using Console
Follow these steps to remediate the “App-tier KMS Key Should Be In Use” misconfiguration in AWS using the AWS Management Console:
- Open the AWS Management Console and navigate to the AWS KMS service.
- Click on “Customer managed keys” from the left-hand menu.
- Search for the KMS key that is used to encrypt data at the app-tier.
- Check if the key is enabled and has an alias name.
- If the key is disabled, enable it by selecting the key and clicking on “Enable key” from the “Actions” menu.
- If the key does not have an alias name, add an alias by selecting the key and clicking on “Add alias” from the “Actions” menu.
- Provide an alias name for the key and click on “Create alias”.
- Now, navigate to the app-tier EC2 instance and stop the instance.
- Go to the EC2 instance details page and click on the “Volumes” tab.
- Select the root volume of the instance and click on “Actions” > “Create snapshot”.
- Once the snapshot is created, click on “Actions” > “Create image”.
- Provide a name and description for the image and select the KMS key that was enabled earlier in these steps.
- Click on “Create image”.
- Once the image is created, start a new EC2 instance from the image.
- Verify that the new instance is using the KMS key by checking the “Encryption” attribute of the root volume.
Using CLI
To remediate the “App-tier KMS Key Should Be In Use” misconfiguration for AWS using AWS CLI, follow these steps:
- Log in to the AWS Management Console.
- Open the AWS CLI and run the following command to check if the KMS key is in use:
  This command will list all the KMS keys available in your account.
- Identify the KMS key that should be used for the App-tier and note down its ARN.
- Open the AWS CLI and run the following command to update the App-tier to use the correct KMS key:
  Replace <environment-name> with the name of the environment that needs to be updated, and <KMS-key-ARN> with the ARN of the correct KMS key.
- Verify that the update was successful by running the following command:
  This command will return the details of the environment. Check that the APP_TIER_KMS_KEY_ID option is set to the correct KMS key ARN.
- Repeat the above steps for all environments in your AWS account that are affected by this misconfiguration.
Using Python
To remediate the “App-tier KMS Key Should Be In Use” misconfiguration in AWS using Python, you can follow these steps:
- First, you need to identify the App-tier KMS Key that should be used. You can do this by checking your AWS account to see if there is a KMS Key that is specifically designated for use with your App-tier resources. If there is, note down the ARN of the KMS Key.
- Next, you need to update your App-tier resources to use the designated KMS Key. You can do this by using the AWS SDK for Python (Boto3) to modify the resources’ encryption settings. Here’s an example code snippet that shows how to do this for an EC2 instance:
  This code modifies the encryption settings of the root EBS volume of an EC2 instance to use the designated KMS Key.
- Finally, you should verify that the App-tier resources are now using the designated KMS Key. You can do this by checking the encryption settings of the resources using the AWS Management Console or the AWS CLI.
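The verification step above can be scripted. The following is an added example, not code from the original page: it takes the response shapes of ec2.describe_instances() and ec2.describe_volumes() (captured with Boto3 or the CLI) and reports every app-tier root volume that is either unencrypted or encrypted with a key other than the designated one. The Tier=app tag, the key ARNs and the sample responses are assumptions constructed for the example.

```python
# Offline audit of app-tier EC2 root volumes against the designated KMS key.
# Works on the response shapes of ec2.describe_instances()/describe_volumes().

# Assumption: placeholder ARN of the designated app-tier key (not a real key).
APP_TIER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1111aaaa-0000-4000-8000-000000000001"

def root_volume_ids(instances_resp, tier="app"):
    """Map InstanceId -> root EBS VolumeId for instances tagged Tier=<tier>."""
    roots = {}
    for reservation in instances_resp.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get("Tier") != tier:
                continue
            for bdm in inst.get("BlockDeviceMappings", []):
                if bdm.get("DeviceName") == inst.get("RootDeviceName") and "Ebs" in bdm:
                    roots[inst["InstanceId"]] = bdm["Ebs"]["VolumeId"]
    return roots

def noncompliant_roots(instances_resp, volumes_resp, expected_key_arn=APP_TIER_KEY_ARN):
    """One finding per app-tier root volume that is not encrypted with expected_key_arn."""
    volumes = {v["VolumeId"]: v for v in volumes_resp.get("Volumes", [])}
    findings = []
    for instance_id, vol_id in sorted(root_volume_ids(instances_resp).items()):
        vol = volumes.get(vol_id, {})
        key = vol.get("KmsKeyId")  # DescribeVolumes reports the full key ARN
        if not vol.get("Encrypted", False):
            reason = "root volume is not encrypted"
        elif key != expected_key_arn:
            reason = f"encrypted with {key}, not the app-tier key"
        else:
            continue
        findings.append({"InstanceId": instance_id, "VolumeId": vol_id, "Reason": reason})
    return findings

def _inst(iid, vol, tier):  # one constructed DescribeInstances entry
    return {"InstanceId": iid, "RootDeviceName": "/dev/xvda", "Tags": [{"Key": "Tier", "Value": tier}],
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": vol}}]}

# Constructed sample: compliant app instance, unencrypted app instance, app instance on
# a different key (e.g. the AWS-managed EBS key), and a web-tier instance that is skipped.
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/2222bbbb-0000-4000-8000-000000000002"
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    _inst("i-0a", "vol-0a", "app"), _inst("i-0b", "vol-0b", "app"),
    _inst("i-0c", "vol-0c", "app"), _inst("i-0d", "vol-0d", "web")]}]}
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0a", "Encrypted": True, "KmsKeyId": APP_TIER_KEY_ARN},
    {"VolumeId": "vol-0b", "Encrypted": False},
    {"VolumeId": "vol-0c", "Encrypted": True, "KmsKeyId": OTHER_KEY_ARN},
    {"VolumeId": "vol-0d", "Encrypted": False}]}
```

Against live data, pass the dicts returned by `boto3.client("ec2").describe_instances()` and `describe_volumes()`; the check compares key ARNs, so resolve an alias to its ARN first if your designated key is referenced by alias.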