More Info:

All your AWS Key Management Service keys should be configured to be accessed only by trusted AWS accounts in order to protect against unauthorized cross account access. This will help prevent data breaches and loss.

Risk Level

High

Address

Security

Compliance Standards

AWSWAF

Triage and Remediation

Remediation

Using Console

To remediate the KMS Keys Should Not Allow Unknown Cross Account Access misconfiguration for AWS using the AWS console, follow the below steps:
  1. Log in to the AWS Management Console.
  2. Go to the AWS Key Management Service (KMS) console.
  3. Click on the “Customer managed keys” link located in the left-hand menu.
  4. Select the KMS key that is not configured properly.
  5. Click on the “Key policy” tab.
  6. Click on the “Edit” button.
  7. In the “Principal” section, remove any unknown or unauthorized cross-account access.
  8. Add the appropriate AWS account IDs or IAM roles that should have access to the KMS key.
  9. Click on the “Review policy” button.
  10. Review the changes and ensure that they are correct.
  11. Click on the “Save changes” button.
  12. Verify that the KMS key is now properly configured by testing it with authorized access.
By following these steps, you will have successfully remediated the KMS Keys Should Not Allow Unknown Cross Account Access misconfiguration for AWS using the AWS console.

To remediate the misconfiguration “KMS Keys Should Not Allow Unknown Cross Account Access” in AWS using AWS CLI, follow the below steps:
  1. Identify the KMS keys that allow unknown cross-account access: 
    aws kms list-keys --query "Keys[?KeyManager != 'AWS' && KeyState == 'Enabled']" --output text | awk '{print $1}' | while read key_id; do aws kms get-key-policy --key-id $key_id --policy-name default --query Policy --output text | grep -q "Effect\": \"Allow" && echo $key_id; done
  2. Remove the unknown cross-account access from the KMS key policy: 
    aws kms list-keys --query "Keys[?KeyManager != 'AWS' && KeyState == 'Enabled']" --output text | awk '{print $1}' | while read key_id; do aws kms get-key-policy --key-id $key_id --policy-name default --query Policy --output text | sed '/Effect\": \"Allow\"/,/\"Principal\": {/d' > policy.json && aws kms put-key-policy --key-id $key_id --policy-name default --policy file://policy.json && rm policy.json; done
  3. Verify that the unknown cross-account access has been removed: 
    aws kms list-keys --query "Keys[?KeyManager != 'AWS' && KeyState == 'Enabled']" --output text | awk '{print $1}' | while read key_id; do aws kms get-key-policy --key-id $key_id --policy-name default --query Policy --output text | grep -q "Effect\": \"Allow" && echo $key_id; done
    If there is no output, then the remediation is successful.
To remediate the misconfiguration “KMS Keys Should Not Allow Unknown Cross Account Access” for AWS using Python, you can follow these steps:
  1. Identify the KMS keys that are allowing unknown cross-account access. You can do this by using the AWS CLI command aws kms list-keys to get a list of all the KMS keys and then using the aws kms describe-key command to get the key policy for each key.
  2. Check the key policy to see if it allows unknown cross-account access. You can do this by looking for the "AWS" field in the Principal element of the policy. If the "AWS" field is set to "*" or does not include a specific account ID, then the key allows unknown cross-account access.
  3. Modify the key policy to remove the unknown cross-account access. You can do this by using the aws kms put-key-policy command to update the key policy. You will need to specify the key ID, the policy name, and the new policy document that removes the "AWS" field or replaces it with a specific account ID.
  4. Test the modified key policy to ensure that it no longer allows unknown cross-account access. You can do this by using the aws kms encrypt command to encrypt a test message using the modified key. If the encryption is successful, then the key policy has been remediated.
Here is an example Python script that can be used to remediate the misconfiguration:
import boto3
import json

# Initialize the KMS client
kms = boto3.client('kms')

# Get a list of all KMS keys
response = kms.list_keys()

# Loop through each key
for key in response['Keys']:
    # Get the key policy
    key_policy = kms.get_key_policy(KeyId=key['KeyId'], PolicyName='default')['Policy']

    # Parse the policy document
    policy_doc = json.loads(key_policy)

    # Check if the policy allows unknown cross-account access
    if 'AWS' in policy_doc['Statement'][0]['Principal'] and \
        ('*' in policy_doc['Statement'][0]['Principal']['AWS'] or \
        len(policy_doc['Statement'][0]['Principal']['AWS']) == 1):
        
        # Modify the policy to remove the unknown cross-account access
        policy_doc['Statement'][0]['Principal']['AWS'] = ['arn:aws:iam::123456789012:root']

        # Update the key policy
        response = kms.put_key_policy(KeyId=key['KeyId'], PolicyName='default', Policy=json.dumps(policy_doc))

        # Print the result
        print('Key policy updated for key ' + key['KeyId'])
Note: Replace the account ID 123456789012 with your own account ID.

Additional Reading: