KMS Keys Should Not Allow Unknown Cross Account Access
More Info:
All your AWS Key Management Service (KMS) keys should be configured so that only trusted AWS accounts can use them, to protect against unauthorized cross-account access. This helps prevent data breaches and data loss.
Risk Level: High
Address: Security
Compliance Standards: AWSWAF
Triage and Remediation
Remediation
To remediate the KMS Keys Should Not Allow Unknown Cross Account Access misconfiguration for AWS using the AWS console, follow the below steps:
- Log in to the AWS Management Console.
- Go to the AWS Key Management Service (KMS) console.
- Click on the “Customer managed keys” link located in the left-hand menu.
- Select the KMS key that is not configured properly.
- Click on the “Key policy” tab.
- Click on the “Edit” button.
- In the “Principal” section, remove any unknown or unauthorized cross-account access: a "*" principal, or account root and role ARNs that belong to accounts you do not trust. Keep the statement that grants your own account root (arn:aws:iam::<your-account-id>:root) its permissions; without it the key becomes unmanageable.
- Add the appropriate AWS account IDs or IAM roles that should have access to the KMS key.
- Click on the “Review policy” button.
- Review the changes and ensure that they are correct.
- Click on the “Save changes” button.
- Verify that the KMS key is now properly configured by testing it with authorized access.
By following these steps, you will have successfully remediated the KMS Keys Should Not Allow Unknown Cross Account Access misconfiguration for AWS using the AWS console.
To remediate the misconfiguration “KMS Keys Should Not Allow Unknown Cross Account Access” in AWS using the AWS CLI, follow the below steps. The commands need jq, and TRUSTED must list your own account ID plus any other accounts that are allowed to use the keys; your own account must stay in every key policy, otherwise the key becomes unmanageable.
- Identify the customer-managed KMS keys whose default key policy allows a wildcard principal or a principal from an account outside TRUSTED (AWS-managed keys are skipped because their policies cannot be edited, and list-keys itself does not report the key manager or state, so describe-key is queried per key):
TRUSTED="111111111111 222222222222"
aws kms list-keys --query "Keys[].KeyId" --output text | tr '\t' '\n' | while read -r key_id; do
  [ "$(aws kms describe-key --key-id "$key_id" --query "KeyMetadata.KeyManager" --output text)" = "CUSTOMER" ] || continue
  aws kms get-key-policy --key-id "$key_id" --policy-name default --query Policy --output text \
    | jq -e --arg trusted "$TRUSTED" '($trusted | split(" ")) as $ok
        | any(.Statement[] | select(.Effect == "Allow") | .Principal | if type == "string" then . else (.AWS // empty) end | if type == "array" then .[] else . end;
              . == "*" or ((capture("::(?<a>[0-9]{12}):").a // "") as $a | ($ok | index($a)) == null))' > /dev/null && echo "$key_id"
done
- Remove the unknown cross-account access from the key policy of each key reported in step 1. Wildcard principals and principals from accounts not in TRUSTED are dropped; a statement left without any principal is dropped too, while Service principals are left untouched:
key_id="<key ID reported in step 1>"
aws kms get-key-policy --key-id "$key_id" --policy-name default --query Policy --output text \
  | jq --arg trusted "$TRUSTED" '($trusted | split(" ")) as $ok
      | .Statement |= map(
          if .Effect == "Allow" and (.Principal | type) == "object" and .Principal.AWS != null
          then .Principal.AWS |= ([ if type == "array" then .[] else . end ]
                 | map(select(. != "*" and ((capture("::(?<a>[0-9]{12}):").a // "") as $a | ($ok | index($a)) != null))))
          else . end)
      | .Statement |= map(select(.Principal != "*")
                          | if (.Principal | type) == "object" and .Principal.AWS == [] then del(.Principal.AWS) else . end
                          | select(.Principal != {}))' > policy.json
aws kms put-key-policy --key-id "$key_id" --policy-name default --policy file://policy.json && rm policy.json
- Verify that the unknown cross-account access has been removed by re-running the command from step 1.
If there is no output, then the remediation is successful.
To remediate the misconfiguration “KMS Keys Should Not Allow Unknown Cross Account Access” for AWS using Python, you can follow these steps:
- Identify the KMS keys that are allowing unknown cross-account access. You can do this by using the aws kms list-keys command to get a list of all the KMS keys and then using the aws kms get-key-policy command (boto3: get_key_policy) to get the default key policy for each key. Only customer-managed keys need checking, because the policies of AWS-managed keys cannot be edited.
- Check the key policy to see if it allows unknown cross-account access. For every statement with "Effect": "Allow" (not just the first one), look at the "AWS" field in the Principal element. If the "AWS" field is set to "*", if the Principal itself is "*", or if it contains an ARN whose account ID is neither your own account nor another account you trust, then the key allows unknown cross-account access.
- Modify the key policy to remove the unknown cross-account access. You can do this by using the aws kms put-key-policy command (boto3: put_key_policy) to update the key policy. You will need to specify the key ID, the policy name ("default") and the new policy document, in which the "AWS" field either omits the unknown principals or is replaced with the specific account IDs that should have access. Keep the statement that grants your own account root (arn:aws:iam::<your-account-id>:root) its permissions; without it the key becomes unmanageable.
- Test the modified key policy to ensure that it no longer allows unknown cross-account access. You can do this by using the aws kms encrypt command to encrypt a test message using the modified key from one of your authorized principals. If the encryption is successful, then the key policy has been remediated without breaking your own access; also read the policy back with aws kms get-key-policy to confirm that the unknown principals are gone.
Here is an example Python script that can be used to remediate the misconfiguration:
import boto3
import json

# Accounts allowed to use your keys: your own account ID plus any trusted accounts
TRUSTED_ACCOUNTS = {'123456789012'}

# Initialize the KMS client
kms = boto3.client('kms')


def account_of(principal):
    # Account ID behind an AWS principal; '*' and unparsable values give None
    if principal.isdigit():
        return principal
    parts = principal.split(':')            # arn:aws:iam::123456789012:root
    return parts[4] if len(parts) > 5 and parts[4].isdigit() else None


# Loop through every key; list_keys is paginated, so use the paginator
for page in kms.get_paginator('list_keys').paginate():
    for key in page['Keys']:
        key_id = key['KeyId']
        # Skip AWS-managed keys: their policies cannot be edited
        if kms.describe_key(KeyId=key_id)['KeyMetadata']['KeyManager'] != 'CUSTOMER':
            continue
        # Get and parse the default key policy
        policy_doc = json.loads(kms.get_key_policy(KeyId=key_id, PolicyName='default')['Policy'])
        changed, kept = False, []
        # Check every statement, not only the first one
        for stmt in policy_doc['Statement']:
            principal = stmt.get('Principal')
            if stmt['Effect'] == 'Allow' and principal == '*':
                changed = True                   # open to everyone: drop the statement
                continue
            if stmt['Effect'] == 'Allow' and isinstance(principal, dict) and 'AWS' in principal:
                aws = principal['AWS'] if isinstance(principal['AWS'], list) else [principal['AWS']]
                # Keep only principals that belong to a trusted account
                trusted = [p for p in aws if account_of(p) in TRUSTED_ACCOUNTS]
                if trusted != aws:
                    changed = True
                    if trusted:
                        principal['AWS'] = trusted
                    else:
                        del principal['AWS']
                    if not principal:            # no trusted principal left: drop the statement
                        continue
            kept.append(stmt)
        if changed:
            policy_doc['Statement'] = kept
            # Update the key policy
            kms.put_key_policy(KeyId=key_id, PolicyName='default', Policy=json.dumps(policy_doc))
            print('Key policy updated for key ' + key_id)
Note: Replace the account ID 123456789012 with your own account ID, and add any other trusted account IDs to TRUSTED_ACCOUNTS.
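The policy checks described in the steps above (which Principal forms count as unknown cross-account access, and how to strip them without touching Service principals or your own account) are easiest to see, and to unit-test, on a policy document alone, without calling AWS. The following is an added example and not code from the original page: it works offline on a constructed sample key policy whose account IDs and Sid names are made up, and the functions are pure, so they can be called on the JSON returned by get_key_policy in a script like the one above. Conditions such as kms:CallerAccount are not evaluated; a flagged statement that carries a Condition should be reviewed by hand rather than removed blindly.

```python
"""Offline audit of a KMS key policy for Allow grants to AWS principals outside
an allow-list of trusted account IDs, plus a cleaned copy of the policy.
Added example; all IDs below are constructed."""
import json
import re
from typing import Iterable, List, Optional, Tuple

# Account ID inside an IAM/STS principal ARN, e.g. arn:aws:iam::111111111111:role/x
ACCOUNT_IN_ARN = re.compile(r"^arn:aws[a-z-]*:(?:iam|sts)::(\d{12}):")


def account_of(principal: str) -> Optional[str]:
    """Account ID a principal string belongs to; None for '*' or anything unparsable."""
    if re.fullmatch(r"\d{12}", principal):   # bare account ID (KMS normalises these to root ARNs)
        return principal
    m = ACCOUNT_IN_ARN.match(principal)
    return m.group(1) if m else None


def aws_principals(statement: dict) -> List[str]:
    """AWS principals of a statement as a flat list; a bare "*" principal becomes ['*'].
    Service/Federated/CanonicalUser principals are not grants to other accounts and are ignored."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return []
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def untrusted_principals(policy: dict, trusted_accounts: Iterable[str]) -> List[Tuple[str, str]]:
    """(Sid, principal) for every Allow grant to a wildcard or to an untrusted account."""
    trusted = set(trusted_accounts)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for p in aws_principals(stmt):
            if account_of(p) not in trusted:
                findings.append((stmt.get("Sid", "<no Sid>"), p))
    return findings


def strip_untrusted(policy: dict, trusted_accounts: Iterable[str]) -> dict:
    """Copy of the policy with untrusted AWS principals removed. A statement whose
    principal set becomes empty is dropped; Service principals are left alone.
    Keep your own account in trusted_accounts, or the root grant is removed too."""
    trusted = set(trusted_accounts)
    cleaned = json.loads(json.dumps(policy))  # deep copy; the input is left untouched
    kept = []
    for stmt in cleaned.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            principal = stmt.get("Principal")
            if principal == "*":
                continue                      # open to everyone: drop the statement
            if isinstance(principal, dict) and "AWS" in principal:
                remaining = [p for p in aws_principals(stmt) if account_of(p) in trusted]
                if remaining:
                    principal["AWS"] = remaining
                else:
                    del principal["AWS"]
                if not principal:             # no Service etc. left either
                    continue
        kept.append(stmt)
    cleaned["Statement"] = kept
    return cleaned


# Constructed sample: a console-style default policy plus a foreign-account grant,
# a wildcard statement and a service principal (all IDs are made up).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:role/app-role",
                               "arn:aws:iam::999999999999:root"]},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
        {"Sid": "Anyone", "Effect": "Allow", "Principal": "*",
         "Action": "kms:Decrypt", "Resource": "*"},
        {"Sid": "Logs", "Effect": "Allow",
         "Principal": {"Service": "logs.eu-west-1.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    owner = {"111111111111"}
    for sid, p in untrusted_principals(SAMPLE_POLICY, owner):
        print(f"untrusted grant in statement {sid!r}: {p}")
    print(json.dumps(strip_untrusted(SAMPLE_POLICY, owner), indent=2))
```

Run against the sample with only 111111111111 trusted, the audit reports the 999999999999 root principal in "Allow use of the key" and the "*" principal in "Anyone"; the cleaned policy keeps the owner's root grant, the app-role grant and the Logs service grant, and drops the rest. Adding 999999999999 to the trusted set leaves only the wildcard finding.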