AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
KMS Keys Should Not Be Exposed
More Info:
Any publicly accessible AWS Key Management Service master keys should be identified and their access policy should be updated in order to stop any unsigned requests made to these resources.
Risk Level
High
Address
Security
Compliance Standards
AWSWAF, PCIDSS, GDPR
Triage and Remediation
Remediation
Sure, here are the step by step instructions to remediate this misconfiguration in AWS using the AWS console:
- Log in to the AWS Management Console.
- Go to the AWS KMS console.
- Click on the “Aliases” tab.
- Select the KMS key that is exposed.
- Click on the “Key Policy” button.
- Review the Key Policy to ensure that it is not exposing the KMS key.
- If the Key Policy is exposing the KMS key, click on the “Edit” button.
- Update the Key Policy to remove any permissions that expose the KMS key.
- Click on the “Review and Save” button.
- Review the changes made to the Key Policy.
- Click on the “Save Changes” button to save the updated Key Policy.
Once you have completed these steps, the KMS key will no longer be exposed and the misconfiguration will be remediated.
To remediate the issue of KMS Keys being exposed in AWS, you can follow the below steps using AWS CLI:
- List all the KMS keys in your AWS account by running the following command:
aws kms list-keys
-
Identify the KMS key(s) that are exposed and note down their Key IDs.
-
Remove the Key Policy from the KMS key(s) by running the following command:
aws kms put-key-policy --key-id <key-id> --policy-name default --policy "{}"
Replace <key-id> with the Key ID of the KMS key that you want to remediate.
- Verify that the Key Policy has been removed by running the following command:
aws kms get-key-policy --key-id <key-id> --policy-name default
Replace <key-id> with the Key ID of the KMS key that you remediated. This command should return an empty policy.
- Repeat steps 3 and 4 for all the exposed KMS keys in your AWS account.
By following the above steps, you can remediate the issue of KMS Keys being exposed in AWS.
To remediate the issue of KMS Keys being exposed in AWS using Python, you can follow the below steps:
Step 1: Identify the KMS keys that are exposed.
You can use the AWS CLI command aws kms list-keys to list all the KMS keys in your AWS account. Then, you can use the aws kms describe-key command to get the details of each key and check if any of them are exposed.
Step 2: Revoke the key policy that is exposing the KMS key.
You can use the aws kms put-key-policy command to revoke the key policy that is exposing the KMS key. Here’s an example of how you can do it:
import boto3
# Create a KMS client
kms = boto3.client('kms')
# Specify the key ID and the policy name
key_id = 'your_key_id'
policy_name = 'your_policy_name'
# Get the current key policy
key_policy = kms.get_key_policy(KeyId=key_id, PolicyName=policy_name)
# Revoke the key policy
key_policy['Policy'] = '{"Statement": []}'
kms.put_key_policy(KeyId=key_id, PolicyName=policy_name, Policy=json.dumps(key_policy['Policy']))
Step 3: Monitor the KMS keys to ensure they are not exposed again.
You can set up CloudWatch alarms to monitor the KMS keys and get notified if any of them are exposed again. You can also use AWS Config to monitor the KMS keys and get notified if any of the key policies are changed.