KMS Customer Master Key Should Be In Use
More Info:
You should have customer managed KMS keys (historically called customer master keys, CMKs) in use in your account instead of AWS managed keys, so that you control the key policy, grants, rotation schedule, and whether the key can be disabled or deleted, and therefore control the encryption and decryption of your data. AWS managed keys (aliases such as aws/ebs or aws/s3) cannot be managed this way.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the KMS Customer Master Key Should Be In Use misconfiguration in AWS using the AWS console, follow these steps:
- Open the AWS Management Console and navigate to the AWS Key Management Service (KMS) console.
- Click on the "Customer managed keys" option in the left-hand menu. Keys listed under "AWS managed keys" (aliases such as aws/ebs or aws/s3) do not satisfy this check; only keys in the customer managed list do.
- If no suitable customer managed key exists, click "Create key". Under Configure key, keep the defaults of Symmetric key type and Encrypt and decrypt key usage unless the workload needs otherwise, then click Next.
- Under Add labels, enter an alias and a description for the key, then click Next.
- Under Define key administrative permissions, select the IAM users and roles that may manage the key, then click Next.
- Under Define key usage permissions, select the IAM users and roles (and, if required, other AWS accounts) that may encrypt and decrypt with the key, then click Next.
- Review the generated key policy and click Finish.
- If an existing customer managed key is listed with the status Disabled, select it by clicking on its alias, open the "Key actions" dropdown menu, select "Enable", and confirm in the dialog. A disabled key cannot be used for new encryption operations.
- Point each service at the key. For example, in the EC2 console open Account attributes, EBS encryption and set the default KMS key to the new key; for an S3 bucket open Properties, Default encryption and choose SSE-KMS with the key's ARN. Changing a default does not re-encrypt existing data: existing volumes, snapshots and objects must be copied under the new key.
- Repeat the previous step for every service and resource that is still using an AWS managed key.
- Verify that the customer managed key is now in use by checking the compliance status of the resource or by running a compliance check.
By following these steps, you can remediate the KMS Customer Master Key Should Be In Use misconfiguration in AWS using the AWS console.
The misconfiguration "KMS Customer Master Key Should Be In Use" means that data at rest is either unencrypted or encrypted with an AWS managed key (alias/aws/ebs, alias/aws/s3 and so on) whose policy, rotation and lifecycle you cannot control, instead of a customer managed key. EBS volumes are the most common case; to remediate them using the AWS CLI, follow these steps:
- Identify volumes that are unencrypted, and volumes encrypted with a key you do not manage. Encrypted is a boolean, so the JMESPath literal needs backticks, and the query is single-quoted so the shell does not treat the backticks as command substitution:
aws ec2 describe-volumes --query 'Volumes[?Encrypted==`false`].VolumeId'
aws ec2 describe-volumes --query 'Volumes[?Encrypted==`true`].[VolumeId,KmsKeyId]'
For each KmsKeyId returned, KeyManager tells you whether the key is AWS managed or yours:
aws kms describe-key --key-id <kms-key-id> --query 'KeyMetadata.KeyManager'
AWS means an AWS managed key; CUSTOMER means a customer managed key.
- Create a customer managed key (or reuse an existing one) and give it an alias:
aws kms create-key --description "Customer managed key for EBS" --query 'KeyMetadata.KeyId'
aws kms create-alias --alias-name alias/ebs-cmk --target-key-id <kms-key-id>
- An existing volume cannot be re-encrypted in place (modify-volume has no encryption option). Snapshot it, copy the snapshot with encryption under the new key, create a volume from the encrypted copy, and swap it in. Stop the instance first if it is the root volume:
aws ec2 create-snapshot --volume-id <volume-id> --description "before re-encryption"
aws ec2 wait snapshot-completed --snapshot-ids <snapshot-id>
aws ec2 copy-snapshot --source-region <region> --source-snapshot-id <snapshot-id> --encrypted --kms-key-id <kms-key-id>
aws ec2 wait snapshot-completed --snapshot-ids <encrypted-snapshot-id>
aws ec2 create-volume --snapshot-id <encrypted-snapshot-id> --availability-zone <availability-zone> --volume-type <volume-type>
aws ec2 detach-volume --volume-id <volume-id>
aws ec2 attach-volume --volume-id <new-volume-id> --instance-id <instance-id> --device <device>
Replace <volume-id> with the ID of the original volume, <kms-key-id> with the ID or ARN of the customer managed key, and the remaining placeholders with the values for your instance. A volume created from an encrypted snapshot is encrypted with the snapshot's key, so the key does not need to be repeated on create-volume. Delete the old volume and the unencrypted snapshot once the instance has been verified.
- Repeat the previous step for every volume that is unencrypted or encrypted with an AWS managed key.
- Make the customer managed key the regional default so that new volumes do not regress (both settings apply per region):
aws ec2 enable-ebs-encryption-by-default
aws ec2 modify-ebs-default-kms-key-id --kms-key-id <kms-key-id>
- Finally, verify that every volume is encrypted and that its KmsKeyId points at the customer managed key:
aws ec2 describe-volumes --query 'Volumes[*].[VolumeId,Encrypted,KmsKeyId]' --output table
Note: Make sure to test the remediation steps in a non-production environment before applying them to a production environment.
To remediate the misconfiguration of KMS Customer Master Key Should Be In Use in AWS using Python, follow these steps:
- Identify the AWS resources that are not using a customer managed key. Listing aliases shows which keys are AWS managed (their aliases start with alias/aws/), and describe-key reports the manager explicitly:
aws kms list-aliases
aws kms list-keys
aws kms describe-key --key-id <kms-key-id> --query 'KeyMetadata.KeyManager'
Then compare the key referenced by each resource (for example KmsKeyId on an EBS volume, or KMSMasterKeyID in a bucket's default encryption configuration) against the keys whose KeyManager is CUSTOMER. Note that aws kms list-grants lists the grants on one key, which tells you who may use it, not which resources use it.
- Once you have identified a resource that is not using a customer managed key, use the AWS SDK for Python (Boto3) to update it. For example, if the resource is an S3 bucket, the following code applies a bucket policy that denies any upload not encrypted with SSE-KMS under your customer managed key:
import json

import boto3

s3 = boto3.client('s3')
bucket_name = 'your-bucket-name'
kms_key_arn = 'your-kms-key-arn'  # the key ARN, not an alias: the condition key compares ARNs

bucket_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Uploads that omit the server-side encryption header entirely
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket_name}/*",
            "Condition": {
                "Null": {"s3:x-amz-server-side-encryption": "true"}
            }
        },
        {
            # Uploads that ask for SSE-S3 (AES256) or anything other than SSE-KMS
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket_name}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
            }
        },
        {
            # Uploads that use SSE-KMS but name a key other than the customer managed key
            "Sid": "DenyWrongKmsKey",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket_name}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}
            }
        }
    ]
}

s3.put_bucket_policy(
    Bucket=bucket_name,
    Policy=json.dumps(bucket_policy)
)
This code applies three Deny statements: the first rejects uploads that omit the server-side encryption header, the second rejects uploads that request an algorithm other than aws:kms, and the third rejects uploads that name a different KMS key. Together they force every new object to be encrypted under the customer managed key. The conditions must be split across statements; putting them in one statement ANDs them, so a request could only be denied if the header were both absent and equal to a value, and the policy would never fire. The policy affects new uploads only: objects already stored under the AWS managed aws/s3 key must be copied in place to be re-encrypted, and the bucket's default encryption (put_bucket_encryption) should also be set to SSE-KMS with the same key so the choice of key is recorded on the bucket itself.
- Repeat the above steps for any other AWS resources that are not using a KMS customer managed key.
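The identification step is described above for both the CLI and the Python remediation but never shown as working code. The following script is an added example, not part of this page or of any audit tool it documents: it implements the checks as pure functions over the response shapes of kms:DescribeKey, ec2:DescribeVolumes and s3:GetBucketEncryption, so they run offline against constructed sample data, and a separate run_live_audit() feeds the same functions from boto3. The account number, key IDs, volume IDs and bucket names are hypothetical. The S3 rule goes beyond the EBS case in the text: a bucket whose default encryption is SSE-KMS without a KMSMasterKeyID is flagged, because S3 then uses the AWS managed aws/s3 key.

```python
"""Audit which EBS volumes and S3 buckets use an enabled customer managed KMS key
(KeyManager == CUSTOMER) rather than an AWS managed key or no encryption at all.
Pure checks over API response shapes, testable offline; run_live_audit() is the
only function that calls AWS. All sample data below is constructed."""
from __future__ import annotations
from typing import Iterable, Optional

# Hypothetical account, key IDs and resource names used only in the samples.
ACCOUNT = "123456789012"
KEY_AWS_EBS = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1111aaaa-aws-managed-ebs"
KEY_CMK = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/2222bbbb-customer-managed"
KEY_CMK_DISABLED = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/3333cccc-customer-disabled"

# Constructed sample: kms:DescribeKey -> KeyMetadata for each key in the account
SAMPLE_KEYS = [
    {"Arn": KEY_AWS_EBS, "KeyManager": "AWS", "KeyState": "Enabled"},
    {"Arn": KEY_CMK, "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    {"Arn": KEY_CMK_DISABLED, "KeyManager": "CUSTOMER", "KeyState": "Disabled"},
]
# Constructed sample: ec2:DescribeVolumes -> Volumes[]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0plain", "Encrypted": False},
    {"VolumeId": "vol-0awskey", "Encrypted": True, "KmsKeyId": KEY_AWS_EBS},
    {"VolumeId": "vol-0cmk", "Encrypted": True, "KmsKeyId": KEY_CMK},
    {"VolumeId": "vol-0disabled", "Encrypted": True, "KmsKeyId": KEY_CMK_DISABLED},
]
# Constructed sample: bucket -> s3:GetBucketEncryption configuration, None if S3 reports none
SAMPLE_BUCKETS = {
    "logs-bucket": None,
    "data-bucket": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "secrets-bucket": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_CMK}}]},
}


def usable_customer_keys(key_metadata: Iterable[dict]) -> set[str]:
    """ARNs of keys you control and can use right now: CUSTOMER managed and Enabled.
    A disabled or pending-deletion customer key fails the check just like an AWS key."""
    return {k["Arn"] for k in key_metadata
            if k.get("KeyManager") == "CUSTOMER" and k.get("KeyState") == "Enabled"}


def is_customer_key(key_ref: Optional[str], customer_keys: set[str]) -> bool:
    """Match a key ARN or bare key ID; aliases cannot be resolved offline and never match."""
    return bool(key_ref) and (
        key_ref in customer_keys or any(arn.endswith("/" + key_ref) for arn in customer_keys))


def audit_volumes(volumes: Iterable[dict], customer_keys: set[str]) -> list[tuple[str, str]]:
    """(VolumeId, reason) for every volume not protected by an enabled customer managed key."""
    findings = []
    for vol in volumes:
        if not vol.get("Encrypted"):
            findings.append((vol["VolumeId"], "not encrypted"))
        elif not is_customer_key(vol.get("KmsKeyId"), customer_keys):
            findings.append((vol["VolumeId"], "encrypted with a key that is not an enabled customer managed key"))
    return findings


def audit_buckets(buckets: dict, customer_keys: set[str]) -> list[tuple[str, str]]:
    """(bucket, reason) for every bucket whose default encryption is not SSE-KMS under a customer key."""
    findings = []
    for name, config in buckets.items():
        if not config:
            findings.append((name, "no default encryption configuration"))
            continue
        rule = config["Rules"][0]["ApplyServerSideEncryptionByDefault"]
        if rule.get("SSEAlgorithm") != "aws:kms":
            findings.append((name, f"default encryption is {rule.get('SSEAlgorithm')}, not SSE-KMS"))
        elif not is_customer_key(rule.get("KMSMasterKeyID"), customer_keys):
            # SSE-KMS with no KMSMasterKeyID means the AWS managed aws/s3 key
            findings.append((name, "SSE-KMS uses the AWS managed key or an unknown key"))
    return findings


def run_live_audit(region: str = "us-east-1") -> list[tuple[str, str]]:
    """Feed the same checks from a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the checks above stay importable offline
    from botocore.exceptions import ClientError

    kms, ec2, s3 = (boto3.client(svc, region_name=region) for svc in ("kms", "ec2", "s3"))
    metadata = [kms.describe_key(KeyId=k["KeyId"])["KeyMetadata"]
                for page in kms.get_paginator("list_keys").paginate() for k in page["Keys"]]
    customer_keys = usable_customer_keys(metadata)
    volumes = [v for page in ec2.get_paginator("describe_volumes").paginate() for v in page["Volumes"]]
    buckets = {}
    for bucket in s3.list_buckets()["Buckets"]:
        try:
            buckets[bucket["Name"]] = s3.get_bucket_encryption(
                Bucket=bucket["Name"])["ServerSideEncryptionConfiguration"]
        except ClientError as err:
            if err.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
                raise
            buckets[bucket["Name"]] = None
    return audit_volumes(volumes, customer_keys) + audit_buckets(buckets, customer_keys)


if __name__ == "__main__":
    keys = usable_customer_keys(SAMPLE_KEYS)
    for resource, reason in audit_volumes(SAMPLE_VOLUMES, keys) + audit_buckets(SAMPLE_BUCKETS, keys):
        print(f"{resource}: {reason}")
```

Run as-is it reports the unencrypted volume, the volume on the aws/ebs key, the volume on the disabled customer key, the bucket with no default encryption and the bucket on SSE-S3; only vol-0cmk and secrets-bucket pass. Call run_live_audit("<region>") with credentials to get the same list for a real account, and note that it checks the keys referenced by each resource, which is what the compliance check cares about, rather than merely whether a customer managed key exists somewhere in the account.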