Kms key use remediation

Using Console

Using CLI

The misconfiguration “KMS Customer Master Key Should Be In Use” suggests that the AWS Key Management Service (KMS) is not being used to encrypt data at rest. To remediate this, you can follow these steps using AWS CLI:

Identify the resources that are not using KMS encryption. You can use the following command to list all the EBS volumes that are not encrypted with KMS:

aws ec2 describe-volumes --query "Volumes[?Encrypted=='false']"

Encrypt the EBS volumes with KMS. To do this, create a new KMS Customer Master Key (CMK) or use an existing one. You can use the following command to create a new CMK:

aws kms create-key --description "My new CMK"

Once you have a CMK, you can use it to encrypt the EBS volumes. You can use the following command to encrypt a specific EBS volume:

aws ec2 modify-volume --volume-id <volume-id> --encrypted --kms-key-id <kms-key-id>

Replace <volume-id> with the ID of the EBS volume and <kms-key-id> with the ID of the CMK.

Repeat step 3 for all the EBS volumes that are not encrypted with KMS.
Finally, verify that all the EBS volumes are encrypted with KMS. You can use the following command to list all the EBS volumes and their encryption status:

aws ec2 describe-volumes --query "Volumes[*].[VolumeId,Encrypted,KmsKeyId]"

Note: Make sure to test the remediation steps in a non-production environment before applying them to a production environment.

Using Python

To remediate the misconfiguration of KMS Customer Master Key Should Be In Use in AWS using Python, follow these steps:

Identify the AWS resource that is not using a KMS customer master key. This can be done by using the AWS CLI command aws kms list-aliases to list all the KMS customer master keys and aws kms list-grants to list all the grants for the KMS customer master keys.
Once you have identified the resource that is not using a KMS customer master key, you can use the AWS SDK for Python (Boto3) to update the resource to use a KMS customer master key. For example, if the resource is an S3 bucket, you can use the following code snippet to update the bucket policy to use a KMS customer master key:

import boto3
import json

s3 = boto3.client('s3')

bucket_name = 'your-bucket-name'
kms_key_arn = 'your-kms-key-arn'

bucket_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{}/*".format(bucket_name),
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

bucket_policy['Statement'][0]['Condition']['StringEquals'] = {
    "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn
}

s3.put_bucket_policy(
    Bucket=bucket_name,
    Policy=json.dumps(bucket_policy)
)

This code snippet updates the bucket policy to deny uploads of unencrypted objects and adds a condition to require the use of a KMS customer master key for server-side encryption of objects in the bucket.

Repeat the above steps for any other AWS resources that are not using a KMS customer master key.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Kms key use remediation

Triage and Remediation

Remediation