AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
KMS Key Policies Should Be Designed To Limit Number Of KMS Admins
More Info:
KMS key policies should be designed to limit the number of users who can perform encrypt and decrypt operations. Each application should use its own key to avoid over exposure.
Risk Level
Low
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of KMS Key Policies should be designed to limit the number of KMS Admins in AWS, follow the below steps using AWS Console:
- Open the AWS KMS Console.
- From the left navigation pane, choose “Customer managed keys”.
- Select the KMS key for which you want to remediate the misconfiguration.
- In the Key policy section, choose “Edit”.
- Update the key policy to include only the required number of IAM users or roles who need administrative access to the KMS key.
- Remove any unnecessary IAM users or roles from the key policy.
- Choose “Review policy”.
- Review the policy changes and ensure that the policy is designed to limit the number of KMS admins.
- Choose “Save changes” to save the updated key policy.
- Verify that only the required IAM users or roles have administrative access to the KMS key.
By following these steps, you can remediate the misconfiguration of KMS Key Policies should be designed to limit the number of KMS Admins in AWS.
To remediate this issue for AWS, you can follow these steps using AWS CLI:
-
Identify the KMS key ID that needs to be remediated.
-
Create a new IAM policy that grants the required permissions for KMS key management.
-
Attach the new IAM policy to an IAM user or role that needs to manage the KMS key.
-
Remove the KMS key administrator permissions from the existing IAM users or roles.
Here are the detailed steps:
Step 1: Identify the KMS key ID that needs to be remediated
Use the following command to list all the KMS keys in your AWS account:
aws kms list-keys
Identify the KMS key ID that needs to be remediated.
Step 2: Create a new IAM policy that grants the required permissions for KMS key management
Create a new IAM policy that grants the required permissions for KMS key management. Here’s an example of a policy that allows a user to manage a specific KMS key:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowKeyManagement",
"Effect": "Allow",
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
]
}
Replace the KMS key ARN with the ARN of the KMS key that needs to be managed.
Step 3: Attach the new IAM policy to an IAM user or role that needs to manage the KMS key
Use the following command to attach the new IAM policy to an IAM user or role:
aws iam attach-user-policy --user-name <user-name> --policy-arn <policy-arn>
Replace <user-name> with the name of the IAM user or role that needs to manage the KMS key, and <policy-arn> with the ARN of the new IAM policy.
Step 4: Remove the KMS key administrator permissions from the existing IAM users or roles
Use the following command to remove the KMS key administrator permissions from the existing IAM users or roles:
aws kms revoke-grant --key-id <key-id> --grant-id <grant-id>
Replace <key-id> with the ID of the KMS key, and <grant-id> with the ID of the grant that needs to be revoked.
Repeat this command for each grant that needs to be revoked.
By following these steps, you can remediate the misconfiguration of KMS key policies that should be designed to limit the number of KMS admins for AWS.
To remediate this misconfiguration in AWS using Python, you can follow these steps:
- First, you need to identify the KMS keys that have overly permissive key policies. You can use the
boto3library in Python to list all the KMS keys and their key policies.
import boto3
# Create a KMS client
kms = boto3.client('kms')
# List all the KMS keys
response = kms.list_keys()
# Loop through each key and print its key policy
for key in response['Keys']:
key_id = key['KeyId']
key_policy = kms.get_key_policy(KeyId=key_id, PolicyName='default')['Policy']
print(f"Key ID: {key_id} \nKey Policy: {key_policy}")
- Once you have identified the KMS keys with overly permissive key policies, you need to update their policies to limit the number of KMS admins. You can use the
put_key_policymethod to update the key policy.
import json
# Define the new key policy
new_policy = {
"Version": "2012-10-17",
"Id": "key-policy-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/Admin1",
"arn:aws:iam::123456789012:user/Admin2"
]
},
"Action": [
"kms:*"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": "*",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
# Update the key policy for a specific KMS key
response = kms.put_key_policy(
KeyId='1234abcd-12ab-34cd-56ef-1234567890ab',
PolicyName='default',
Policy=json.dumps(new_policy)
)
In the above code, you need to replace the KeyId with the ID of the KMS key that you want to update, and replace the AWS ARNs with the ARNs of the IAM users who should have KMS admin permissions.
- Repeat step 2 for all the KMS keys with overly permissive key policies.
By following these steps, you can remediate the misconfiguration of KMS key policies being designed to limit the number of KMS admins in AWS using Python.