Existence Of Specific AWS KMS CMKs
More Info:
Ensure that a specific list of AWS KMS Customer Master Keys (CMKs) are available for use in your AWS account in order to meet strict security and compliance requirements in your organization.
Risk Level: Low
Address: Security
Compliance Standards: CBP
Triage and Remediation
Remediation
The “Existence Of Specific AWS KMS CMKs” check fails when one or more of the customer managed keys (CMKs) your organization has designated as required is absent from the account and region, or is present but unusable because it is disabled or scheduled for deletion. Remediation means restoring or creating the required keys; nothing is deleted. To remediate this issue in the AWS Management Console, follow the below steps:
- Login to your AWS Management Console.
- Go to the AWS KMS console and switch to the region the check was run against (KMS keys are regional; a key in us-east-1 does not satisfy a requirement in eu-west-1).
- Click on “Customer managed keys” in the left-hand navigation menu.
- Compare the listed aliases and key IDs against your organization’s list of required CMKs.
- For a required key whose status is “Pending deletion”, open it and choose “Cancel key deletion”. The key comes back in the Disabled state, so then choose “Key actions” and “Enable”.
- For a required key whose status is “Disabled”, choose “Key actions” and “Enable”.
- For a required key that does not appear at all, click “Create key”, choose the key type and usage the workload needs (symmetric ENCRYPT_DECRYPT in most cases), assign the alias the workload expects, and set the key administrators and key users in the key policy.
Re-run the check once every required key shows as Enabled. Do not schedule key deletion as part of this remediation: a CMK that is pending deletion cannot encrypt or decrypt during the waiting period, and once it is deleted, data encrypted under it is unrecoverable.
The following steps remediate the “Existence Of Specific AWS KMS CMKs” misconfiguration for AWS using the AWS CLI:
- Start from your organization’s list of required CMKs. Identify keys by alias rather than key ID where possible, since key IDs differ per account and region while alias names are stable.
- List the keys and the aliases in the target region:
aws kms list-keys --region us-east-1
aws kms list-aliases --region us-east-1
list-keys returns only KeyId and KeyArn; list-aliases supplies the AliasName to TargetKeyId mapping you need to match the list of required keys.
- For each required key that is present, check its state:
aws kms describe-key --key-id <key-id>
KeyMetadata.KeyState must be Enabled. If it is PendingDeletion, cancel the deletion and then enable the key (cancelling returns the key in the Disabled state):
aws kms cancel-key-deletion --key-id <key-id>
aws kms enable-key --key-id <key-id>
If it is Disabled, run only the enable-key command.
- For each required key that is missing, create it and attach the expected alias. For example, for a key expected under the alias alias/prod-backup (an example alias) in us-east-1:
aws kms create-key --description "prod-backup" --key-usage ENCRYPT_DECRYPT --region us-east-1
aws kms create-alias --alias-name alias/prod-backup --target-key-id <KeyId from the create-key output> --region us-east-1
- Repeat for every required key and every region in scope, then re-run the check.
Note: aws kms schedule-key-deletion does the opposite of what this check asks for. If you do need to retire a CMK that is not on the required list, first confirm through CloudTrail that no resource still uses it; during the pending window (--pending-window-in-days accepts 7 to 30) the key cannot be used, and after deletion any data encrypted under it is permanently unrecoverable.
The misconfiguration “Existence Of Specific AWS KMS CMKs” means that certain AWS KMS Customer Master Keys (CMKs) required for encryption or decryption of data are missing or unusable. Remediating it from Python follows the same steps as the CLI, with the boto3 kms client in place of the aws command:
- Identify the required CMKs that are missing. The authoritative source is your organization’s list of required keys (normally by alias); CloudTrail KMS events and application error logs (for example NotFoundException or DisabledException on Encrypt or Decrypt calls) show which keys workloads actually try to use.
- Create the missing CMKs using the AWS KMS console, the AWS CLI, or boto3 kms.create_key. The equivalent AWS CLI command is:
aws kms create-key --description "My CMK" --key-usage ENCRYPT_DECRYPT
- Once the CMKs are created, grant the AWS services or IAM principals that need them access. Access to a CMK is governed by its key policy first: a grant or an IAM policy only takes effect if the key policy allows it. To issue a grant with the AWS CLI:
aws kms create-grant --key-id <key-id> --grantee-principal <IAM-user-ARN> --operations Encrypt Decrypt
- Update the code or configuration to use the new CMKs, preferably by alias so the reference survives if a key is ever recreated.
- Test the updated code or configuration to confirm that data encrypts and decrypts correctly under the new CMKs.
- Finally, monitor CloudTrail and alarm on ScheduleKeyDeletion and DisableKey events for the required keys so the condition is caught before the next audit rather than by a failing workload.
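The following Python script is an added example and not code from the original page or the tool it documents. It ties together the CLI and Python procedures above: it resolves each required alias through list_aliases (draining pagination), checks the backing key with describe_key, classifies each required key as Enabled, Disabled, PendingDeletion, AWS_MANAGED or MISSING, and emits the create / cancel-key-deletion / enable-key commands for each gap, never a deletion. The required alias list, key IDs and the FakeKms client are constructed so the script runs offline; in practice replace FakeKms with boto3.client("kms", region_name=...), whose list_aliases and describe_key responses have the shapes the fake mirrors.

```python
"""Audit that a required list of KMS CMKs exists, is customer-managed and Enabled,
and propose the AWS CLI fix for each gap. Added example with constructed data."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical organisation list. Keys are named by alias, not key id, because
# key ids differ per account and region while alias names are stable.
REQUIRED_ALIASES = ["alias/prod-rds", "alias/prod-s3-logs",
                    "alias/prod-secrets", "alias/prod-backup"]


@dataclass
class Finding:
    alias: str
    key_id: Optional[str]
    state: str        # Enabled | Disabled | PendingDeletion | AWS_MANAGED | MISSING | other KeyState
    compliant: bool


def list_all_aliases(kms):
    """Drain list_aliases using Marker/NextMarker; one page is capped server-side."""
    marker = None
    while True:
        kwargs = {"Limit": 100}
        if marker:
            kwargs["Marker"] = marker
        resp = kms.list_aliases(**kwargs)
        yield from resp["Aliases"]
        if not resp.get("Truncated"):
            return
        marker = resp["NextMarker"]


def audit_required_cmks(kms, required):
    """One Finding per required alias; compliant only for a customer key in state Enabled."""
    by_name = {a["AliasName"]: a for a in list_all_aliases(kms)}
    findings = []
    for name in required:
        alias = by_name.get(name)
        # alias/aws/* entries can exist with no TargetKeyId; no target means no usable key
        if alias is None or not alias.get("TargetKeyId"):
            findings.append(Finding(name, None, "MISSING", False))
            continue
        meta = kms.describe_key(KeyId=alias["TargetKeyId"])["KeyMetadata"]
        if meta["KeyManager"] != "CUSTOMER":
            findings.append(Finding(name, meta["KeyId"], "AWS_MANAGED", False))
            continue
        state = meta["KeyState"]
        findings.append(Finding(name, meta["KeyId"], state, state == "Enabled"))
    return findings


def remediation_plan(findings):
    """AWS CLI commands that restore each non-compliant key; deletion is never proposed."""
    cmds = []
    for f in findings:
        if f.compliant:
            continue
        if f.state == "PendingDeletion":
            # cancelling deletion leaves the key Disabled, so enabling is a second step
            cmds.append(f"aws kms cancel-key-deletion --key-id {f.key_id}")
            cmds.append(f"aws kms enable-key --key-id {f.key_id}")
        elif f.state == "Disabled":
            cmds.append(f"aws kms enable-key --key-id {f.key_id}")
        elif f.state == "MISSING":
            cmds.append(f'aws kms create-key --description "{f.alias}" --key-usage ENCRYPT_DECRYPT')
            cmds.append(f"aws kms create-alias --alias-name {f.alias} --target-key-id <KeyId from create-key>")
        else:
            cmds.append(f"# {f.alias} ({f.key_id}) is {f.state}: review manually")
    return cmds


class FakeKms:
    """Constructed stand-in for boto3.client('kms') so the example runs offline.
    Pages are capped at two aliases to exercise the pagination loop."""
    def __init__(self, aliases, keys):
        self._aliases, self._keys = aliases, keys

    def list_aliases(self, Limit=100, Marker=None):
        start, size = int(Marker or 0), min(Limit, 2)
        resp = {"Aliases": self._aliases[start:start + size],
                "Truncated": start + size < len(self._aliases)}
        if resp["Truncated"]:
            resp["NextMarker"] = str(start + size)
        return resp

    def describe_key(self, KeyId):
        return {"KeyMetadata": self._keys[KeyId]}


K1 = "1111aaaa-1111-1111-1111-111111111111"   # constructed key ids
K2 = "2222bbbb-2222-2222-2222-222222222222"
K3 = "3333cccc-3333-3333-3333-333333333333"
SAMPLE_ALIASES = [  # alias/prod-backup is deliberately absent
    {"AliasName": "alias/prod-rds", "TargetKeyId": K1},
    {"AliasName": "alias/prod-s3-logs", "TargetKeyId": K2},
    {"AliasName": "alias/aws/ebs"},                         # AWS-managed, no target yet
    {"AliasName": "alias/prod-secrets", "TargetKeyId": K3},
]
SAMPLE_KEYS = {
    K1: {"KeyId": K1, "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    K2: {"KeyId": K2, "KeyManager": "CUSTOMER", "KeyState": "PendingDeletion"},
    K3: {"KeyId": K3, "KeyManager": "CUSTOMER", "KeyState": "Disabled"},
}


def run_sample():
    findings = audit_required_cmks(FakeKms(SAMPLE_ALIASES, SAMPLE_KEYS), REQUIRED_ALIASES)
    return findings, remediation_plan(findings)


if __name__ == "__main__":
    findings, plan = run_sample()
    for f in findings:
        print(f"{f.alias:22} {f.state:16} {'OK' if f.compliant else 'FINDING'}")
    print("\n".join(plan))
```

Matching by alias rather than key ID is the design choice worth keeping when you adapt this: the check is "does the key my workloads reference exist and work", and workloads reference aliases. Run it once per region in scope, since a required alias present in one region says nothing about another.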