AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Unused Customer Master Key Should Be Removed
More Info:
Any disabled KMS Customer Master Keys in your AWS account should be removed in order to lower the cost of your monthly AWS bill.
Risk Level
Medium
Address
Operational Maturity, Cost optimization, Security
Compliance Standards
NIST
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the issue of an unused Customer Master Key in AWS:
- Log in to the AWS Management Console.
- Go to the AWS Key Management Service (KMS) console.
- In the left navigation pane, select “Customer managed keys.”
- Find the Customer Master Key (CMK) that is not being used and select it.
- In the “Key state” section, check if the key is enabled or disabled. If the key is enabled, disable it by selecting “Disable key” from the “Actions” dropdown menu.
- Once the key is disabled, select “Schedule key deletion” from the “Actions” dropdown menu.
- In the “Schedule key deletion” dialog box, specify the number of days for which you want to retain the key before it is deleted permanently. You can select a minimum of 7 days and a maximum of 30 days.
- Click on the “Schedule key deletion” button to schedule the deletion of the key.
By following these steps, you can remediate the issue of an unused Customer Master Key in AWS and ensure that your cloud environment is secure.
To remediate the misconfiguration of an unused customer master key in AWS using AWS CLI, you can follow these steps:
-
Open your AWS CLI and run the following command to list all the Customer Master Keys (CMKs) in your account:
aws kms list-keysThis command will return a list of all the CMKs in your account.
-
Identify the unused CMK that you want to remove and make sure that it is not being used by any resources or services in your account.
-
Run the following command to disable the CMK:
aws kms disable-key --key-id <key-id>Replace
<key-id>with the ID of the CMK that you want to disable. -
After disabling the CMK, run the following command to schedule the deletion of the CMK:
aws kms schedule-key-deletion --key-id <key-id> --pending-window-in-days 7Replace
<key-id>with the ID of the CMK that you want to delete and--pending-window-in-dayswith the number of days (between 7 and 30) that you want to wait before the CMK is permanently deleted. -
Verify that the CMK has been scheduled for deletion by running the following command:
aws kms list-scheduled-key-deletionsThis command will return a list of all the CMKs that are scheduled for deletion.
-
Once the scheduled deletion time has passed, the CMK will be permanently deleted from your account.
Note: Before deleting any CMK, it is important to ensure that it is not being used by any resources or services in your account. Deleting a CMK that is being used can cause data loss or service disruption.
To remediate the misconfiguration “Unused Customer Master Key Should Be Removed” in AWS using Python, you can follow the below steps:
- Import the necessary AWS SDKs and modules in Python.
- Use the AWS Key Management Service (KMS) API to list all the customer master keys (CMKs) in your AWS account.
- For each CMK, check if it is in use by any AWS resource or service. If not, delete the CMK.
- To delete a CMK, use the
boto3Python module to call thekms.delete_key()method and pass the CMK ID as a parameter.
Here is a sample Python code that can help you remediate the misconfiguration:
import boto3
# Create a KMS client
kms = boto3.client('kms')
# List all the customer master keys (CMKs)
response = kms.list_keys()
# For each CMK, check if it is in use by any AWS resource or service
for key in response['Keys']:
key_id = key['KeyId']
key_metadata = kms.describe_key(KeyId=key_id)
if not key_metadata['KeyMetadata']['Enabled']:
# If the CMK is disabled, delete it
print(f"Deleting disabled CMK {key_id}...")
kms.schedule_key_deletion(KeyId=key_id)
elif not key_metadata['KeyMetadata']['KeyUsage']:
# If the CMK is not in use, delete it
print(f"Deleting unused CMK {key_id}...")
kms.schedule_key_deletion(KeyId=key_id)
else:
print(f"Skipping CMK {key_id}: in use by {key_metadata['KeyMetadata']['KeyUsage']}")
print("CMK remediation completed.")
Note: Before running the code, make sure you have the necessary AWS credentials and permissions to access the KMS API. Also, make sure to test the code in a non-production environment before implementing it in a production environment.