Web-tier KMS Key Should Be In Use
More Info:
There should be one Amazon KMS Customer Master Key (CMK) created in your AWS account for the web tier in order to protect data that transits your AWS web stack, keep full control over the data encryption/decryption process, and meet compliance requirements.
Risk Level: Medium
Address: Security
Compliance Standards: CBP
Triage and Remediation
Remediation
To remediate the “Web-tier KMS Key Should Be In Use” misconfiguration in AWS using the AWS console, follow these steps:
1. Log in to the AWS Management Console.
2. Navigate to the AWS Key Management Service (KMS) dashboard.
3. Click on “Create key” to create a new KMS key.
4. Choose “Symmetric” as the key type and select “AWS managed” for the key material origin.
5. Enter a name for the key, such as “Web-tier KMS Key”.
6. Under “Key usage permissions”, grant the appropriate permissions to the IAM roles or users that require access to the key.
7. Click “Next” to review the key configuration settings, then click “Finish” to create the key.
8. Navigate to the Amazon Elastic Compute Cloud (EC2) dashboard.
9. Select the instance(s) that require the KMS key.
10. In the “Actions” menu, select “Instance Settings” and then “Modify IAM Role”.
11. Select the IAM role that requires access to the KMS key, and click “Save”.
12. Repeat steps 9-11 for any additional instances that require the KMS key.
By following these steps, you have created a new KMS key and configured the appropriate IAM roles to use it, remediating the “Web-tier KMS Key Should Be In Use” misconfiguration.
The “Web-tier KMS Key Should Be In Use” misconfiguration suggests that the web application is not using a KMS key to encrypt data at rest. To remediate this misconfiguration in AWS using the AWS CLI, follow these steps:
- Identify the KMS key that should be used by the web application. You can either create a new KMS key or use an existing KMS key.
- Use the AWS CLI to update the encryption configuration of the web application to use the KMS key. The command to update the encryption configuration depends on the type of storage used by the web application. For example, if the web application uses an S3 bucket to store data, you can use the following command (bucket encryption is managed through the s3api command set, not the high-level s3 commands):
aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"<kms-key-id>"}}]}'
Replace <bucket-name> with the name of the S3 bucket used by the web application and <kms-key-id> with the ID of the KMS key that should be used.
- Verify that the encryption configuration of the web application has been updated to use the KMS key. You can use the AWS CLI to retrieve the encryption configuration of the S3 bucket using the following command:
aws s3api get-bucket-encryption --bucket <bucket-name>
Replace <bucket-name> with the name of the S3 bucket used by the web application.
- Test the web application to ensure that it is still functioning correctly after the encryption configuration has been updated.
By following these steps, you can remediate the “Web-tier KMS Key Should Be In Use” misconfiguration in AWS using the AWS CLI.
To remediate the “Web-tier KMS Key Should Be In Use” misconfiguration in AWS using Python, follow these steps:
Step 1: Install the AWS SDK for Python (Boto3) using the following command:
pip install boto3
Step 2: Create a Boto3 client for AWS Key Management Service (KMS) using the following code:
import boto3
kms_client = boto3.client('kms')
Step 3: List the KMS keys in your AWS account using the following code:
# list_keys() returns one page; when response['Truncated'] is True,
# call it again with Marker=response['NextMarker'] to fetch the rest.
response = kms_client.list_keys()
for key in response['Keys']:
    print(key['KeyId'])
Step 4: Identify the KMS key that should be used for the web tier and store its Key ID in a variable.
Step 5: Update your web-tier instances to use the identified KMS key. This can be done by updating the instance launch configuration or by updating the instance user data.
For example, if you are using an EC2 instance, you can update its user data with the following code:
import base64
import boto3
ec2_client = boto3.client('ec2')
instance_id = 'INSTANCE_ID'  # the web-tier instance to update
# The instance metadata service (169.254.169.254) is read-only, so user data
# is read and rewritten through the EC2 API; the instance must be stopped first.
attr = ec2_client.describe_instance_attribute(InstanceId=instance_id, Attribute='userData')
current = base64.b64decode(attr['UserData'].get('Value', '')).decode()
# Update the KMS key ID in the user data
updated = current.replace('OLD_KMS_KEY_ID', 'NEW_KMS_KEY_ID')
# Save the updated user data (boto3 base64-encodes the bytes for you)
ec2_client.modify_instance_attribute(InstanceId=instance_id, UserData={'Value': updated.encode()})
Step 6: Verify that the web-tier instances are now using the correct KMS key by checking the instance user data or by using the AWS CLI or AWS Management Console.
By following these steps, you can remediate the “Web-tier KMS Key Should Be In Use” misconfiguration in AWS using Python.
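To detect this misconfiguration rather than only remediate it, the following is an added example (not code from this page) that implements the check behind the CLI and Python steps above: it looks for an enabled customer-managed KMS key identified by a "web-tier" alias (an assumed naming convention) and verifies that an S3 bucket's default encryption rule uses that key. All IDs, ARNs and sample responses are constructed.

```python
# Added detection example (not the page's own code). The functions take plain
# dicts shaped like the responses of kms.list_aliases, kms.describe_key and
# s3.get_bucket_encryption, so they run offline on the constructed samples
# below; the "web-tier" alias convention and every ID/ARN are assumptions.

def find_web_tier_key(aliases, key_metadata, marker="web-tier"):
    """Return the ARN of an enabled, customer-managed key whose alias contains
    `marker`, or None when no such key exists (the misconfiguration)."""
    for alias in aliases:
        if marker not in alias["AliasName"].lower():
            continue
        meta = key_metadata.get(alias.get("TargetKeyId"))
        if meta is None:
            continue
        # alias/aws/* keys are AWS-managed: the account does not control their
        # key policy or rotation, so they do not satisfy the check.
        if meta["KeyManager"] != "CUSTOMER" or meta["KeyState"] != "Enabled":
            continue
        return meta["Arn"]
    return None

def bucket_uses_key(sse_config, key_arn):
    """True when a default-encryption rule is aws:kms with the given key.
    KMSMasterKeyID may be stored as the ARN or the bare key ID, so accept both."""
    key_id = key_arn.rsplit("/", 1)[-1]
    for rule in sse_config.get("Rules", []):
        sse = rule.get("ApplyServerSideEncryptionByDefault", {})
        if sse.get("SSEAlgorithm") == "aws:kms" and sse.get("KMSMasterKeyID") in (key_arn, key_id):
            return True
    return False

# Constructed samples (not real account data).
WEB_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/bbbb-2222"
SAMPLE_ALIASES = [
    {"AliasName": "alias/aws/s3", "TargetKeyId": "aaaa-1111"},
    {"AliasName": "alias/web-tier-key", "TargetKeyId": "bbbb-2222"},
]
SAMPLE_KEYS = {
    "aaaa-1111": {"Arn": "arn:aws:kms:us-east-1:111122223333:key/aaaa-1111",
                  "KeyManager": "AWS", "KeyState": "Enabled"},
    "bbbb-2222": {"Arn": WEB_KEY_ARN, "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
}
GOOD_BUCKET_SSE = {"Rules": [{"ApplyServerSideEncryptionByDefault":
                              {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "bbbb-2222"}}]}
WEAK_BUCKET_SSE = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}

if __name__ == "__main__":
    key = find_web_tier_key(SAMPLE_ALIASES, SAMPLE_KEYS)
    print("web-tier key:", key, "| bucket compliant:", bucket_uses_key(GOOD_BUCKET_SSE, key))
```

Against a live account, feed it kms.list_aliases()['Aliases'], kms.describe_key(KeyId=...)['KeyMetadata'] for each alias, and s3.get_bucket_encryption(Bucket=...)['ServerSideEncryptionConfiguration']; a bucket with no default encryption makes get_bucket_encryption raise a ClientError with code ServerSideEncryptionConfigurationNotFoundError, which is itself a finding.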