Use Customer-Managed Keys instead of AWS-managed Keys
More Info:
Your RDS database instances should be using KMS CMK customer-managed keys rather than AWS managed-keys in order to have more granular control over your data-at-rest encryption/decryption process.
Risk Level: Medium
Address: Security
Compliance Standards: GDPR, NIST, AWSWAF, HITRUST, SOC2, NISTCSF, PCIDSS, FedRAMP
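The remediation below assumes you already know which instances are affected. The audit script that follows is an added example, not part of this page or of any vendor tooling: it classifies each RDS instance as unencrypted, encrypted with an AWS-managed key, or encrypted with a customer-managed key, using the KeyManager field that KMS DescribeKey returns ("AWS" for the service-owned aws/rds key, "CUSTOMER" for a CMK). The sample instance and key records, the account number and the key ARNs are constructed for the example; live_scan runs the same logic against a real account and needs boto3 plus read-only rds:DescribeDBInstances and kms:DescribeKey permissions.

```python
"""Audit RDS instances for storage encryption that relies on the AWS-managed KMS key.

Added example; the instance and key records below are constructed, not real account data.
"""
from typing import Dict, Iterable, List

try:
    import boto3  # needed only for live_scan()
except ImportError:  # pragma: no cover - offline classification still works
    boto3 = None

# Constructed stand-ins for describe_db_instances()['DBInstances'] entries.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1111aaaa-1111-1111-1111-111111111111"},
    {"DBInstanceIdentifier": "reports-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/2222bbbb-2222-2222-2222-222222222222"},
    {"DBInstanceIdentifier": "scratch-db", "StorageEncrypted": False},
]

# Constructed stand-ins for describe_key()['KeyMetadata'], keyed by key ARN.
# KeyManager is the authoritative signal: 'AWS' for service-owned keys such as
# alias/aws/rds, 'CUSTOMER' for a customer-managed key.
SAMPLE_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/1111aaaa-1111-1111-1111-111111111111":
        {"KeyManager": "AWS", "Description": "Default key that protects RDS volumes"},
    "arn:aws:kms:us-east-1:111122223333:key/2222bbbb-2222-2222-2222-222222222222":
        {"KeyManager": "CUSTOMER", "Description": "Customer Managed Key for RDS Encryption"},
}

UNENCRYPTED, AWS_MANAGED, CUSTOMER_MANAGED, UNKNOWN_KEY = (
    "UNENCRYPTED", "AWS_MANAGED", "CUSTOMER_MANAGED", "UNKNOWN_KEY")


def classify_instance(instance: dict, key_metadata: Dict[str, dict]) -> str:
    """Map one DBInstance record to an encryption posture."""
    if not instance.get("StorageEncrypted"):
        return UNENCRYPTED
    meta = key_metadata.get(instance.get("KmsKeyId", ""))
    if meta is None:
        # Key lives in another account/region or describe_key was denied:
        # do not silently assume it is a CMK.
        return UNKNOWN_KEY
    return AWS_MANAGED if meta.get("KeyManager") == "AWS" else CUSTOMER_MANAGED


def find_findings(instances: Iterable[dict], key_metadata: Dict[str, dict]) -> List[str]:
    """Identifiers of instances that fail the check (no CMK protecting data at rest)."""
    return sorted(
        inst["DBInstanceIdentifier"] for inst in instances
        if classify_instance(inst, key_metadata) != CUSTOMER_MANAGED
    )


def live_scan(region_name: str) -> Dict[str, str]:
    """Run the same classification against a real account.

    Requires boto3 and read-only rds:DescribeDBInstances / kms:DescribeKey.
    """
    rds = boto3.client("rds", region_name=region_name)
    kms = boto3.client("kms", region_name=region_name)
    instances = [
        inst for page in rds.get_paginator("describe_db_instances").paginate()
        for inst in page["DBInstances"]
    ]
    key_metadata: Dict[str, dict] = {}
    for inst in instances:
        key_id = inst.get("KmsKeyId")
        if inst.get("StorageEncrypted") and key_id and key_id not in key_metadata:
            key_metadata[key_id] = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    return {inst["DBInstanceIdentifier"]: classify_instance(inst, key_metadata)
            for inst in instances}


if __name__ == "__main__":
    for name in find_findings(SAMPLE_INSTANCES, SAMPLE_KEYS):
        print(f"FINDING: {name} is not encrypted with a customer-managed key")
```

Keying the lookup on the ARN matters because describe-db-instances reports KmsKeyId as a full key ARN, which DescribeKey accepts directly; an instance whose key cannot be described is reported as a finding rather than assumed compliant.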
Triage and Remediation
Remediation
To remediate the misconfiguration of using AWS-managed keys instead of Customer-Managed Keys for AWS RDS using the AWS console, follow these steps:
1. Create a Customer-Managed Key (CMK):
   - Go to the AWS Key Management Service (KMS) console.
   - Click on “Create key” to create a new CMK.
   - Choose the key creation method (Symmetric key or Asymmetric key) based on your requirements.
   - Define key administrative permissions and key usage permissions.
   - Click on “Finish” to create the CMK.
2. Update the RDS Instance to use the Customer-Managed Key:
   - Go to the Amazon RDS console.
   - Select the RDS instance for which you want to update the encryption key.
   - Click on “Modify” to modify the instance settings.
   - In the “Encryption” section, choose the option to encrypt using a Customer-Managed Key.
   - Select the Customer-Managed Key (CMK) that you created in step 1.
   - Click on “Continue” and review the changes.
   - Click on “Modify DB Instance” to apply the changes.
3. Monitor the Encryption Key Update:
   - Once you have modified the RDS instance to use the Customer-Managed Key, monitor the instance to ensure that the encryption key update is successful.
   - Check the RDS instance status and logs for any errors related to the encryption key update.
   - Verify that the RDS instance is using the Customer-Managed Key for encryption.
By following these steps, you can remediate the misconfiguration of using AWS-managed keys instead of Customer-Managed Keys for AWS RDS using the AWS console.
To remediate the misconfiguration of using AWS-managed keys for AWS RDS instances and switch to using Customer-Managed Keys, you can follow these steps using the AWS CLI:
1. Create a Customer Managed Key (CMK):
   - Use the AWS Key Management Service (KMS) to create a new Customer Managed Key (CMK) if you don’t already have one.
   - Run the following command to create a CMK:
       aws kms create-key --description "Customer Managed Key for RDS Encryption"
   - Note down the KeyId value from the output, as you will need it in the next steps.
2. Enable encryption with the Customer Managed Key for the RDS instance:
   - Move the RDS instance onto the newly created CMK. The KMS key of an existing RDS instance cannot be changed in place, so take a snapshot of the instance, copy the snapshot under the CMK, and restore a new instance from the encrypted copy.
   - Run the following commands, waiting for each snapshot to become available (aws rds wait db-snapshot-available) before running the next one:
       aws rds create-db-snapshot --db-instance-identifier YOUR_DB_INSTANCE_IDENTIFIER --db-snapshot-identifier YOUR_SNAPSHOT_IDENTIFIER
       aws rds copy-db-snapshot --source-db-snapshot-identifier YOUR_SNAPSHOT_IDENTIFIER --target-db-snapshot-identifier YOUR_ENCRYPTED_SNAPSHOT_IDENTIFIER --kms-key-id YOUR_CMK_KEY_ID
       aws rds restore-db-instance-from-db-snapshot --db-instance-identifier YOUR_NEW_DB_INSTANCE_IDENTIFIER --db-snapshot-identifier YOUR_ENCRYPTED_SNAPSHOT_IDENTIFIER
   - Replace YOUR_DB_INSTANCE_IDENTIFIER with the identifier of your RDS instance, YOUR_NEW_DB_INSTANCE_IDENTIFIER with the identifier for the restored instance, and YOUR_CMK_KEY_ID with the KeyId of the Customer Managed Key created in step 1. Once the restored instance is validated, point your applications at it and retire the original instance.
3. Verify the encryption settings:
   - Confirm that the restored RDS instance is now using the Customer Managed Key for encryption.
   - Run the following command to describe the RDS instance and verify the encryption settings:
       aws rds describe-db-instances --db-instance-identifier YOUR_NEW_DB_INSTANCE_IDENTIFIER --query "DBInstances[*].KmsKeyId"
   - Ensure that the KmsKeyId returned in the output matches the KeyId of the Customer Managed Key (the value is returned as the key ARN, which ends in that KeyId).
4. Monitor the RDS instance:
   - Monitor the RDS instance to ensure that there are no issues after switching to Customer Managed Key encryption.
   - Check the RDS instance logs and performance metrics to ensure everything is functioning as expected.
By following these steps, you can remediate the misconfiguration of using AWS-managed keys for AWS RDS instances and switch to using Customer-Managed Keys successfully using the AWS CLI.
To remediate this misconfiguration for AWS RDS using Python, you can follow these steps:
1. Create a Customer-Managed Key (CMK) in AWS Key Management Service (KMS):
   - Use the boto3 library in Python to create a new CMK in AWS KMS. Here is an example code snippet to create a CMK:
       import boto3

       kms_client = boto3.client('kms')
       response = kms_client.create_key(
           Description='My Customer-Managed Key',
           KeyUsage='ENCRYPT_DECRYPT',
           Origin='AWS_KMS',
       )
       cmk_id = response['KeyMetadata']['KeyId']
2. Update the RDS instance to use the Customer-Managed Key:
   - Use the boto3 library to move the RDS instance onto the newly created CMK. Because the KMS key of an existing RDS instance cannot be changed in place, the snippet snapshots the instance, copies the snapshot under the CMK, and restores a new instance from the encrypted copy:
       rds_client = boto3.client('rds')

       # Snapshot the existing instance and wait until the snapshot is usable
       rds_client.create_db_snapshot(
           DBInstanceIdentifier='your-rds-instance-id',
           DBSnapshotIdentifier='your-rds-snapshot',
       )
       rds_client.get_waiter('db_snapshot_available').wait(DBSnapshotIdentifier='your-rds-snapshot')

       # Copy the snapshot; the copy is encrypted with the CMK
       rds_client.copy_db_snapshot(
           SourceDBSnapshotIdentifier='your-rds-snapshot',
           TargetDBSnapshotIdentifier='your-rds-snapshot-cmk',
           KmsKeyId=cmk_id,
       )
       rds_client.get_waiter('db_snapshot_available').wait(DBSnapshotIdentifier='your-rds-snapshot-cmk')

       # Restore a new instance from the CMK-encrypted snapshot
       rds_client.restore_db_instance_from_db_snapshot(
           DBInstanceIdentifier='your-rds-instance-id-cmk',
           DBSnapshotIdentifier='your-rds-snapshot-cmk',
       )
   - Once the restored instance is validated, point your applications at it and retire the original instance.
3. Verify the changes:
   - You can verify that the restored RDS instance is now using the Customer-Managed Key by describing the RDS instance and checking the KmsKeyId attribute. Here is an example code snippet to describe the RDS instance:
       response = rds_client.describe_db_instances(
           DBInstanceIdentifier='your-rds-instance-id-cmk',
       )
       kms_key_id = response['DBInstances'][0]['KmsKeyId']
       print(f"KMS Key ID used by RDS instance: {kms_key_id}")
By following these steps and running the Python code, you can remediate the misconfiguration by using a Customer-Managed Key instead of AWS-managed Keys for your AWS RDS instance.