Event Information

  • The CreateKey event in AWS Key Management Service (KMS) refers to the action of creating a new customer master key (CMK) in KMS.
  • When this event occurs, it indicates that a new CMK has been created and is ready to be used for encrypting and decrypting data in AWS services and applications.
  • This event is important for auditing and compliance purposes, as it allows organizations to track the creation of new keys and monitor the usage of encryption in their AWS environment.

Examples

  • If the IAM user or role used to create the key does not have the necessary permissions, it can lead to security issues. It is important to ensure that only authorized users or roles have the necessary permissions to create keys in AWS KMS.
  • If the key policy associated with the created key is not properly configured, it can result in security vulnerabilities. The key policy should define the appropriate permissions for key usage and restrict access to only authorized entities.
  • If the key material is not properly protected, it can compromise the security of the key. AWS KMS automatically manages the key material, but it is important to ensure that the key material is securely stored and protected from unauthorized access.

Remediation

Using Console

  1. Identify the affected AWS KMS key:

    • Log in to the AWS Management Console.
    • Go to the AWS KMS service.
    • Navigate to the “Customer managed keys” section.
    • Look for the key mentioned in the previous response.

  2. Update key policy to restrict access:

    • Select the key and click on “Key policy” tab.
    • Review the existing key policy and identify the necessary changes based on the examples provided.
    • Click on “Edit” and modify the key policy accordingly.
    • Ensure that only authorized IAM users or roles have the necessary permissions.
    • Save the changes to update the key policy.

  3. Monitor and review key usage:

    • Enable AWS CloudTrail to capture API calls related to the KMS key.
    • Set up CloudWatch alarms to notify any suspicious or unauthorized key usage.
    • Regularly review the CloudTrail logs and CloudWatch alarms to identify any potential security issues.
    • Take necessary actions to investigate and remediate any unauthorized access or suspicious activities.

Note: It is important to thoroughly understand the existing key policy and the specific requirements of your organization before making any changes. It is recommended to test the changes in a non-production environment before applying them to production keys.

Using CLI

To remediate the issues related to AWS KMS using AWS CLI, you can follow these steps:

  1. Enable AWS KMS key rotation:

    • Use the enable-key-rotation command to enable key rotation for a specific AWS KMS key.
    • Example: aws kms enable-key-rotation --key-id <key-id>

  2. Enable AWS KMS key deletion protection:

    • Use the enable-key-deletion command to enable deletion protection for a specific AWS KMS key.
    • Example: aws kms enable-key-deletion --key-id <key-id>

  3. Enable AWS KMS key usage audit logging:

    • Use the enable-key-usage-logging command to enable key usage audit logging for a specific AWS KMS key.
    • Example: aws kms enable-key-usage-logging --key-id <key-id>

Note: Replace <key-id> with the actual ID of the AWS KMS key you want to remediate.

Using Python

To remediate the issues related to AWS KMS using Python, you can follow these steps:

  1. Enable AWS CloudTrail for KMS:
    • Use the boto3 library to create a new CloudTrail trail for KMS.
    • Set the appropriate parameters such as the S3 bucket to store the logs and the KMS key to encrypt the logs.
    • Enable logging for KMS API events by specifying the appropriate event selectors.
import boto3

def enable_cloudtrail_kms():
    client = boto3.client('cloudtrail')
    
    response = client.create_trail(
        Name='kms-trail',
        S3BucketName='your-s3-bucket',
        KmsKeyId='your-kms-key-id',
        IsMultiRegionTrail=True
    )
    
    response = client.update_trail(
        Name='kms-trail',
        EventSelectors=[
            {
                'ReadWriteType': 'All',
                'IncludeManagementEvents': True,
                'DataResources': [
                    {
                        'Type': 'AWS::KMS::Key',
                        'Values': ['*']
                    }
                ]
            }
        ]
    )
  1. Enable AWS Config for KMS:
    • Use the boto3 library to create a new AWS Config rule for KMS.
    • Specify the rule parameters such as the required KMS key tags and the desired compliance level.
import boto3

def enable_aws_config_kms():
    client = boto3.client('config')
    
    response = client.put_config_rule(
        ConfigRule={
            'ConfigRuleName': 'kms-key-tags',
            'Description': 'Enforce required tags on KMS keys',
            'Scope': {
                'ComplianceResourceTypes': [
                    'AWS::KMS::Key'
                ]
            },
            'Source': {
                'Owner': 'AWS',
                'SourceIdentifier': 'KMS_KEY_TAGS'
            },
            'InputParameters': '{"requiredTags": ["tag1", "tag2"]}',
            'MaximumExecutionFrequency': 'TwentyFour_Hours'
        }
    )
  1. Enable AWS Security Hub for KMS:
    • Use the boto3 library to enable AWS Security Hub for KMS.
    • Specify the appropriate product ARN for KMS.
import boto3

def enable_security_hub_kms():
    client = boto3.client('securityhub')
    
    response = client.batch_enable_standards(
        StandardsSubscriptionRequests=[
            {
                'StandardsArn': 'arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0',
                'ProductArn': 'arn:aws:securityhub:us-west-2:123456789012:product/aws/securityhub'
            }
        ]
    )

Please note that you need to have the necessary permissions and credentials set up to execute these scripts successfully.