Event Information

  • The PutKeyPolicy event in AWS Key Management Service (KMS) refers to an action where a key policy is updated or created for a KMS key.
  • This event signifies that a user or an application has modified the permissions and access control policies associated with a specific KMS key.
  • It is important to monitor and analyze PutKeyPolicy events to ensure that the key policies are properly managed and aligned with the security requirements and compliance standards of the organization.

Examples

  1. Unauthorized access: If the PutKeyPolicy operation is misconfigured or misused, it can potentially grant unauthorized access to sensitive data or resources protected by the AWS Key Management Service (KMS). This can lead to data breaches or unauthorized actions being performed on the encrypted data.

  2. Weak access controls: Improperly setting the key policy through PutKeyPolicy can result in weak access controls, allowing unauthorized users or entities to gain access to the encryption keys. This can compromise the confidentiality and integrity of the encrypted data, as well as the overall security of the system.

  3. Misconfiguration of key permissions: When using PutKeyPolicy, it is crucial to properly configure the key permissions to ensure that only authorized users or entities have the necessary access. Misconfiguring the key policy can lead to unintended access or privilege escalation, potentially exposing sensitive data to unauthorized parties.

Remediation

Using Console

  1. Enable AWS CloudTrail:

    • Go to the AWS Management Console and navigate to the CloudTrail service.
    • Click on “Trails” in the left-hand menu and then click on “Create trail”.
    • Provide a name for the trail, select the desired S3 bucket to store the logs, and enable log file encryption using AWS Key Management Service (KMS).
    • Configure the trail settings according to your requirements and click on “Create trail”.

  2. Enable AWS Config:

    • Go to the AWS Management Console and navigate to the AWS Config service.
    • Click on “Get started” if you haven’t enabled AWS Config before.
    • Select the desired AWS resources to be recorded and click on “Next”.
    • Choose the S3 bucket to store the configuration history and enable encryption using AWS KMS.
    • Configure the delivery frequency and click on “Next”.
    • Review the settings and click on “Confirm”.

  3. Enable AWS GuardDuty:

    • Go to the AWS Management Console and navigate to the GuardDuty service.
    • Click on “Get started” if you haven’t enabled GuardDuty before.
    • Choose the AWS regions to enable GuardDuty and click on “Next”.
    • Review the settings and click on “Enable GuardDuty”.

Note: These steps provide a high-level overview of enabling the mentioned services in AWS console. It is recommended to refer to the official AWS documentation for detailed instructions and best practices.

Using CLI

To remediate the issues related to AWS KMS using AWS CLI, you can follow these steps:

  1. Enable AWS KMS key rotation:

    • Use the enable-key-rotation command to enable key rotation for a specific AWS KMS key.
    • Example: aws kms enable-key-rotation --key-id <key-id>

  2. Enable AWS KMS key deletion protection:

    • Use the enable-key-deletion command to enable deletion protection for a specific AWS KMS key.
    • Example: aws kms enable-key-deletion --key-id <key-id>

  3. Enable AWS KMS key usage audit logging:

    • Use the enable-key-usage-logging command to enable key usage audit logging for a specific AWS KMS key.
    • Example: aws kms enable-key-usage-logging --key-id <key-id>

Note: Replace <key-id> with the actual ID of the AWS KMS key you want to remediate.

Using Python

To remediate the issues related to AWS KMS using Python, you can follow these steps:

  1. Enable AWS CloudTrail for KMS:

    • Use the boto3 library to create a new CloudTrail trail for KMS.
    • Set the kms:CreateKey and kms:EnableKeyRotation actions as the trail’s event selectors.
    • Specify the desired S3 bucket to store the CloudTrail logs.
    • Here’s an example Python script:
    import boto3

def enable_cloudtrail_kms():
    client = boto3.client('cloudtrail')
    response = client.create_trail(
        Name='kms-trail',
        S3BucketName='your-bucket-name',
        EventSelectors=[
            {
                'ReadWriteType': 'All',
                'IncludeManagementEvents': True,
                'DataResources': [
                    {
                        'Type': 'AWS::KMS::Key',
                        'Values': ['arn:aws:kms:us-west-2:123456789012:key/your-key-id']
                    },
                ]
            },
        ]
    )
    print(response)

enable_cloudtrail_kms()

  2. Enable AWS Config for KMS:

    • Use the boto3 library to create a new AWS Config rule for KMS.
    • Set the rule’s scope to the desired AWS resources (e.g., KMS keys).
    • Specify the desired AWS Config rule parameters.
    • Here’s an example Python script:
    import boto3

def enable_awsconfig_kms():
    client = boto3.client('config')
    response = client.put_config_rule(
        ConfigRule={
            'ConfigRuleName': 'kms-rule',
            'Scope': {
                'ComplianceResourceTypes': [
                    'AWS::KMS::Key'
                ]
            },
            'Source': {
                'Owner': 'AWS',
                'SourceIdentifier': 'KMS_KEY_ROTATION_ENABLED'
            },
            'InputParameters': '{}',
            'MaximumExecutionFrequency': 'TwentyFour_Hours'
        }
    )
    print(response)

enable_awsconfig_kms()

  3. Enable AWS Security Hub for KMS:

    • Use the boto3 library to enable AWS Security Hub for KMS.
    • Specify the desired KMS key as a resource in the Security Hub findings.
    • Here’s an example Python script:
    import boto3

def enable_securityhub_kms():
    client = boto3.client('securityhub')
    response = client.batch_enable_standards(
        StandardsSubscriptionRequests=[
            {
                'StandardsArn': 'arn:aws:securityhub:us-west-2::standard/aws-foundational-security-best-practices/v/1.0.0',
                'StandardsInput': '{}'
            },
        ]
    )
    print(response)

enable_securityhub_kms()