Enable Encryption for AWS Comprehend Analysis Job Results

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: Comprehend-001

Ensure that encryption at rest using Amazon KMS is enabled for your AWS Comprehend analysis job results in order to secure private data and meet compliance requirements for data-at-rest encryption. Amazon Comprehend is a Natural Language Processing (NLP) service that uses machine learning to find insights and relationships in text documents.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Enabling encryption at rest using Amazon Key Management Service (KMS) for AWS Comprehend analysis job results provides an additional layer of data protection by helping secure your NLP applications data against unauthorized access to the underlying storage (i.e. Amazon S3).


Audit

To determine if your Amazon Comprehend jobs are configured to encrypt their output data sent to S3, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Comprehend service dashboard at https://console.aws.amazon.com/comprehend/.

03 In the navigation panel, under Amazon Comprehend, choose Analysis jobs.

04 Click on the name (link) of the analysis job that you want to examine, to access the resource configuration details.

05 Within Output section, check the Encryption configuration attribute value. If the Encryption attribute does not have any value, the output data resulted from the selected Amazon Comprehend analysis job, stored in Amazon S3, is not encrypted at rest.

  • If output is not available, that's because the document analysis job did not complete. Check the Response under Application integration section, if you can't find the KmsKeyId attribute, the output data resulted from the selected Amazon Comprehend analysis job, stored in Amazon S3, is not encrypted at rest.

06 Repeat step no. 4 and 5 for each Amazon Comprehend job available in the current AWS region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

Note: As example, this audit section demonstrates how to determine the encryption configuration of the entity detection jobs managed by Amazon Comprehend.

01 Execute list-entities-detection-jobs command (OSX/Linux/UNIX) using custom query filters to expose the IDs of the entity detection jobs created with Amazon Comprehend in the selected AWS region:

aws comprehend list-entities-detection-jobs
	--region us-east-1
	--query 'EntitiesDetectionJobPropertiesList[*].JobId'

02 The command output should return the requested AWS Comprehend job IDs:

[
    "fabcd1234abcd1234abcd1234abcd12f",
    "faaaabbbbccccdddd01234567890123f"
]

03 Run describe-entities-detection-job command (OSX/Linux/UNIX) using the ID of the entity detection job that you want to examine as identifier parameter and custom query filters to return the ARN of the KMS key used to encrypt the data resulted from the selected AWS Comprehend job:

aws comprehend describe-entities-detection-job
	--region us-east-1
	--job-id fabcd1234abcd1234abcd1234abcd12f
	--query 'EntitiesDetectionJobProperties.OutputDataConfig.KmsKeyId'

04 The command output should return the requested configuration information:

null

If describe-entities-detection-job command output returns null, as shown in the example above, there is no KMS key used to encrypt entity detection job data, therefore the output data resulted from the selected Amazon Comprehend analysis job, stored in Amazon S3, is not encrypted at rest.

05 Repeat step no. 3 and 4 for each Amazon Comprehend job available within the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

To enable data-at-rest encryption for AWS Comprehend analysis job results that are stored in Amazon S3, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

03 In the left navigation panel click Customer managed keys.

04 Select the appropriate AWS region from the Filter menu (must match the region where your non-compliant AWS Comprehend analysis job was created).

05 Click Create Key button from the dashboard top menu.

06 In the Key type section, select Symmetric, then click the Next Step button.

07 In the Alias (required) and Description fields, enter a unique name (alias) and a description for the new CMK, then click the Next Step button.

08 Under Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click Next Step.

09 Under This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt your Amazon Comprehend data with the AWS KMS API.

10 (Optional) Under Other AWS accounts section, click Add another AWS account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt the AWS Comprehend job data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users.

11 Click Next Step to continue.

12 Under Review and edit key policy section, review the key policy generated by AWS then click Finish to create your new CMK. Once the key is created, the KMS dashboard will display a confirmation message: "Your customer master key was created with alias <kms-cmk-alias> and key ID <kms-cmk-id>".

13 Once the KMS CMK has been created, navigate to Comprehend service dashboard at https://console.aws.amazon.com/comprehend/.

14 In the navigation panel, under Amazon Comprehend, choose Analysis jobs.

15 Select the analysis job that you want to reconfigure, then click Copy to initiate the setup process.

16 On the Create analysis job page, perform the following:

  1. Provide a unique name for the new analysis job in the Name box available within the Job settings section.
  2. In the Output data section, click on the Encryption button to shown the encryption configuration panel. Select Use key from current account option and choose the Amazon KMS key created earlier in the process from the KMS key ID dropdown list.
  3. Click Create job to launch your new Amazon Comprehend analysis job.

17 Repeat steps no. 15 - 17 for each Amazon Comprehend job available in the current AWS region.

18 Change the AWS region from the navigation bar to repeat the entire remediation/resolution process for the other regions.

Using AWS CLI

Note: As example, this remediation section demonstrates how to enable encryption at rest using AWS KMS keys for entity detection jobs managed by Amazon Comprehend.

01 Define the access policy that enables your selected IAM users and/or roles to manage the new KMS Customer Master Key and to encrypt/decrypt Amazon Comprehend output data using the AWS KMS API. Create a new policy document called comprehend-cmk-policy.json and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):

{
  "Version": "2012-10-17",
  "Id": "aws-comprehend-job-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AmazonComprehendManager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/ComprehendAdmin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/ComprehendAdmin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. comprehend-cmk-policy.json) as --policy parameter value to create the new AWS KMS Customer Master Key:

aws kms create-key
	--region us-east-1
	--description 'KMS CMK for encrypting AWS Comprehend output data'
	--policy file://comprehend-cmk-policy.json

03 The command output should return the new KMS CMK metadata. Copy the key Amazon Resource Name (Arn parameter value - highlighted) as this information will be required later when you need to specify the key required for Amazon Comprehend output data encryption:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "abcdabcd-1234-1234-1234-abcd1234abcd",
        "Description": "KMS CMK for encrypting AWS Comprehend output data"
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1517239711.350,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcd1234abcd",
        "AWSAccountId": "123456789012"
    }
}

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command does not produce an output):

aws kms create-alias
	--region us-east-1
	--alias-name alias/ComprehendCMK
	--target-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcd1234abcd

05 Run describe-entities-detection-job command (OSX/Linux/UNIX) using the ID of the entity detection job that you want to copy as identifier parameter to return the configuration information available for the selected AWS Comprehend job:

aws comprehend describe-entities-detection-job
	--region us-east-1
	--job-id fabcd1234abcd1234abcd1234abcd12f

06 The command output should return the requested configuration information:

{
    "EntitiesDetectionJobProperties": {
        "InputDataConfig": {
            "S3Uri": "s3://cc-docs-us-east-1/AsyncBatchJobs/",
            "InputFormat": "ONE_DOC_PER_LINE"
        },
        "DataAccessRoleArn": "arn:aws:iam::123456789012:role/service-role/AmazonComprehendServiceRole-cloudconformity",
        "LanguageCode": "en",
        "JobId": "fabcd1234abcd1234abcd1234abcd12f",
        "JobStatus": "COMPLETED",
        "JobName": "cc-nlp-project-job",
        "SubmitTime": 1555155472.561,
        "OutputDataConfig": {
            "S3Uri": "s3://cc-nlp-project-data/123456789012-NER-fabcd1234abcd1234abcd1234abcd12f/output/output.tar.gz"
        },
        "EndTime": 1555155999.091
    }
}

07 Run start-entities-detection-job command (OSX/Linux/UNIX) to launch a new Amazon Comprehend entity detection job using the configuration information returned at the previous step and the ARN of the AWS KMS key created earlier in the process for encrypting job output data:

aws comprehend start-entities-detection-job
	--region us-east-1
	--job-name cc-new-nlp-project-job
	--language-code en
	--input-data-config S3Uri="s3://cc-docs-us-east-1/AsyncBatchJobs/",InputFormat="ONE_DOC_PER_LINE"
	--output-data-config S3Uri="s3://cc-nlp-project-data/123456789012-NER-fabcd1234abcd1234abcd1234abcd12f/output/output.tar.gz",KmsKeyId="arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcd1234abcd"
	--data-access-role-arn arn:aws:iam::123456789012:role/service-role/AmazonComprehendServiceRole-cloudconformity

08 The command output should return the new Amazon Comprehend job metadata:

{
    "JobStatus": "SUBMITTED",
    "JobId": "f12341234abcdabcd12341234abcdabf"
}

09 Repeat steps no. 5 – 8 for each Amazon Comprehend job available in the current AWS region.

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 9 to perform the entire process for other regions.

References

Unlock the Remediation Steps


Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Enable Encryption for AWS Comprehend Analysis Job Results

Risk level: High