Existence of Specific AWS KMS CMKs

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: KMS-008

Ensure that a specific list of AWS KMS Customer Master Keys (CMKs) are available for use in your AWS account in order to meet strict security and compliance requirements in your organization. Prior to running this rule by the Cloud Conformity engine, the list of specific KMS Customer Master Keys must be defined in the rule settings, on the Cloud Conformity account dashboard.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using the specified set of Amazon KMS Customer Master Keys (CMKs) to encrypt data within your AWS account gives you better control over the encryption/decryption process and helps fulfill compliance requirements for data protection in your organization.


Audit

To determine if the KMS keys specified in the conformity rule settings (e.g. "highlyprotected", "protected", "internal", etc) are available for use in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access the Check for Existence of Specific AWS KMS CMKs conformity rule settings and identify the name (alias) of each Customer Master Key (CMK) designated to encrypt data in your AWS account.

02 Sign in to AWS Management Console.

03 Navigate to Identity and Access Management (KMS) dashboard at https://console.aws.amazon.com/kms/.

04 In the left navigation panel, click Encryption Keys.

05 Choose an AWS region from the Filter dropdown list.

06 Use the Search box available in the dashboard top menu to search for each key name (i.e. alias) identified at step no. 1, specified in the conformity rule settings.

07 Change the AWS region from the Filter dropdown list to check for existence of specific CMKs in other regions. If an Amazon KMS Customer Master Key (CMK) is returned for each key alias/name specified in the rule settings, the list of specific KMS Customer Master Keys available in your AWS account is compliant, otherwise the list is non-compliant.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access the Check for Existence of Specific AWS KMS CMKs conformity rule settings and identify the name (alias) of each Customer Master Key (CMK) designated to encrypt data in your AWS account.

02 Run the list-aliases command (OSX/Linux/UNIX) with a custom query filter to return the aliases (names) of all the KMS keys available in the selected AWS region:

aws kms list-aliases \
	--region us-east-1 \
	--output table \
	--query 'Aliases[*].AliasName'

03 The command output should return a table with the existing key aliases (names):

---------------------------------
|          ListAliases          |
+-------------------------------+
|  alias/cc-protected-key       |
|  alias/cc-internal-key        |
|  alias/cc-prod-manager-key    |
|  alias/aws/backup             |
|  alias/aws/dynamodb           |
|  alias/aws/kinesis            |
|  alias/aws/lambda             |
|  alias/aws/rds                |
|  alias/aws/redshift           |
+-------------------------------+

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to check for existence of specific CMKs in other regions. If an Amazon KMS Customer Master Key (CMK) is returned for each key alias specified in the conformity rule settings, the list of specific KMS Customer Master Keys available in your AWS account is compliant, otherwise the list of CMKs is non-compliant.
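A scripted form of the CLI audit above, added here as an example and not part of the Conformity page or the Conformity engine: the required-alias list stands in for the names configured in the KMS-008 rule settings (assumed to be compared as full "alias/..." names, with the prefix added to bare names), and the sample data is constructed from the table in step 03.

```shell
#!/bin/sh
# Added example, not part of the Conformity page: a scripted form of the
# "Using AWS CLI" audit. The required alias list stands in for the names
# configured in the KMS-008 rule settings (assumption: they are compared
# as full "alias/..." names; bare names get the prefix added).

# Print each required alias that is absent from the existing-alias list,
# one per line. No output means the region is compliant.
missing_aliases() {
    required="$1"   # whitespace-separated required aliases
    existing="$2"   # whitespace-separated output of list-aliases (--output text)
    for name in $required; do
        case "$name" in
            alias/*) full="$name" ;;
            *)       full="alias/$name" ;;
        esac
        found=0
        for have in $existing; do
            if [ "$have" = "$full" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then echo "$full"; fi
    done
}

# Exit status 0 when every required alias exists, 1 otherwise.
region_is_compliant() {
    [ -z "$(missing_aliases "$1" "$2")" ]
}

# Live check for one region: the same list-aliases call as step 02, but
# with --output text so the names arrive whitespace-separated.
audit_region() {
    region="$1"; required="$2"
    existing=$(aws kms list-aliases --region "$region" \
        --query 'Aliases[*].AliasName' --output text) || return 2
    if region_is_compliant "$required" "$existing"; then
        echo "$region: compliant"
    else
        echo "$region: NON-COMPLIANT, missing aliases:"
        missing_aliases "$required" "$existing"
        return 1
    fi
}

# Constructed sample data (no AWS call): aliases from the table in step 03,
# checked against three hypothetical rule-setting aliases.
SAMPLE_EXISTING="alias/cc-protected-key alias/cc-internal-key alias/cc-prod-manager-key alias/aws/rds"
SAMPLE_REQUIRED="alias/cc-highlyprotected-key cc-protected-key alias/cc-internal-key"
# missing_aliases "$SAMPLE_REQUIRED" "$SAMPLE_EXISTING" prints alias/cc-highlyprotected-key
```

Run `audit_region us-east-1 "$SAMPLE_REQUIRED"` for each region you need to cover; a non-zero exit status marks the region non-compliant for the rule.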

Remediation / Resolution

To create the required Amazon KMS Customer Master Keys (CMKs), defined in the conformity rule settings, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access the Check for Existence of Specific AWS KMS CMKs rule settings and copy the name (alias) of the Customer Master Key that you want to create in your AWS account.

02 Sign in to AWS Management Console.

03 Navigate to Identity and Access Management (KMS) dashboard at https://console.aws.amazon.com/kms/.

04 In the left navigation panel, click Encryption Keys.

05 Select the appropriate AWS region from the Filter dropdown menu (must match the region where the cloud resources that will use the key are provisioned).

06 Click Create Key button from the dashboard top menu to start the setup process.

07 On Create Alias and Description page, paste the alias copied at step no. 1 into the Alias (required) box and enter a short description for the new key in the Description box. Click Next Step to continue.

08 On Add Tags page, create tags to manage the identity of the new KMS key (optional). Click Next Step to continue the setup process.

09 On Define Key Administrative Permissions page, select which IAM users and/or roles can administer the new KMS CMK, then click Next Step.

10 On Define Key Usage Permissions page, select which IAM users and/or roles can use the key to encrypt/decrypt data with the AWS KMS API. If you want external AWS accounts to use the key to encrypt and decrypt data, in the External Accounts section, click Add an External Account and enter the external account ID to add the AWS account that can use the CMK. The owners of the external AWS accounts must also provide access to your CMK by creating policies for their IAM users. Click Next Step to continue.

11 On Preview Key Policy page, review the predefined access policy then click Finish to create the new Amazon KMS Customer Master Key (CMK). Once the key is successfully created, the Key Management Service (KMS) service dashboard will display the following confirmation message: “Your master key was created successfully. Alias: <key-name>”

12 Repeat steps no. 6 – 11 to create other specific AWS KMS Customer Master Keys to be used in the selected region.

13 If required, change the AWS region from the Filter dropdown menu and repeat the process for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access the Check for Existence of Specific AWS KMS CMKs rule settings and copy the alias (name) of the Customer Master Key (CMK) that you want to create in your AWS account.

02 Define the access policy that enables the specified AWS IAM users and/or roles to administer the new CMK and the selected IAM users and/or roles to encrypt/decrypt data using the Key Management Service (KMS) API. Create a new JSON document, name it cmk-access-policy.json and paste the following data (replace the placeholders in angle brackets, i.e. the AWS account ID and the ARNs for the IAM users and/or roles, with your own details):

{
  "Id": "custom-cmk-access-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:user/<USER_NAME>"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:user/<USER_NAME>"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}

03 Run the create-key command (OSX/Linux/UNIX) using the policy document defined at the previous step (i.e. cmk-access-policy.json) to create the required Amazon KMS Customer Master Key (CMK) in the selected AWS region:

aws kms create-key \
	--region us-east-1 \
	--description 'Specific KMS CMK for encrypting production data' \
	--policy file://cmk-access-policy.json

04 The command output should return the new KMS CMK metadata:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "aabbccdd-1234-abcd-1234-aabbccdd1234",
        "Description": "Specific KMS CMK for encrypting production data",
        "KeyManager": "CUSTOMER",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 15198439962.150,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/aabbccdd-1234-abcd-1234-aabbccdd1234",
        "AWSAccountId": "123456789012"
    }
}

05 Run the create-alias command (OSX/Linux/UNIX) with the ARN of the newly created key to attach the alias copied at step no. 1 to the new Customer Master Key. The alias name must always start with the "alias/" prefix (the command does not produce any output):

aws kms create-alias \
	--region us-east-1 \
	--alias-name alias/cc-highlyprotected-key \
	--target-key-id arn:aws:kms:us-east-1:123456789012:key/aabbccdd-1234-abcd-1234-aabbccdd1234

06 Repeat steps no. 2 – 5 to create other specific Amazon KMS Customer Master Keys to be used in the selected AWS region.

07 If required, change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

Publication date Mar 1, 2019