Use the Conformity Knowledge Base AI to help improve your Cloud Posture

KMS Customer Master Key (CMK) In Use

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: KMS-001

Ensure that only customer-managed Customer Master Keys (CMKs) are used to encrypt data within your AWS cloud, in order to have complete control over your data encryption/decryption process. Customer-managed Amazon KMS Customer Master Keys (CMKs) can be used to encrypt and decrypt data for multiple AWS services and resources such as S3 buckets, Redshift clusters, EBS volumes, or RDS database instances.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you create your own Amazon KMS Customer Master Keys (CMKs) to encrypt your cloud data, you have full control over who can use the master keys to decrypt and access your data. Amazon KMS service allows you to easily create, rotate, disable, and audit customer-managed Customer Master Keys (CMKs) for your cloud data.

Note: As an example, this conformity rule demonstrates how to implement encryption of data at rest for Amazon EBS volumes using customer-managed Customer Master Keys (CMKs) instead of AWS-managed keys.


Audit

To determine if customer-managed Customer Master Keys (CMKs) are used within your AWS cloud account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Elastic Block Store, choose Volumes.

04 Select the Amazon EBS volume that you want to examine.

05 Choose the Description tab from the console bottom panel and check the KMS Key Aliases attribute value. If the KMS Key Aliases attribute does not have value assigned, the selected Amazon EBS volume is not encrypted. If the KMS Key Aliases value is set to aws/ebs, the selected Amazon EBS volume is encrypted using an AWS-managed master key instead of a customer-managed Customer Master Key (CMK).

06 Repeat steps no. 4 and 5 for each Amazon EBS volume available within the current AWS region.

07 Change the AWS cloud region from the navigation bar to perform the Audit process for other regions.

Using AWS CLI

01 Run describe-volumes command (OSX/Linux/UNIX) with custom query filters to describe the ID of each encrypted Amazon EBS volume provisioned in the selected AWS cloud region:

aws ec2 describe-volumes
  --region us-east-1
  --filters Name=encrypted,Values=true
  --query 'Volumes[*].VolumeId'

02 The command output should return the requested volume ID(s):

[
	"vol-0abcd1234abcd1234",
	"vol-01234abcd1234abcd",
	"vol-0abcdabcd12341234"
]

03 Run describe-volumes command (OSX/Linux/UNIX) using the ID of the EBS volume that you want to examine as the identifier parameter and custom query filters to describe the Amazon Resource Name (ARN) of the master key used to encrypt the selected volume:

aws ec2 describe-volumes
  --region us-east-1
  --volume-ids vol-0abcd1234abcd1234
  --query 'Volumes[*].KmsKeyId'

04 The command output should return the requested Amazon Resource Name (ARN). If thedescribe-volumes command output returns an empty array instead (i.e. []), the selected Amazon EBS volume is not encrypted:

[
	"arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"
]

05 Run describe-key command (OSX/Linux/UNIX) using the ARN of the master key returned at the previous step as the identifier parameter to describe manager of the specified KMS key:

aws kms describe-key
  --region us-east-1
  --key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd
  --query 'KeyMetadata.KeyManager'

06 The command output should the master key manager ("AWS" if the master key is AWS-managed, and "CUSTOMER" if the key is customer-managed):

"AWS"

If the describe-keycommand output returns "AWS", as shown in the example above, the selected Amazon EBS volume is encrypted using an AWS-managed master key instead of a customer-managed Customer Master Key (CMK).

07 Repeat steps no. 3 – 6 for each Amazon EBS volume available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To implement encryption at rest using customer-managed Customer Master Keys (CMKs) instead of AWS-managed master keys for your Amazon EBS volumes, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"KMSKEY": {
			"Type": "AWS::KMS::Key",
			"Properties": {
				"Enabled": true,
				"KeySpec": "SYMMETRIC_DEFAULT",
				"KeyUsage": "ENCRYPT_DECRYPT",
				"Description": "Symmetric Amazon KMS Customer Master Key",
				"EnableKeyRotation": true,
				"KeyPolicy": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Sid": "Enable IAM User Permissions",
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:root"
							},
							"Action": "kms:*",
							"Resource": "*"
						},
						{
							"Sid": "Allow access for Key Administrators",
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
							},
							"Action": [
								"kms:Create*",
								"kms:Describe*",
								"kms:Enable*",
								"kms:List*",
								"kms:Put*",
								"kms:Update*",
								"kms:Revoke*",
								"kms:Disable*",
								"kms:Get*",
								"kms:Delete*",
								"kms:TagResource",
								"kms:UntagResource",
								"kms:ScheduleKeyDeletion",
								"kms:CancelKeyDeletion"
							],
							"Resource": "*"
						},
						{
							"Sid": "Allow use of the key",
							"Effect": "Allow",
							"Principal": {
								"AWS": [
									"arn:aws:iam::123456789012:user/cloud-resource-manager"
								]
							},
							"Action": [
								"kms:Encrypt",
								"kms:Decrypt",
								"kms:ReEncrypt*",
								"kms:GenerateDataKey*",
								"kms:DescribeKey"
							],
							"Resource": "*"
						},
						{
							"Sid": "Allow attachment of persistent resources",
							"Effect": "Allow",
							"Principal": {
								"AWS": [
									"arn:aws:iam::123456789012:user/cloud-resource-manager"
								]
							},
							"Action": [
								"kms:CreateGrant",
								"kms:ListGrants",
								"kms:RevokeGrant"
							],
							"Resource": "*"
						}
					]
				}
			}
		},
		"KMSKEYAlias": {
			"Type": "AWS::KMS::Alias",
			"Properties": {
				"AliasName": "alias/ProductionKey",
				"TargetKeyId": {
					"Ref": "KMSKEY"
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Resources:
	KMSKEY:
		Type: AWS::KMS::Key
		Properties:
		Enabled: true
		KeySpec: SYMMETRIC_DEFAULT
		KeyUsage: ENCRYPT_DECRYPT
		Description: Symmetric Amazon KMS Customer Master Key
		EnableKeyRotation: true
		KeyPolicy:
			Version: '2012-10-17'
			Statement:
			- Sid: Enable IAM User Permissions
				Effect: Allow
				Principal:
				AWS: arn:aws:iam::123456789012:root
				Action: kms:*
				Resource: '*'
			- Sid: Allow access for Key Administrators
				Effect: Allow
				Principal:
				AWS: arn:aws:iam::123456789012:user/kms-key-admin
				Action:
				- kms:Create*
				- kms:Describe*
				- kms:Enable*
				- kms:List*
				- kms:Put*
				- kms:Update*
				- kms:Revoke*
				- kms:Disable*
				- kms:Get*
				- kms:Delete*
				- kms:TagResource
				- kms:UntagResource
				- kms:ScheduleKeyDeletion
				- kms:CancelKeyDeletion
				Resource: '*'
			- Sid: Allow use of the key
				Effect: Allow
				Principal:
				AWS:
					- arn:aws:iam::123456789012:user/cloud-resource-manager
				Action:
				- kms:Encrypt
				- kms:Decrypt
				- kms:ReEncrypt*
				- kms:GenerateDataKey*
				- kms:DescribeKey
				Resource: '*'
			- Sid: Allow attachment of persistent resources
				Effect: Allow
				Principal:
				AWS:
					- arn:aws:iam::123456789012:user/cloud-resource-manager
				Action:
				- kms:CreateGrant
				- kms:ListGrants
				- kms:RevokeGrant
				Resource: '*'
	KMSKEYAlias:
		Type: AWS::KMS::Alias
		Properties:
		AliasName: alias/ProductionKey
		TargetKeyId: !Ref 'KMSKEY'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}
resource "aws_kms_key" "kms-key" {
	is_enabled               = true
	customer_master_key_spec = "SYMMETRIC_DEFAULT"
	key_usage                = "ENCRYPT_DECRYPT"
	description              = "Symmetric Amazon KMS Customer Master Key"
	enable_key_rotation      = true

	policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Sid": "Enable IAM User Permissions",
				"Effect": "Allow",
				"Principal": {
					"AWS": "arn:aws:iam::123456789012:root"
				},
				"Action": "kms:*",
				"Resource": "*"
			},
			{
				"Sid": "Allow access for Key Administrators",
				"Effect": "Allow",
				"Principal": {
					"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
				},
				"Action": [
					"kms:Create*",
					"kms:Describe*",
					"kms:Enable*",
					"kms:List*",
					"kms:Put*",
					"kms:Update*",
					"kms:Revoke*",
					"kms:Disable*",
					"kms:Get*",
					"kms:Delete*",
					"kms:TagResource",
					"kms:UntagResource",
					"kms:ScheduleKeyDeletion",
					"kms:CancelKeyDeletion"
				],
				"Resource": "*"
			},
			{
				"Sid": "Allow use of the key",
				"Effect": "Allow",
				"Principal": {
					"AWS": [
						"arn:aws:iam::123456789012:user/cloud-resource-manager"
					]
				},
				"Action": [
					"kms:Encrypt",
					"kms:Decrypt",
					"kms:ReEncrypt*",
					"kms:GenerateDataKey*",
					"kms:DescribeKey"
				],
				"Resource": "*"
			},
			{
				"Sid": "Allow attachment of persistent resources",
				"Effect": "Allow",
				"Principal": {
					"AWS": [
						"arn:aws:iam::123456789012:user/cloud-resource-manager"
					]
				},
				"Action": [
					"kms:CreateGrant",
					"kms:ListGrants",
					"kms:RevokeGrant"
				],
				"Resource": "*"
			}
		]
	}
	EOF
}

resource "aws_kms_alias" "kms-key-alias" {
	target_key_id = aws_kms_key.kms-key.key_id
	name          = "alias/ProductionKey"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the navigation panel, under Key Management Service (KMS), select Customer managed keys.

04 Choose the Create Key button from the console top menu to initiate the CMK setup process.

05 For Step 1 Configure key, perform the following actions:

  1. Choose Symmetric from the Key type section. A symmetric key is a single encryption key that can be used for both encrypt and decrypt operations.
  2. Under Advanced options, for Key material origin, select KMS as the source of the key material within the CMK.
  3. Under Advanced options, for Regionality, select whether to allow the new key to be replicated into other AWS regions.
  4. Choose Next to continue.

06 For Step 2 Add labels, type a unique name (alias) for your new master key in the Alias box and provide a short description for the key in Description – _optiona_lbox. (Optional) Use the Add tag button to create tags in order categorize and identify your CMK. Choose Next to continue the setup process.

07 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK from the Key administrators section. You may need to add additional permissions for the users or roles to administer the key from the AWS console. For Key deletion, select Allow key administrators to delete this key. Choose Next to continue.

08 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new Customer Master Key for cryptographic operations. (Optional) In the Other AWS accounts section, choose Add another AWS account and enter an external AWS account ID in order to specify the external AWS account that can use the new key to encrypt and decrypt your EBS volume data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Choose Next to continue.

09 For Step 5 Review, review the policy available in the Key policy section, then choose Finish to create your new Customer Master Key (CMK). Once the key is successfully created, the Amazon KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".

10 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

11 In the navigation panel, under Elastic Block Store, choose Volumes.

12 Select the Amazon EBS volume that you want to encrypt using your new customer-managed Customer Master Key (CMK).

13 Choose the Actions dropdown button from the console top menu and select Create Snapshot.

14 On the Create Snapshot setup page, provide a short description in the Description box, and choose Create Snapshot. Choose Close to return to the EC2 console.

15 In the navigation panel, under Elastic Block Store, choose Snapshots.

16 Select the newly created EBS volume snapshot, choose Actions, and select Copy.

17 In the Copy Snapshot configuration box, select the Encrypt this snapshotcheckbox, choose the customer-managed Customer Master Key (CMK) created earlier in the Remediation section from the Master key dropdown list, and choose Copy. Click Close to return to the Snapshots page.

18 Select the new (copied) EBS volume snapshot, choose Actions, and select Create Volume.

19 On the Create Volume setup page, make sure that the appropriate customer-managed Customer Master Key (CMK) is selected from the Master Key dropdown list, review the volume configuration details, then choose Create Volume. Click Close to return to the Amazon EC2 console.

20 (Optional) To replace the volume encrypted with the default master key with the one encrypted with customer-managed CMK within the Amazon EC2 instance configuration, perform the following operations:

  1. In the navigation panel, under Elastic Block Store,**choose Volumes**.
  2. Select the original Amazon EBS volume, encrypted with the default master key.
  3. Choose the Actions dropdown button from the console top menu and select Detach Volume.
  4. Inside the Detach Volume dialog box, choose Yes, Detach.
  5. Select the newly created Amazon EBS volume, encrypted with the new customer-managed Customer Master Key (CMK).
  6. Choose the Actions button from the console top menu and select Attach Volume.
  7. In the Attach Volume configuration box, select the ID of the EC2 instance detached at step c. from the Instance box, provide the device name required for attachment in the Device box, then choose Attach to attach the new volume.

21 Repeat steps no. 12 – 20 to configure customer-managed Customer Master Keys (CMKs) for other EBS volumes available within the current AWS region.

22 Change the AWS cloud region from the navigation bar to perform the Remediation process for other regions.

Using AWS CLI

01 Define the policy that enables the selected IAM users and/or roles to manage your new Customer Master Key (CMK), and to encrypt/decrypt your EBS data using the KMS API. Create a new policy document (JSON format), name the file ebs-volume-cmk-policy.json, and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):

{
	"Id": "protected-cmk-policy",
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Enable IAM User Permissions",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:root"
			},
			"Action": "kms:*",
			"Resource": "*"
		},
		{
			"Sid": "Allow access for Key Administrators",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:Create*",
				"kms:Describe*",
				"kms:Enable*",
				"kms:List*",
				"kms:Put*",
				"kms:Update*",
				"kms:Revoke*",
				"kms:Disable*",
				"kms:Get*",
				"kms:Delete*",
				"kms:TagResource",
				"kms:UntagResource",
				"kms:ScheduleKeyDeletion",
				"kms:CancelKeyDeletion"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow use of the key",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:Encrypt",
				"kms:Decrypt",
				"kms:ReEncrypt*",
				"kms:GenerateDataKey*",
				"kms:DescribeKey"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow attachment of persistent resources",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:CreateGrant",
				"kms:ListGrants",
				"kms:RevokeGrant"
			],
			"Resource": "*",
			"Condition": {
				"Bool": {
					"kms:GrantIsForAWSResource": "true"
				}
			}
		}
	]
}

02 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e.ebs-volume-cmk-policy.json) as value for the --policy parameter, to create your new, customer-managed Customer Master Key (CMK):

aws kms create-key
  --region us-east-1
  --description 'Customer Master Key for EBS Volume Encryption'
  --policy file://ebs-volume-cmk-policy.json
  --query 'KeyMetadata.Arn'

03 The command output should return the ARN of the new Customer Master Key (CMK):

"arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):

aws kms create-alias
  --region us-east-1
  --alias-name alias/EBSVolumeCMK
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234

05 Once your new Customer Master Key (CMK) is available for use, re-create the Amazon EBS volume(s) that you want to encrypt using the new CMK. Run create-snapshotcommand (OSX/Linux/UNIX) to create a new snapshot from the specified EBS volume:

aws ec2 create-snapshot
  --region us-east-1
  --volume-id vol-0abcd1234abcd1234

06 The output should return the create-snapshot command request metadata:

{
	"Description": "",
	"Tags": [],
	"Encrypted": true,
	"VolumeId": "vol-0abcd1234abcd1234",
	"State": "pending",
	"VolumeSize": 150,
	"StartTime": "2021-06-20T11:37:31.000Z",
	"Progress": "",
	"OwnerId": "123456789012",
	"SnapshotId": "snap-0abcd1234abcd1234"
}

07 Run copy-snapshot command (OSX/Linux/UNIX) to copy the EBS volume snapshot created at the previous steps. Use the --kms-key-id command parameter to encrypt the snapshot copy with your new customer-managed Customer Master Key (CMK):

aws ec2 copy-snapshot
  --region us-east-1
  --source-region us-east-1
  --source-snapshot-id snap-0abcd1234abcd1234
  --encrypted
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234

08 The command output should return the ID of the new EBS volume snapshot:

{
	"SnapshotId": " snap-01234abcd1234abcd"
}

09 Run create-volume command (OSX/Linux/UNIX) to create a new Amazon EBS volume from the encrypted snapshot (copy) created at the previous steps. Make sure to include the --kms-key-id command parameter to encrypt the new EBS volume with your customer-managed Customer Master Key (CMK):

aws ec2 create-volume
  --region us-east-1
  --volume-type gp2
  --size 150
  --availability-zone us-east-1a
  --snapshot-id snap-01234abcd1234abcd
  --encrypted
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234

10 The command output should return the metadata available for the new encrypted EBS volume:

{
	"AvailabilityZone": "us-east-1a",
	"MultiAttachEnabled": false,
	"Tags": [],
	"Encrypted": true,
	"VolumeType": "gp2",
	"VolumeId": "vol-0abcdabcdabcdabcd",
	"State": "creating",
	"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234",
	"SnapshotId": "snap-01234abcd1234abcd",
	"Iops": 450,
	"CreateTime": "2021-06-28T11:00:00.000Z",
	"Size": 150
}

11 To replace the volume encrypted with the default master key with the one encrypted with customer-managed CMK within your Amazon EC2 instance configuration, perform the following actions:

  1. Run detach-volume command (OSX/Linux/UNIX) to detach the original Amazon EBS volume, encrypted with the default master key, from the specified EC2 instance:
    aws ec2 detach-volume
      --region us-east-1
      --volume-id vol-0abcd1234abcd1234
    
  2. The output should return the detach-volume command request metadata:
    {
    	"AttachTime": "2021-06-28T12:00:19.000Z",
    	"InstanceId": "i-01234123412341234",
    	"VolumeId": "vol-0abcd1234abcd1234",
    	"State": "detaching",
    	"Device": "/dev/sdf"
    }
    
  3. To attach the new EBS volume (encrypted with the customer-managed CMK) to the selected Amazon EC2 instance, run attach-volume command (OSX/Linux/UNIX):
    aws ec2 attach-volume
      --volume-id vol-0abcdabcdabcdabcd
      --instance-id i-01234123412341234
      --device /dev/sdf
    
  4. The output should return the attach-volume command request metadata:
    {
    	"AttachTime": "2021-06-28T13:00:19.000Z",
    	"InstanceId": "i-01234567890123456",
    	"VolumeId": "vol-0abcdabcdabcdabcd",
    	"State": "attaching",
    	"Device": "/dev/sdf"
    }
    

12 Repeat steps no. 6 – 12 to configure customer-managed Customer Master Keys (CMKs) for other EBS volumes available in the selected AWS region.

13 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Publication date Apr 16, 2016

Unlock the Remediation Steps


Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

KMS Customer Master Key (CMK) In Use

Risk Level: Medium