
Use KMS Customer Master Keys for AWS Storage Gateway Tapes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the Amazon Storage Gateway service is using AWS KMS Customer Master Keys (CMKs) instead of AWS-managed keys for tape data encryption, in order to have fine-grained control over the data-at-rest encryption/decryption process and to meet regulatory and security requirements.

Security

When you use your own AWS KMS Customer Master Keys (CMKs) to encrypt data stored on Amazon Storage Gateway tapes, you have full control over who can use the encryption keys to access your data. AWS Key Management Service allows you to easily create, rotate, disable and audit the Customer Master Keys used to encrypt AWS Storage Gateway tapes.


Audit

To determine the encryption configuration for your AWS Storage Gateway tapes, perform the following:

Note: Verifying the encryption configuration of Amazon Storage Gateway tapes using the AWS Management Console is not currently supported; the feature can be checked only through the AWS Command Line Interface (CLI).

Using AWS CLI

01 Run the list-tapes command (OSX/Linux/UNIX) to list the Amazon Resource Names (ARNs) of the AWS Storage Gateway tapes available in the selected region:

aws storagegateway list-tapes \
    --region us-east-1 \
    --query 'TapeInfos[*].TapeARN'

02 The command output should return an array with the requested Storage Gateway tape ARNs:

[
    "arn:aws:storagegateway:us-east-1:123456789012:tape/ABCD01234",
    "arn:aws:storagegateway:us-east-1:123456789012:tape/1234ABCD0",
    "arn:aws:storagegateway:us-east-1:123456789012:tape/A1B2C3D40",
    "arn:aws:storagegateway:us-east-1:123456789012:tape/AABBCCDD0"
]

03 Run the describe-tapes command (OSX/Linux/UNIX) using the ARN of the virtual tape that you want to examine as the identifier, together with the ARN of its gateway and a custom query filter, to return the KMS key used for data encryption by the selected Amazon Storage Gateway tape:

aws storagegateway describe-tapes \
    --region us-east-1 \
    --gateway-arn arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-AABBCCDD \
    --tape-arns arn:aws:storagegateway:us-east-1:123456789012:tape/ABCD01234 \
    --query 'Tapes[*].KMSKey'

04 The command output should return the ARN of the KMS Customer Master Key used by the selected tape; in this example the query returns an empty array instead:

[]

If the describe-tapes command output returns an empty array, i.e. [], the selected Amazon Storage Gateway virtual tape is encrypting data at rest using the default key instead of a customer-managed KMS Customer Master Key (CMK).

05 Repeat steps no. 3 and 4 to determine the encryption configuration for the other Storage Gateway tapes available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
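The audit above is a per-tape, per-region loop; the following script (added here, not part of the original Conformity check) automates steps 1 to 5 against the response shapes the page's query filters expose (TapeInfos[].TapeARN and GatewayARN from list-tapes, Tapes[].KMSKey from describe-tapes). The sample responses are constructed; the real calls are supplied through the describe_tapes callback, and the boto3 signature shown in its docstring is assumed from the AWS SDK.

```python
"""Audit helper: flag Storage Gateway tapes still encrypted with the default key.

Mirrors audit steps 1-5: list-tapes gives each tape's ARN and owning gateway,
describe-tapes (per gateway) shows whether a KMSKey is set. As the page states,
a tape whose KMSKey is absent or empty is using the default key and is flagged.
"""
from collections import defaultdict

GW = "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-AABBCCDD"
TAPE = "arn:aws:storagegateway:us-east-1:123456789012:tape/"
CMK = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234ancd1234"

# Constructed sample responses, shaped like the CLI/API output on the page.
LIST_TAPES_RESPONSE = {"TapeInfos": [
    {"TapeARN": TAPE + "ABCD01234", "GatewayARN": GW},
    {"TapeARN": TAPE + "1234ABCD0", "GatewayARN": GW},
    {"TapeARN": TAPE + "A1B2C3D40", "GatewayARN": GW},
]}
DESCRIBE_TAPES_RESPONSE = {"Tapes": [
    {"TapeARN": TAPE + "ABCD01234"},                 # no KMSKey: default key
    {"TapeARN": TAPE + "1234ABCD0", "KMSKey": CMK},  # customer-managed CMK
    {"TapeARN": TAPE + "A1B2C3D40", "KMSKey": ""},   # empty value: default key
]}

def tapes_by_gateway(list_tapes_response):
    """Group tape ARNs by gateway, since describe-tapes is called per gateway."""
    groups = defaultdict(list)
    for info in list_tapes_response["TapeInfos"]:
        groups[info["GatewayARN"]].append(info["TapeARN"])
    return dict(groups)

def default_key_tapes(describe_tapes_response):
    """Return ARNs of tapes whose KMSKey is missing or empty (default key)."""
    return [t["TapeARN"] for t in describe_tapes_response["Tapes"]
            if not t.get("KMSKey")]

def audit(list_tapes_response, describe_tapes):
    """describe_tapes(gateway_arn, tape_arns) returns a describe-tapes response;
    with boto3: lambda gw, arns: client.describe_tapes(GatewayARN=gw, TapeARNs=arns)."""
    flagged = []
    for gateway_arn, tape_arns in tapes_by_gateway(list_tapes_response).items():
        flagged.extend(default_key_tapes(describe_tapes(gateway_arn, tape_arns)))
    return flagged

def sample_describe_tapes(gateway_arn, tape_arns):
    """Offline stand-in for the API call, serving the constructed response."""
    return {"Tapes": [t for t in DESCRIBE_TAPES_RESPONSE["Tapes"]
                      if t["TapeARN"] in tape_arns]}
```

Running audit(LIST_TAPES_RESPONSE, sample_describe_tapes) returns the two tapes without a CMK; repeat per region by creating one client per --region value.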

Remediation / Resolution

Data encryption using KMS Customer Master Keys (CMKs) cannot be enabled for existing Amazon Storage Gateway virtual tapes. To encrypt cached/stored tape data using your own Customer Master Keys, you have to re-create the specified tapes. To create the required AWS KMS CMK and relaunch the required virtual tapes, perform the following:

Note: Creating and configuring Amazon Storage Gateway tapes using the AWS Management Console is not currently supported.

Using AWS CLI

01 Define the access policy that enables the specified IAM users and/or roles to manage the new KMS Customer Master Key and to encrypt and decrypt tape data using the AWS KMS API. Create a new policy document, name it virtual-tape-cmk-policy.json, and paste the following content (replace the example details, i.e. the account ID and the ARNs of the IAM users and/or roles, with your own):

{
  "Version": "2012-10-17",
  "Id": "sg-volume-custom-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/SGTapeManager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/SGTapeAdmin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/SGTapeAdmin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run the create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. virtual-tape-cmk-policy.json) as the command parameter to create the new AWS KMS CMK:

aws kms create-key \
    --region us-east-1 \
    --description 'KMS CMK for encrypting virtual tape data.' \
    --policy file://virtual-tape-cmk-policy.json

03 The command output should return the new KMS CMK metadata. Copy the key Amazon Resource Name (the Arn parameter value), as this information will be required later when you specify the key used for tape data encryption:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "abcd1234-abcd-1234-abcd-1234ancd1234",
        "Description": "KMS CMK for encrypting virtual tape data.",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1517237395.290,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234ancd1234",
        "AWSAccountId": "123456789012"
    }
}

04 Run the create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to add an alias to the new CMK. The alias must start with the prefix "alias/" (the command does not produce any output):

aws kms create-alias \
    --region us-east-1 \
    --alias-name alias/SGTapeCustomCMK \
    --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234ancd1234

05 Run the create-tapes command (OSX/Linux/UNIX) to create new virtual tapes for the specified tape gateway. Use the ARN of the newly created Customer Master Key (CMK) as the value of the --kms-key parameter, together with the --kms-encrypted flag, to configure data encryption using customer-managed keys:

aws storagegateway create-tapes \
    --region us-east-1 \
    --gateway-arn arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12AB34CD \
    --tape-size-in-bytes 161061273600 \
    --client-token AAAABBBB \
    --num-tapes-to-create 2 \
    --tape-barcode-prefix ABC \
    --kms-encrypted \
    --kms-key arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234ancd1234

06 The output should return the create-tapes command request metadata:

{
    "TapeARNs": [
        "arn:aws:storagegateway:us-east-1:123456789012:tape/AABBCCDD0",
        "arn:aws:storagegateway:us-east-1:123456789012:tape/12340ABCD"
    ]
}

07 Repeat step no. 5 to configure encryption at rest using AWS KMS Customer Master Keys for the other Amazon Storage Gateway tapes available in the selected region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 6 to perform the process for other regions.
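Before running create-key with the policy document from step 01, it is worth checking the properties that document relies on: the account root keeps kms:* (without it the key can become unmanageable through IAM), no statement opens the key to a wildcard principal, and kms:CreateGrant for the tape administrator stays limited by the kms:GrantIsForAWSResource condition. The checker below is added here and is not part of the original Conformity article; the embedded policy is a constructed, shortened copy of the page's statement shapes, and the account ID is the same placeholder the page uses.

```python
"""Sanity-check a KMS key policy before passing it to kms create-key: the account
root must keep kms:*, no statement may allow a wildcard principal, and CreateGrant
for non-root principals must carry the kms:GrantIsForAWSResource condition."""
ACCOUNT_ID = "123456789012"  # placeholder account id, as used on the page

# Constructed policy with the same statement shapes as the page's document.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow the use of the CMK", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/SGTapeAdmin"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
     "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/SGTapeAdmin"},
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    """Normalise the Principal element to a list of AWS principal strings."""
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))

def check_key_policy(policy, account_id):
    """Return a list of findings; an empty list means the policy passes."""
    root = f"arn:aws:iam::{account_id}:root"
    findings, root_is_admin = [], False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid, principals = stmt.get("Sid", "?"), _principals(stmt)
        actions = _as_list(stmt.get("Action", []))
        if "*" in principals:
            findings.append(f"{sid}: allows a wildcard principal")
        if root in principals and "kms:*" in actions:
            root_is_admin = True
        if "kms:CreateGrant" in actions and root not in principals:
            cond = stmt.get("Condition", {}).get("Bool", {})
            if str(cond.get("kms:GrantIsForAWSResource", "")).lower() != "true":
                findings.append(f"{sid}: CreateGrant without GrantIsForAWSResource")
    if not root_is_admin:
        findings.append("no statement gives the account root kms:*")
    return findings
```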

Publication date Mar 1, 2019