Use KMS Customer Master Keys for AWS Storage Gateway Volumes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the Amazon Storage Gateway service is using AWS KMS Customer Master Keys (CMKs) instead of AWS managed keys (i.e. default keys) for volume data encryption, in order to have fine-grained control over the data-at-rest encryption/decryption process and meet compliance requirements.

Security

When you use your own AWS KMS Customer Master Keys (CMKs) to encrypt data available on Amazon Storage Gateway volumes (cached or stored volumes), you have full control over who can use the encryption keys to access your data. AWS Key Management Service (KMS) allows you to easily create, rotate, disable and audit the Customer Master Keys used to encrypt AWS Storage Gateway volumes.

Audit

To determine the encryption configuration for your AWS Storage Gateway volumes, perform the following actions:

Note: Verifying the encryption configuration for Amazon Storage Gateway volumes using the AWS Management Console is not currently supported; the encryption configuration can be verified only through the AWS Command Line Interface (CLI).

Using AWS CLI

01 Run the list-volumes command (OSX/Linux/UNIX) to list the Amazon Resource Names (ARNs) of the AWS Storage Gateway cached and stored volumes available in the selected region:

aws storagegateway list-volumes \
    --region us-east-1 \
    --query 'VolumeInfos[*].VolumeARN'

02 The command output should return an array with the requested ARNs:

[
"arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234/volume/vol-01234ABCD1234ABCD",
"arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234/volume/vol-0ABCD1234ABCD1234"
]

03 Based on the type of the volume that you want to examine, cached or stored, execute one of the following commands:

  1. Run the describe-cached-iscsi-volumes command (OSX/Linux/UNIX) using the ARN of the volume that you want to examine as identifier and a custom query filter to return the KMS key used for data encryption by the selected AWS Storage Gateway cached volume:
    aws storagegateway describe-cached-iscsi-volumes \
        --region us-east-1 \
        --volume-arns arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234/volume/vol-01234ABCD1234ABCD \
        --query 'CachediSCSIVolumes[*].KMSKey'

  2. The command output should return the ARN of the AWS KMS CMK used by the selected volume, or an empty array if no CMK is configured:
    []

    If the describe-cached-iscsi-volumes command output returns an empty array, as shown in the example above, the selected Amazon Storage Gateway cached volume is encrypting its data at rest using the default (AWS managed) key instead of a customer-managed Customer Master Key (CMK).
  3. Run the describe-stored-iscsi-volumes command (OSX/Linux/UNIX) using the ARN of the volume that you want to examine as identifier and a custom query filter to return the KMS key used by the selected AWS Storage Gateway stored volume for data encryption:
    aws storagegateway describe-stored-iscsi-volumes \
        --region us-east-1 \
        --volume-arns arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234/volume/vol-0ABCD1234ABCD1234 \
        --query 'StorediSCSIVolumes[*].KMSKey'

  4. The command output should return the ARN of the KMS Customer Master Key used by the selected volume, or an empty array if no CMK is configured:
    []

    If the describe-stored-iscsi-volumes command output returns an empty array, as shown in the example above, the selected Amazon Storage Gateway stored volume is encrypting data at rest using the default (AWS managed) key instead of a customer-managed Customer Master Key (CMK).

04 Repeat step no. 3 to determine the encryption configuration for other Storage Gateway volumes available in the current region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the entire process for other regions.
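
The audit steps above can be run as one script instead of volume by volume. The following Python program is an added example; it is not part of the Conformity page and not a Trend Micro or AWS tool. It implements the same decision rule (a cached or stored volume whose describe-* record carries no KMSKey is using the default key) over constructed sample responses shaped like the CLI output shown above, and includes a live variant that makes the same three API calls with boto3 (assumed installed, with credentials configured). The gateway ARN, volume ids, key ARN and account id are placeholders; the VolumeType strings "CACHED iSCSI" and "STORED iSCSI" are the values the ListVolumes API is assumed to return.

```python
"""Report Storage Gateway volumes that encrypt data with the default KMS key.

Added example, not from the Conformity page. Sample data below is constructed
to match the list-volumes / describe-*-iscsi-volumes output shapes; all ARNs
and the account id are placeholders.
"""
from typing import Any, Dict, List

GATEWAY = "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234"
CMK = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-abcd-1234-abcd-1234abcd1234"

# Constructed sample of `list-volumes` output (VolumeType values as assumed from the API).
LIST_VOLUMES: Dict[str, Any] = {
    "VolumeInfos": [
        {"VolumeARN": f"{GATEWAY}/volume/vol-01234ABCD1234ABCD", "VolumeType": "CACHED iSCSI"},
        {"VolumeARN": f"{GATEWAY}/volume/vol-0ABCD1234ABCD1234", "VolumeType": "STORED iSCSI"},
        {"VolumeARN": f"{GATEWAY}/volume/vol-01234AABB1234CCDD", "VolumeType": "CACHED iSCSI"},
    ]
}
# Constructed samples of the describe-* outputs. The KMSKey field is only present
# when the volume was created with --kms-encrypted and a customer managed key.
DESCRIBE_CACHED: Dict[str, Any] = {
    "CachediSCSIVolumes": [
        {"VolumeARN": f"{GATEWAY}/volume/vol-01234ABCD1234ABCD"},                 # default key
        {"VolumeARN": f"{GATEWAY}/volume/vol-01234AABB1234CCDD", "KMSKey": CMK},   # customer CMK
    ]
}
DESCRIBE_STORED: Dict[str, Any] = {
    "StorediSCSIVolumes": [
        {"VolumeARN": f"{GATEWAY}/volume/vol-0ABCD1234ABCD1234"},                 # default key
    ]
}


def find_default_key_volumes(list_volumes: Dict[str, Any],
                             cached: Dict[str, Any],
                             stored: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per listed volume that does not use a customer managed CMK.

    A volume that is listed but missing from both describe outputs is reported as
    NOT_DESCRIBED rather than skipped, so an incomplete audit cannot silently pass.
    """
    records: Dict[str, Dict[str, Any]] = {}
    for rec in cached.get("CachediSCSIVolumes", []) + stored.get("StorediSCSIVolumes", []):
        records[rec["VolumeARN"]] = rec
    findings: List[Dict[str, str]] = []
    for info in list_volumes.get("VolumeInfos", []):
        arn = info["VolumeARN"]
        vtype = info.get("VolumeType", "")
        rec = records.get(arn)
        if rec is None:
            findings.append({"VolumeARN": arn, "VolumeType": vtype, "Status": "NOT_DESCRIBED"})
        elif not rec.get("KMSKey"):
            findings.append({"VolumeARN": arn, "VolumeType": vtype, "Status": "DEFAULT_KEY"})
    return findings


def audit_region(region: str) -> List[Dict[str, str]]:
    """Live variant: the same check driven by boto3 (assumed installed and configured)."""
    import boto3  # imported here so the offline sample above runs without it
    sgw = boto3.client("storagegateway", region_name=region)
    infos: List[Dict[str, Any]] = []
    marker = None
    while True:  # ListVolumes pages with a Marker token
        page = sgw.list_volumes(Marker=marker) if marker else sgw.list_volumes()
        infos.extend(page.get("VolumeInfos", []))
        marker = page.get("Marker")
        if not marker:
            break
    cached_arns = [v["VolumeARN"] for v in infos if v.get("VolumeType") == "CACHED iSCSI"]
    stored_arns = [v["VolumeARN"] for v in infos if v.get("VolumeType") == "STORED iSCSI"]
    cached = sgw.describe_cached_iscsi_volumes(VolumeARNs=cached_arns) if cached_arns else {}
    stored = sgw.describe_stored_iscsi_volumes(VolumeARNs=stored_arns) if stored_arns else {}
    return find_default_key_volumes({"VolumeInfos": infos}, cached, stored)


if __name__ == "__main__":
    for f in find_default_key_volumes(LIST_VOLUMES, DESCRIBE_CACHED, DESCRIBE_STORED):
        print(f"{f['Status']:14} {f['VolumeType']:13} {f['VolumeARN']}")
```

Run as-is the script reports the two sample volumes that use the default key; call audit_region("us-east-1") (and repeat per region, as step 05 says) to run it against an account. Treating NOT_DESCRIBED as a finding is deliberate: a volume you could list but not describe is one whose key you have not verified.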

Remediation / Resolution

Encryption at rest using KMS Customer Master Keys (CMKs) cannot be configured for existing Amazon Storage Gateway volumes. To encrypt cached/stored volume data using your own Customer Master Keys, you have to re-create the specified volumes. To create the required AWS KMS CMK and relaunch the required volumes, perform the following actions:

Note: Creating and configuring Amazon Storage Gateway volumes using the AWS Management Console is not currently supported.

Using AWS CLI

01 Define the access policy that enables the specified IAM users and/or roles to manage the new KMS Customer Master Key and to encrypt/decrypt volume data using the AWS KMS API. Create a new policy document, name it sg-volume-cmk-policy.json, and paste the following content (replace the example details, i.e. the account ID and the ARNs for the IAM users and/or roles, with your own):

{
  "Version": "2012-10-17",
  "Id": "sg-volume-custom-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/SGVolumeManager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/SGVolumeAdmin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/SGVolumeAdmin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run the create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. sg-volume-cmk-policy.json) as command parameter to create the new AWS KMS CMK:

aws kms create-key \
    --region us-east-1 \
    --description 'KMS CMK for encrypting Storage Gateway volume data.' \
    --policy file://sg-volume-cmk-policy.json

03 The command output should return the new KMS CMK metadata. Copy the key Amazon Resource Name (the Arn parameter value) as this information will be required later when you have to specify the key required for volume data encryption:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "1234abcd-abcd-1234-abcd-1234abcd1234",
        "Description": "KMS CMK for encrypting Storage Gateway volume data.",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1517237159.150,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-abcd-1234-abcd-1234abcd1234",
        "AWSAccountId": "123456789012"
    }
}

04 Run the create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command does not return an output):

aws kms create-alias \
    --region us-east-1 \
    --alias-name alias/SGVolumeCustomCMK \
    --target-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-abcd-1234-abcd-1234abcd1234

05 Based on the type of the volume (cached or stored) that you want to re-create, execute one of the following CLI commands:

  1. Run the create-cached-iscsi-volume command (OSX/Linux/UNIX) to create a new cached volume for the specified volume gateway. Use the ARN of the newly created Customer Master Key (CMK) as value for the --kms-key parameter, to enable encryption at rest using customer-managed keys:
    aws storagegateway create-cached-iscsi-volume \
        --region us-east-1 \
        --gateway-arn arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234 \
        --volume-size-in-bytes 161061273600 \
        --target-name cc-cached-volume \
        --network-interface-id 172.30.50.15 \
        --client-token AABBCCDD \
        --kms-encrypted \
        --kms-key arn:aws:kms:us-east-1:123456789012:key/1234abcd-abcd-1234-abcd-1234abcd1234

  2. The output should return the command request metadata:
    {
        "TargetARN": "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234/target/iqn.1995-15.com.amazon:cc-cached-volume",
        "VolumeARN": "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234/volume/vol-01234AABB1234CCDD"
    }

  3. Run the create-stored-iscsi-volume command (OSX/Linux/UNIX) to create a new stored volume for the specified AWS Storage Gateway volume gateway. Use the ARN of the Customer Master Key (CMK) created earlier in the process as value for the --kms-key parameter, to enable data encryption using customer-managed keys:
    aws storagegateway create-stored-iscsi-volume \
        --region us-east-1 \
        --gateway-arn arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234 \
        --target-name cc-stored-volume \
        --network-interface-id 172.200.10.75 \
        --preserve-existing-data \
        --disk-id aaaabbbb-cccc-aaaa-bbbb-aaaabbbbcccc \
        --kms-encrypted \
        --kms-key arn:aws:kms:us-east-1:123456789012:key/1234abcd-abcd-1234-abcd-1234abcd1234

  4. The command output should return the create-stored-iscsi-volume request metadata:
    {
        "TargetARN": "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234/target/iqn.1997-10.com.amazon:cc-stored-volume",
        "VolumeSizeInBytes": 161061273600,
        "VolumeARN": "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12341234/volume/vol-01234123412341234"
    }


06 Repeat step no. 5 to configure encryption at rest using AWS KMS Customer Master Keys for other Amazon Storage Gateway volumes available in the selected region.

07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 6 to perform the process for other regions.
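
The key policy written in step 01 is the part of this procedure that is easiest to get wrong: a key policy that does not keep kms:* for the account root cannot be extended through IAM policies and can leave the key unmanageable, and a CreateGrant permission without the kms:GrantIsForAWSResource condition is broader than a volume user needs. The following Python program is an added example, not code from the Conformity page or from AWS. It lints a key policy document for those mistakes (plus a wildcard principal, a wrong Version, and principals from another account) and, only when the policy is clean, performs steps 02 to 05 for a cached volume through boto3 (assumed installed and configured). The account id, ARNs, names and size are constructed placeholders; the sample policy mirrors the four statements shown in step 01.

```python
"""Lint a KMS key policy, then optionally run the remediation with boto3.

Added example, not from the Conformity page or AWS. ACCOUNT, the ARNs, names
and sizes are placeholders; the sample policy mirrors the one in step 01.
"""
import json
import re
from typing import Any, Dict, List

ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")
IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")
ACCOUNT = "123456789012"  # placeholder account id


def _as_list(value: Any) -> List[Any]:
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _principals(stmt: Dict[str, Any]) -> List[str]:
    """Flatten the Principal element to a list of ARNs (or '*')."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return [str(p) for v in principal.values() for p in _as_list(v)]
    return [str(p) for p in _as_list(principal)]


def lint_kms_key_policy(policy: Dict[str, Any]) -> List[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    findings: List[str] = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    statements = [s for s in _as_list(policy.get("Statement")) if isinstance(s, dict)]
    # The account root must keep kms:* on the key; without that statement IAM
    # policies in the account cannot grant access to the key at all.
    account = None
    for s in statements:
        if s.get("Effect") == "Allow" and "kms:*" in _as_list(s.get("Action")):
            for p in _principals(s):
                m = ROOT_ARN.match(p)
                if m:
                    account = m.group(1)
    if account is None:
        findings.append("no Allow statement grants kms:* to arn:aws:iam::<account>:root")
    for s in statements:
        if s.get("Effect") != "Allow":
            continue
        sid, actions = s.get("Sid", "<no Sid>"), _as_list(s.get("Action"))
        principals = _principals(s)
        if "*" in principals:
            findings.append(f"{sid}: Allow with Principal '*' exposes the key to any AWS principal")
        # CreateGrant for users/roles should be limited to grants created on behalf of
        # AWS services, which is what the kms:GrantIsForAWSResource condition does.
        # Only the literal action is checked; wildcards such as kms:Create* are not expanded.
        cond = s.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
        if "kms:CreateGrant" in actions and str(cond).lower() != "true":
            findings.append(f"{sid}: kms:CreateGrant lacks the kms:GrantIsForAWSResource condition")
        for p in principals:
            m = IAM_ARN.match(p)
            if m and account and m.group(1) != account:
                findings.append(f"{sid}: principal {p} is in another account; confirm this is intended")
    return findings


# Constructed sample mirroring the four statements of the step 01 policy document.
SAMPLE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Grant access to CMK manager", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/SGVolumeManager"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"], "Resource": "*"},
        {"Sid": "Allow the use of the CMK", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/SGVolumeAdmin"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                    "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/SGVolumeAdmin"},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"], "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}


def remediate_cached_volume(region: str, policy: Dict[str, Any], gateway_arn: str,
                            target_name: str, nic_id: str, size_bytes: int, token: str) -> str:
    """Steps 02 to 05 for one cached volume; refuses to run if the policy has findings."""
    problems = lint_kms_key_policy(policy)
    if problems:
        raise ValueError("fix the key policy first: " + "; ".join(problems))
    import boto3  # imported here so the offline linter runs without it
    kms = boto3.client("kms", region_name=region)
    key_arn = kms.create_key(Policy=json.dumps(policy),
                             Description="KMS CMK for encrypting Storage Gateway volume data.")["KeyMetadata"]["Arn"]
    kms.create_alias(AliasName="alias/SGVolumeCustomCMK", TargetKeyId=key_arn)
    sgw = boto3.client("storagegateway", region_name=region)
    out = sgw.create_cached_iscsi_volume(GatewayARN=gateway_arn, VolumeSizeInBytes=size_bytes,
                                         TargetName=target_name, NetworkInterfaceId=nic_id,
                                         ClientToken=token, KMSEncrypted=True, KMSKey=key_arn)
    return out["VolumeARN"]


if __name__ == "__main__":
    print(lint_kms_key_policy(SAMPLE_POLICY) or "no findings")
```

Run the file to lint the built-in sample, or pass the contents of sg-volume-cmk-policy.json through json.load to lint your own document before step 02; the policy is only sent to create-key once the linter returns no findings, since a key policy cannot be replaced through IAM once the root statement is missing.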

Publication date Feb 28, 2019