X-Ray Data Encrypted With KMS Customer Master Keys

01 Sign in to AWS Management Console.

02 Navigate to X-Ray dashboard at https://console.aws.amazon.com/xray/home.

03 In the left navigation panel, under Configuration, select Encryption to access the encryption configuration page available for the X-Ray service.

04 On Encryption configuration page, check the existing configuration set for X-Ray traces. If Use default encryption checkbox is selected instead of Use a customer master key checkbox, the Amazon X-Ray service encrypts trace data using an AWS managed key, created by default by Amazon Web Services within the selected region.

05 Change the AWS region from the navigation bar and repeat the audit process for other regions.

01 Run get-encryption-config command (OSX/Linux/UNIX) using custom query filters to describe the ID of the KMS Customer Master Key (CMK) used for encryption (if applicable):

aws xray get-encryption-config
	--region us-east-1
	--query 'EncryptionConfig.KeyId'

02 The command output should return the requested KMS key ID or null if there is no CMK used to encrypt X-Ray trace data in the selected AWS region:

null

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the audit process for other regions.

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, click on the Encryption Keys.

04 Select the appropriate AWS region from the Filter menu (must match the region where your X-Ray service is being configured).

05 Click Create Key button from the dashboard top menu.

06 In the Alias (required) and Description fields, enter a unique name (alias) and a description for the new CMK, then click the Next Step button.

07 Under Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click Next Step.

08 Under This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt the trace data with the AWS KMS API.

09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt the X-Ray trace data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users.

10 Click Next Step to continue.

11 Under Preview Key Policy section, review the key policy generated by AWS then click Finish to create your new CMK. Once the key is created, the KMS dashboard will display the following confirmation message: “Your master key was created successfully. Alias: <cmk-alias>”.

12 Once your KMS key is created, navigate to Amazon X-Ray dashboard at https://console.aws.amazon.com/xray/home.

13 In the left navigation panel, under Configuration, select Encryption to access the encryption configuration page for the X-Ray service.

14 On Encryption configuration page, perform the following actions:

1. Choose Use a customer master key checkbox and select the alias (name) of the KMS Customer Master Key created earlier from the KMS master key dropdown list.
2. Click Apply changes to apply the encryption configuration changes.

15 Change the AWS region from the navigation bar and repeat the entire process for other regions.

01 Before you create your AWS KMS Customer Master Key (CMK), you must define a policy that enables the selected IAM users and/or roles to administer the new CMK and to encrypt/decrypt X-Ray trace data using the KMS API. Create a new policy document, name it xray-kms-cmk-policy.json and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):

{
  "Version": "2012-10-17",
  "Id": "aws-xray-cmk-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/cc-xray-manager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/cc-xray-admin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/cc-xray-admin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. xray-kms-cmk-policy.json) as required command parameter to create the new KMS CMK:

aws kms create-key
	--region us-east-1
	--description 'AWS KMS CMK to encrypt X-Ray trace data'
	--policy file://xray-kms-cmk-policy.json

03 The command output should return the new KMS Customer Master Key metadata. Copy the CMK ARN (highlighted) as this identifier will be required later when you need to specify the key required for trace data encryption:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
        "Description": "AWS KMS CMK to encrypt X-Ray trace data",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1517235833.150,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
        "AWSAccountId": "123456789012"
    }
}

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step as value for the "Arn" attribute, to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command does not produce an output):

aws kms create-alias
	--region us-east-1
	--alias-name alias/xray-trace-data-cmk
	--target-key-id arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc

05 Run put-encryption-config command (OSX/Linux/UNIX) using the ARN of the Customer Master Key (CMK) created earlier as command parameter, to update the encryption configuration for Amazon X-Ray service within the selected AWS region:

aws xray put-encryption-config
	--region us-east-1
	--type KMS
	--key-id arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc

06 The command output should return the encryption configuration metadata for AWS X-Ray:

{
    "EncryptionConfig": {
        "Status": "UPDATING",
        "KeyId": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
        "Type": "KMS"
    }
}

07 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other regions.