X-Ray Data Encrypted With KMS Customer Master Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: XRay-001

Ensure that your AWS X-Ray trace data is encrypted with Amazon KMS Customer Master Keys (CMKs) instead of AWS managed keys (i.e. the default keys used by the Amazon X-Ray service when no customer master key is configured for traces), in order to have more control over the trace data encryption/decryption process and to meet compliance and/or internal requirements. AWS X-Ray is a managed service that collects data about the requests that your cloud application serves, providing tools that you can use to view, filter and gain insights into your application load in order to identify issues and opportunities for performance optimization.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

By default, Amazon X-Ray encrypts trace data using an AWS managed key named "aws/xray". To gain full control over your AWS X-Ray encryption key management, you need to create your own KMS Customer Master Key (CMK). Amazon KMS service allows you to easily rotate, disable and audit the CMK encryption key used for your X-Ray traces.


Audit

To determine the encryption configuration for your AWS X-Ray traces, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to X-Ray dashboard at https://console.aws.amazon.com/xray/home.

03 In the left navigation panel, under Configuration, select Encryption to access the encryption configuration page available for the X-Ray service.

04 On the Encryption configuration page, check the existing configuration set for X-Ray traces. If the Use default encryption checkbox is selected instead of the Use a customer master key checkbox, the Amazon X-Ray service encrypts trace data using an AWS managed key, created by default by Amazon Web Services within the selected region.

05 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run get-encryption-config command (OSX/Linux/UNIX) using custom query filters to describe the ID of the KMS Customer Master Key (CMK) used for encryption (if applicable):

aws xray get-encryption-config \
	--region us-east-1 \
	--query 'EncryptionConfig.KeyId'

02 The command output should return the requested KMS key ID or null if there is no CMK used to encrypt X-Ray trace data in the selected AWS region:

null

If the get-encryption-config command output returns null, as shown in the example above, Amazon X-Ray is not using a KMS Customer Master Key (CMK) to encrypt trace data within the selected region; instead, the service is using the default AWS managed key for encryption.

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the audit process for other regions.
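An added example (not part of the Conformity page) that applies the audit logic above across regions in Python: it evaluates saved get-encryption-config output, flags a region whenever Type is not KMS or KeyId is null, and can fetch live output through the same AWS CLI command. The sample outputs and account ID are constructed.

```python
import json
import subprocess

# Outputs as returned by `aws xray get-encryption-config` in two regions
# (constructed for this example, not captured from a real account).
SAMPLE_OUTPUTS = {
    "us-east-1": '{"EncryptionConfig": {"Type": "NONE", "Status": "ACTIVE"}}',
    "eu-west-1": ('{"EncryptionConfig": {"Type": "KMS", "Status": "ACTIVE", '
                  '"KeyId": "arn:aws:kms:eu-west-1:123456789012:key/'
                  'aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc"}}'),
}


def evaluate_encryption_config(output: str) -> tuple:
    """Apply the XRay-001 logic to one region's get-encryption-config output.

    Returns (compliant, reason). A region passes only when X-Ray encrypts traces
    with a KMS key (Type KMS and a non-null KeyId); Type NONE, a null KeyId or a
    missing EncryptionConfig means the default AWS managed key 'aws/xray' is in use.
    """
    config = json.loads(output).get("EncryptionConfig") or {}
    key_id = config.get("KeyId")
    if config.get("Type") != "KMS" or not key_id:
        return False, "default AWS managed key (aws/xray) in use"
    status = config.get("Status", "ACTIVE")
    if status != "ACTIVE":
        # put-encryption-config reports UPDATING until the change is applied
        return True, f"KMS key {key_id} configured, status {status}"
    return True, f"KMS key {key_id} configured"


def fetch_encryption_config(region: str) -> str:
    """Run the page's audit command for one region (needs AWS CLI and credentials)."""
    return subprocess.run(
        ["aws", "xray", "get-encryption-config", "--region", region],
        check=True, capture_output=True, text=True,
    ).stdout


def audit_regions(outputs: dict) -> list:
    """Return the regions that fail the rule, given {region: raw JSON output}."""
    return [r for r, out in outputs.items() if not evaluate_encryption_config(out)[0]]


if __name__ == "__main__":
    for region, raw in SAMPLE_OUTPUTS.items():
        ok, reason = evaluate_encryption_config(raw)
        print(f"{region}: {'PASS' if ok else 'FAIL'} - {reason}")
```

To audit a live account, replace SAMPLE_OUTPUTS with {region: fetch_encryption_config(region) for region in your_region_list}.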

Remediation / Resolution

To configure AWS X-Ray to encrypt traces and related data at rest with your own AWS KMS Customer Master Key (CMK), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu (must match the region where your X-Ray service is being configured).

05 Click Create Key button from the dashboard top menu.

06 In the Alias (required) and Description fields, enter a unique name (alias) and a description for the new CMK, then click the Next Step button.

07 Under Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click Next Step.

08 Under This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt the trace data with the AWS KMS API.

09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt the X-Ray trace data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users.

10 Click Next Step to continue.

11 Under Preview Key Policy section, review the key policy generated by AWS then click Finish to create your new CMK. Once the key is created, the KMS dashboard will display the following confirmation message: “Your master key was created successfully. Alias: <cmk-alias>”.

12 Once your KMS key is created, navigate to Amazon X-Ray dashboard at https://console.aws.amazon.com/xray/home.

13 In the left navigation panel, under Configuration, select Encryption to access the encryption configuration page for the X-Ray service.

14 On Encryption configuration page, perform the following actions:

  1. Choose Use a customer master key checkbox and select the alias (name) of the KMS Customer Master Key created earlier from the KMS master key dropdown list.
  2. Click Apply changes to apply the encryption configuration changes.

15 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Before you create your AWS KMS Customer Master Key (CMK), you must define a policy that enables the selected IAM users and/or roles to administer the new CMK and to encrypt/decrypt X-Ray trace data using the KMS API. Create a new policy document, name it xray-kms-cmk-policy.json and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):

{
  "Version": "2012-10-17",
  "Id": "aws-xray-cmk-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/cc-xray-manager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/cc-xray-admin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/cc-xray-admin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. xray-kms-cmk-policy.json) as required command parameter to create the new KMS CMK:

aws kms create-key \
	--region us-east-1 \
	--description 'AWS KMS CMK to encrypt X-Ray trace data' \
	--policy file://xray-kms-cmk-policy.json

03 The command output should return the new KMS Customer Master Key metadata. Copy the CMK ARN (highlighted) as this identifier will be required later when you need to specify the key required for trace data encryption:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
        "Description": "AWS KMS CMK to encrypt X-Ray trace data",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1517235833.150,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
        "AWSAccountId": "123456789012"
    }
}

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned as the "Arn" attribute at the previous step as the value for the --target-key-id parameter, to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command does not produce an output):

aws kms create-alias \
	--region us-east-1 \
	--alias-name alias/xray-trace-data-cmk \
	--target-key-id arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc

05 Run put-encryption-config command (OSX/Linux/UNIX) using the ARN of the Customer Master Key (CMK) created earlier as command parameter, to update the encryption configuration for Amazon X-Ray service within the selected AWS region:

aws xray put-encryption-config \
	--region us-east-1 \
	--type KMS \
	--key-id arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc

06 The command output should return the encryption configuration metadata for AWS X-Ray:

{
    "EncryptionConfig": {
        "Status": "UPDATING",
        "KeyId": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
        "Type": "KMS"
    }
}

07 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other regions.
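An added example (not part of the Conformity page) that sanity-checks the key policy document from step 01 before it is passed to create-key: it confirms the account-root statement is present (without it the CMK can become unmanageable), that no statement allows any principal without a condition, and that the principal who will configure X-Ray encryption and read traces holds the actions the page's "Allow the use of the CMK" statement grants. The embedded policy is an abridgement of the page's sample, with the page's sample account ID and principal ARNs.

```python
import json

ACCOUNT_ID = "123456789012"  # the page's sample account ID

# Abridged copy of the step 01 key policy (constructed for this example).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow the use of the CMK", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/cc-xray-admin"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
})

# Actions the page's "Allow the use of the CMK" statement grants to the X-Ray user.
REQUIRED_USE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def check_key_policy(policy_json: str, use_principal: str) -> list:
    """Return a list of findings for the key policy (empty means all checks pass)."""
    allows = [s for s in json.loads(policy_json)["Statement"] if s.get("Effect") == "Allow"]
    findings = []
    root = f"arn:aws:iam::{ACCOUNT_ID}:root"
    if not any(root in _principals(s) and "kms:*" in _as_list(s.get("Action")) for s in allows):
        findings.append("no account-root kms:* statement: key risks becoming unmanageable")
    for s in allows:
        if "*" in _principals(s) and "Condition" not in s:
            findings.append(f"statement {s.get('Sid')!r} allows any principal without a condition")
    granted = set()
    for s in allows:
        if use_principal in _principals(s):
            granted.update(_as_list(s.get("Action")))
    missing = REQUIRED_USE_ACTIONS - granted
    if missing and "kms:*" not in granted:
        findings.append(f"{use_principal} lacks {sorted(missing)}")
    return findings
```

Run check_key_policy(open("xray-kms-cmk-policy.json").read(), "<your X-Ray user ARN>") against your own policy file before the create-key step.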

Publication date Oct 29, 2018