Existence of Specific AWS KMS CMKs

Risk Level: Low (generally tolerable level of risk)

Rule ID: KMS-008

Ensure that a specific list of AWS KMS Customer Master Keys (CMKs) are available for use in your AWS account in order to meet strict security and compliance requirements in your organization. Before this rule runs, the list of specific KMS Customer Master Keys must be defined in the rule settings, on the TrendAI Vision One™ Cloud Risk Management Dashboard dashboard.

This rule can help you with the following compliance standards:

NIST4

For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.

This rule can help you work with the AWS Well-Architected Framework.

Security

Using the specified set of Amazon KMS Customer Master Keys (CMKs) to encrypt data within your AWS account can provide a better control over encryption/decryption process and fulfill compliance requirements when it comes to data protection in your organization.

Audit

To determine if the KMS keys specified in the rule settings (e.g. "highlyprotected", "protected", "internal", etc) are available for use in your AWS account, perform the following actions:

Using AWS Console

Sign into your TrendAI Vision One™ account to access Cloud Risk Management, access Check for Existence of Specific AWS KMS CMKs rule settings and identify the name (alias) of each Customer Master Key (CMK) designated to encrypt data in your AWS account
Sign in to AWS Management Console.
Navigate to Identity and Access Management (KMS) dashboard at https://console.aws.amazon.com/kms/.
In the left navigation panel, click Encryption Keys.
Choose an AWS region from the Filter dropdown list.
Use the Search box available in the dashboard top menu to search for each key name (i.e. alias) identified at step no. 1, specified in the rule settings.
Change the AWS region from the Filter dropdown list to check for existence of specific CMKs in other regions. If an Amazon KMS Customer Master Key (CMK) is returned for each key alias/name specified in the rule settings, the list of specific KMS Customer Master Keys available in your AWS account is compliant, otherwise the list is non-compliant.

Using AWS CLI

Sign into your TrendAI Vision One™ account to access Cloud Risk Management, access Check for Existence of Specific AWS KMS CMKs rule settings and identify the name (alias) of each Customer Master Key (CMK) designated to encrypt data in your AWS account
Run list-aliases command (OSX/Linux/UNIX) with custom query filters to return the aliases and the IDS of all the KMS keys available in the selected AWS region:
```
aws kms list-aliases
	--region us-east-1
	--output table
	--query 'Aliases[*].AliasName'
```

The command output should return a table with the existing key aliases (names):

---------------------------------
|          ListAliases          |
+-------------------------------+
|  alias/cc-protected-key       |
|  alias/cc-internal-key        |
|  alias/cc-prod-manager-key    |
|  alias/aws/backup             |
|  alias/aws/dynamodb           |
|  alias/aws/kinesis            |
|  alias/aws/lambda             |
|  alias/aws/rds                |
|  alias/aws/redshift           |
+-------------------------------+

Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to check for existence of specific CMKs in other regions. If an Amazon KMS Customer Master Key (CMK) is returned for each key alias specified in the rule settings, the list of specific KMS Customer Master Keys available in your AWS account is compliant, otherwise the list of CMKs is non-compliant.

Remediation / Resolution

To create the required Amazon KMS Customer Master Keys (CMKs), defined in the rule settings, perform the following actions:

Using AWS Console

Sign into your TrendAI Vision One™ account to access Cloud Risk Management, access Check for Existence of Specific AWS KMS CMKs rule settings and copy the name (alias) of the Customer Master Key that you want to create in your AWS account.
Sign in to AWS Management Console.
Navigate to Identity and Access Management (KMS) dashboard at https://console.aws.amazon.com/kms/.
In the left navigation panel, click Encryption Keys.
Select the appropriate AWS region from the Filter dropdown menu (must match the region where the cloud resources that will use the key are provisioned).
Click Create Key button from the dashboard top menu to start the setup process.
On Create Alias and Description page, paste the alias copied at step no. 1 into the Alias (required) box and enter a short description for the new key in the Description box. Click Next Step to continue.
On Add Tags page, create tags to manage the identity of the new KMS key (optional). Click Next Step to continue the setup process.
On Define Key Administrative Permissions page, select which IAM users and/or roles can administer the new KMS CMK, then click Next Step.
On Define Key Usage Permissions page, select which IAM users and/or roles can use the key to encrypt/decrypt data with the AWS KMS API. If you want external AWS accounts to use the key to encrypt and decrypt data, in the External Accounts section, click Add an External Account and enter the external account ID to add the AWS account that can use the CMK. The owners of the external AWS accounts must also provide access to your CMK by creating policies for their IAM users. Click Next Step to continue.
On Preview Key Policy page, review the predefined access policy then click Finish to create the new Amazon KMS Customer Master Key (CMK). Once the key is successfully created, the Key Management Service (KMS) service dashboard will display the following confirmation message: “Your master key was created successfully. Alias: <key-name>”
Repeat steps no. 6 – 11 to create other specific AWS KMS Customer Master Keys to be used in the selected region.
If required, change the AWS region from the Filter dropdown menu and repeat the process for other regions.

Using AWS CLI

Sign into your TrendAI Vision One™ account to access Cloud Risk Management, access Check for Existence of Specific AWS KMS CMKs rule settings and copy the alias (name) of the Customer Master Key (CMK) that you want to create in your AWS account.

Define the access policy that enables the specified AWS IAM users and/or roles to administer the new CMK and the selected IAM users and/or roles to encrypt/decrypt data using the Key Management Service (KMS) API. Create a new JSON document, name it cmk-access-policy.json and paste the following data (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):

{
  "Id": "custom-cmk-access-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:user/<USER_NAME>"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:user/<USER_NAME>"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}

Run create-key command (OSX/Linux/UNIX) using the policy document defined at the previous step (i.e. cmk-access-policy.json), to create the required Amazon KMS Customer Master Key (CMK) in the selected AWS region:
```
aws kms create-key
	--region us-east-1
	--description 'Specific KMS CMK for encrypting production data'
	--policy file://cmk-access-policy.json
```

The command output should return the new KMS CMK metadata:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "aabbccdd-1234-abcd-1234-aabbccdd1234",
        "Description": "Specific KMS CMK for encrypting production data",
        "KeyManager": "CUSTOMER",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 15198439962.150,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/aabbccdd-1234-abcd-1234-aabbccdd1234",
        "AWSAccountId": "123456789012"
    }
}

Run create-alias command (OSX/Linux/UNIX) using the ARN of the newly created key to attach the alias copied at step no. 1 to the new Customer Master Key. The alias must always start with the prefix, i.e. "alias/" (the command does not produce an output):
```
aws kms create-alias
	--alias-name alias/cc-highlyprotected-key
	--target-key-id arn:aws:kms:us-east-1:123456789012:key/aabbccdd-1234-abcd-1234-aabbccdd1234
```
Repeat steps no. 2 – 5 to create other specific Amazon KMS Customer Master Keys to be used in the selected AWS region.
If required, change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

References

AWS Command Line Interface (CLI) Documentation
kms
list-aliases
create-key
create-alias

Publication date Mar 1, 2019

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related KMS rules