End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more are available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

KMS Cross Account Access

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: KMS-006

Ensure that your customer-managed Customer Master Keys (CMKs) are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross-account access. Before this rule runs, the list with the trusted AWS account identifiers (IDs and/or ARNs) must be configured in the rule settings, on your TrendAI Vision One™ Cloud Risk Management Dashboard.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.

This rule can help you work with the AWS Well-Architected Framework.

Security

You can allow IAM identities in a different AWS account to use the Customer Master Keys available within your cloud account. Allowing untrustworthy cross-account access to your Amazon KMS Customer Master Keys (CMKs) via key policies will enable foreign AWS accounts to gain control over who can use the keys and access the data encrypted with these keys. To prevent data leaks and data loss, you must grant access only to trusted accounts by implementing secure access policies.


Audit

To determine if your customer-managed Customer Master Keys (CMKs) allow unauthorized cross-account access, perform the following actions:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

  3. In the navigation panel, under Key Management Service (KMS), choose Customer managed keys.

  4. Click on the name (alias) of the customer-managed Customer Master Key (CMK) that you want to examine.

  5. Select the Key policy tab from the console bottom panel to view the access policy defined for the selected key.

  6. In the Other AWS accounts section, identify the AWS account identifiers (IDs/ARNs) configured for cross-account access.

  7. Sign in to your TrendAI Vision One™ account to access Cloud Risk Management, open the Customer Master Key Cross-Account Access rule settings, and compare the IDs/ARNs identified in the previous step against each AWS account ID/ARN defined in the rule configuration section. If one or more IDs/ARNs are not included in the list of trusted AWS identities defined in the rule settings, the cross-account access configuration of the selected Amazon KMS Customer Master Key (CMK) is not secure.

  8. Repeat steps no. 4 – 7 for each Customer Master Key (CMK) available within the current AWS region.

  9. Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

  1. Run list-keys command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon KMS Customer Master Key (CMK) available in the selected AWS region:

    aws kms list-keys \
      --region us-east-1 \
      --output table \
      --query 'Keys[*].KeyId'
    
  2. The command output should return a table with the requested CMK ID(s):

    ------------------------------------------
    |                ListKeys                |
    +----------------------------------------+
    |  aaaabbbb-aaaa-bbbb-cccc-123456789012  |
    |  bbbbcccc-bbbb-cccc-dddd-123456789012  |
    |  aaaadddd-cccc-dddd-aaaa-123456789012  |
    +----------------------------------------+
    
  3. Run get-key-policy command (OSX/Linux/UNIX) using the ID of the Customer Master Key (CMK) that you want to examine as the identifier parameter and custom query filters to describe the access policy defined for the selected KMS key:

    aws kms get-key-policy \
      --region us-east-1 \
      --key-id aaaabbbb-aaaa-bbbb-cccc-123456789012 \
      --policy-name default \
      --output text \
      --query 'Policy'
    
  4. The command output should return the requested key policy in JSON format:

    {
    	"Id": "key-consolepolicy-5",
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Sid": "Enable IAM User Permissions",
    			"Effect": "Allow",
    			"Principal": {
    				"AWS": "arn:aws:iam::123456789012:root"
    			},
    			"Action": "kms:*",
    			"Resource": "*"
    		},
    		{
    			"Sid": "Allow access for Key Administrators",
    			"Effect": "Allow",
    			"Principal": {
    				"AWS": "arn:aws:iam::123456789012:user/kms-admin"
    			},
    			"Action": [
    				"kms:Create*",
    				"kms:Describe*",
    				"kms:Enable*",
    				"kms:List*",
    				"kms:Put*",
    				"kms:Update*",
    				"kms:Revoke*",
    				"kms:Disable*",
    				"kms:Get*",
    				"kms:Delete*",
    				"kms:TagResource",
    				"kms:UntagResource",
    				"kms:ScheduleKeyDeletion",
    				"kms:CancelKeyDeletion"
    			],
    			"Resource": "*"
    		},
    		{
    			"Sid": "Allow use of the key",
    			"Effect": "Allow",
    			"Principal": {
    				"AWS": [
    					"arn:aws:iam::123456789012:user/ec2-manager",
    					"arn:aws:iam::123412341234:root"
    				]
    			},
    			"Action": [
    				"kms:Encrypt",
    				"kms:Decrypt",
    				"kms:ReEncrypt*",
    				"kms:GenerateDataKey*",
    				"kms:DescribeKey"
    			],
    			"Resource": "*"
    		},
    		{
    			"Sid": "Allow attachment of persistent resources",
    			"Effect": "Allow",
    			"Principal": {
    				"AWS": [
    					"arn:aws:iam::123456789012:user/ec2-manager",
    					"arn:aws:iam::123412341234:root"
    				]
    			},
    			"Action": [
    				"kms:CreateGrant",
    				"kms:ListGrants",
    				"kms:RevokeGrant"
    			],
    			"Resource": "*"
    		}
    	]
    }
    

    Check the key policy returned by the get-key-policy command and identify the AWS account identifiers (IDs/ARNs) configured for cross-account access, defined as the value(s) of the "Principal" element in each statement.

  5. Sign in to your TrendAI Vision One™ account to access Cloud Risk Management, open the Customer Master Key Cross-Account Access rule settings, and compare the IDs/ARNs identified in the previous step against each AWS account ID/ARN defined in the rule configuration section. If one or more IDs/ARNs are not included in the list of trusted AWS identities defined in the rule settings, the cross-account access configuration of the selected Amazon KMS Customer Master Key (CMK) is not secure.

  6. Repeat steps no. 3 – 5 for each Customer Master Key available in the selected AWS region.

  7. Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To update your Customer Master Key (CMK) policy in order to allow cross-account access from trusted AWS accounts only, perform the following actions:

Using AWS CloudFormation

  1. CloudFormation template (JSON):

    {
    	"AWSTemplateFormatVersion": "2010-09-09",
    	"Resources": {
    		"KMSKEY": {
    			"Type": "AWS::KMS::Key",
    			"Properties": {
    				"Enabled": true,
    				"KeySpec": "SYMMETRIC_DEFAULT",
    				"KeyUsage": "ENCRYPT_DECRYPT",
    				"Description": "Cross-Account Amazon KMS Customer Master Key",
    				"KeyPolicy": {
    					"Version": "2012-10-17",
    					"Statement": [
    						{
    							"Sid": "Enable IAM User Permissions",
    							"Effect": "Allow",
    							"Principal": {
    								"AWS": [
    									"arn:aws:iam::123123123123:root",
    									"arn:aws:iam::123456789012:root"
    								]
    							},
    							"Action": "kms:*",
    							"Resource": "*"
    						},
    						{
    							"Sid": "Allow access for Key Administrators",
    							"Effect": "Allow",
    							"Principal": {
    								"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
    							},
    							"Action": [
    								"kms:Create*",
    								"kms:Describe*",
    								"kms:Enable*",
    								"kms:List*",
    								"kms:Put*",
    								"kms:Update*",
    								"kms:Revoke*",
    								"kms:Disable*",
    								"kms:Get*",
    								"kms:Delete*",
    								"kms:TagResource",
    								"kms:UntagResource",
    								"kms:ScheduleKeyDeletion",
    								"kms:CancelKeyDeletion"
    							],
    							"Resource": "*"
    						},
    						{
    							"Sid": "Allow use of the key",
    							"Effect": "Allow",
    							"Principal": {
    								"AWS": [
    									"arn:aws:iam::123456789012:user/cloud-resource-manager"
    								]
    							},
    							"Action": [
    								"kms:Encrypt",
    								"kms:Decrypt",
    								"kms:ReEncrypt*",
    								"kms:GenerateDataKey*",
    								"kms:DescribeKey"
    							],
    							"Resource": "*"
    						},
    						{
    							"Sid": "Allow attachment of persistent resources",
    							"Effect": "Allow",
    							"Principal": {
    								"AWS": [
    									"arn:aws:iam::123456789012:user/cloud-resource-manager"
    								]
    							},
    							"Action": [
    								"kms:CreateGrant",
    								"kms:ListGrants",
    								"kms:RevokeGrant"
    							],
    							"Resource": "*"
    						}
    					]
    				}
    			}
    		},
    		"KMSKEYAlias": {
    			"Type": "AWS::KMS::Alias",
    			"Properties": {
    				"AliasName": "alias/CrossAccountKMSKey",
    				"TargetKeyId": {
    					"Ref": "KMSKEY"
    				}
    			}
    		}
    	}
    }
    
  2. CloudFormation template (YAML):

    AWSTemplateFormatVersion: '2010-09-09'
    Resources:
      KMSKEY:
        Type: AWS::KMS::Key
        Properties:
          Enabled: true
          KeySpec: SYMMETRIC_DEFAULT
          KeyUsage: ENCRYPT_DECRYPT
          Description: Cross-Account Amazon KMS Customer Master Key
          KeyPolicy:
            Version: '2012-10-17'
            Statement:
              - Sid: Enable IAM User Permissions
                Effect: Allow
                Principal:
                  AWS:
                    - arn:aws:iam::123123123123:root
                    - arn:aws:iam::123456789012:root
                Action: kms:*
                Resource: '*'
              - Sid: Allow access for Key Administrators
                Effect: Allow
                Principal:
                  AWS: arn:aws:iam::123456789012:user/kms-key-admin
                Action:
                  - kms:Create*
                  - kms:Describe*
                  - kms:Enable*
                  - kms:List*
                  - kms:Put*
                  - kms:Update*
                  - kms:Revoke*
                  - kms:Disable*
                  - kms:Get*
                  - kms:Delete*
                  - kms:TagResource
                  - kms:UntagResource
                  - kms:ScheduleKeyDeletion
                  - kms:CancelKeyDeletion
                Resource: '*'
              - Sid: Allow use of the key
                Effect: Allow
                Principal:
                  AWS:
                    - arn:aws:iam::123456789012:user/cloud-resource-manager
                Action:
                  - kms:Encrypt
                  - kms:Decrypt
                  - kms:ReEncrypt*
                  - kms:GenerateDataKey*
                  - kms:DescribeKey
                Resource: '*'
              - Sid: Allow attachment of persistent resources
                Effect: Allow
                Principal:
                  AWS:
                    - arn:aws:iam::123456789012:user/cloud-resource-manager
                Action:
                  - kms:CreateGrant
                  - kms:ListGrants
                  - kms:RevokeGrant
                Resource: '*'
      KMSKEYAlias:
        Type: AWS::KMS::Alias
        Properties:
          AliasName: alias/CrossAccountKMSKey
          TargetKeyId: !Ref 'KMSKEY'
    

Using Terraform (AWS Provider)

  1. Terraform configuration file (.tf):

    terraform {
    	required_providers {
    		aws = {
    			source  = "hashicorp/aws"
    			version = "~> 4.0"
    		}
    	}
    
    	required_version = ">= 0.14.9"
    }
    
    provider "aws" {
    	profile = "default"
    	region  = "us-east-1"
    }
    
    resource "aws_kms_key" "kms-key" {
    	is_enabled               = true
    	customer_master_key_spec = "SYMMETRIC_DEFAULT"
    	key_usage                = "ENCRYPT_DECRYPT"
    	description              = "Cross-Account Amazon KMS Customer Master Key"
    
    	policy = <<-EOF
    	{
    		"Version": "2012-10-17",
    		"Statement": [
    			{
    				"Sid": "Enable IAM User Permissions",
    				"Effect": "Allow",
    				"Principal": {
    					"AWS": [
    						"arn:aws:iam::123123123123:root",
    						"arn:aws:iam::123456789012:root"
    					]
    				},
    				"Action": "kms:*",
    				"Resource": "*"
    			},
    			{
    				"Sid": "Allow access for Key Administrators",
    				"Effect": "Allow",
    				"Principal": {
    					"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
    				},
    				"Action": [
    					"kms:Create*",
    					"kms:Describe*",
    					"kms:Enable*",
    					"kms:List*",
    					"kms:Put*",
    					"kms:Update*",
    					"kms:Revoke*",
    					"kms:Disable*",
    					"kms:Get*",
    					"kms:Delete*",
    					"kms:TagResource",
    					"kms:UntagResource",
    					"kms:ScheduleKeyDeletion",
    					"kms:CancelKeyDeletion"
    				],
    				"Resource": "*"
    			},
    			{
    				"Sid": "Allow use of the key",
    				"Effect": "Allow",
    				"Principal": {
    					"AWS": [
    						"arn:aws:iam::123456789012:user/cloud-resource-manager"
    					]
    				},
    				"Action": [
    					"kms:Encrypt",
    					"kms:Decrypt",
    					"kms:ReEncrypt*",
    					"kms:GenerateDataKey*",
    					"kms:DescribeKey"
    				],
    				"Resource": "*"
    			},
    			{
    				"Sid": "Allow attachment of persistent resources",
    				"Effect": "Allow",
    				"Principal": {
    					"AWS": [
    						"arn:aws:iam::123456789012:user/cloud-resource-manager"
    					]
    				},
    				"Action": [
    					"kms:CreateGrant",
    					"kms:ListGrants",
    					"kms:RevokeGrant"
    				],
    				"Resource": "*"
    			}
    		]
    	}
    	EOF
    }
    
    resource "aws_kms_alias" "kms-key-alias" {
    	target_key_id = aws_kms_key.kms-key.key_id
    	name          = "alias/CrossAccountKMSKey"
    }
    

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

  3. In the navigation panel, under Key Management Service (KMS), choose Customer managed keys.

  4. Click on the name (alias) of the customer-managed Customer Master Key (CMK) that you want to reconfigure.

  5. Select the Key policy tab from the console bottom panel to view the access policy defined for the selected key.

  6. In the Other AWS accounts section, choose Add other AWS accounts to specify the AWS accounts that can use the selected key.

  7. Inside the Other AWS accounts configuration box, choose Remove to delete each unauthorized (untrusted) AWS account from the key policy, and choose Add other AWS account to add the trusted AWS account(s) that can use the selected key, defined in the rule settings, on your TrendAI Vision One™ Cloud Risk Management Dashboard. Choose Save changes to apply the policy changes.

  8. Repeat steps no. 4 – 7 for each Customer Master Key (CMK) that you want to reconfigure, available within the current AWS region.

  9. Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

  1. Edit your Customer Master Key access policy and replace the untrusted AWS accounts with the trusted ones defined in the rule settings in your Cloud Risk Management Dashboard. Save the updated policy document to a JSON file named cmk-cross-account-access-policy.json. The following example contains a key policy that allows another (trusted) AWS account, identified by the ARN "arn:aws:iam::111222333444:root", to use the selected master key:

    {
    	"Id": "key-consolepolicy-5",
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Sid": "Enable IAM User Permissions",
    			"Effect": "Allow",
    			"Principal": {
    				"AWS": "arn:aws:iam::123456789012:root"
    			},
    			"Action": "kms:*",
    			"Resource": "*"
    		},
    		{
    			"Sid": "Allow access for Key Administrators",
    			"Effect": "Allow",
    			"Principal": {
    				"AWS": "arn:aws:iam::123456789012:user/kms-admin"
    			},
    			"Action": [
    				"kms:Create*",
    				"kms:Describe*",
    				"kms:Enable*",
    				"kms:List*",
    				"kms:Put*",
    				"kms:Update*",
    				"kms:Revoke*",
    				"kms:Disable*",
    				"kms:Get*",
    				"kms:Delete*",
    				"kms:TagResource",
    				"kms:UntagResource",
    				"kms:ScheduleKeyDeletion",
    				"kms:CancelKeyDeletion"
    			],
    			"Resource": "*"
    		},
    		{
    			"Sid": "Allow use of the key",
    			"Effect": "Allow",
    			"Principal": {
    				"AWS": [
    					"arn:aws:iam::123456789012:user/ec2-manager",
    					"arn:aws:iam::111222333444:root"
    				]
    			},
    			"Action": [
    				"kms:Encrypt",
    				"kms:Decrypt",
    				"kms:ReEncrypt*",
    				"kms:GenerateDataKey*",
    				"kms:DescribeKey"
    			],
    			"Resource": "*"
    		},
    		{
    			"Sid": "Allow attachment of persistent resources",
    			"Effect": "Allow",
    			"Principal": {
    				"AWS": [
    					"arn:aws:iam::123456789012:user/ec2-manager",
    					"arn:aws:iam::111222333444:root"
    				]
    			},
    			"Action": [
    				"kms:CreateGrant",
    				"kms:ListGrants",
    				"kms:RevokeGrant"
    			],
    			"Resource": "*"
    		}
    	]
    }
    
  2. Run put-key-policy command (OSX/Linux/UNIX) using the ID of the Customer Master Key (CMK) that you want to reconfigure as the identifier parameter, to replace the existing key policy with the one redefined at the previous step, i.e. cmk-cross-account-access-policy.json (the command does not produce an output):

    aws kms put-key-policy \
      --region us-east-1 \
      --key-id aaaabbbb-aaaa-bbbb-cccc-123456789012 \
      --policy-name default \
      --policy file://cmk-cross-account-access-policy.json
    
  3. Repeat steps no. 1 and 2 for each Amazon KMS Customer Master Key (CMK) that you want to reconfigure, available in the selected AWS region.

  4. Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
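The comparison performed in steps 3 to 5 of the CLI Audit and the policy rewrite in step 1 of the CLI Remediation can be scripted. The Python below is an added example written for this page; it is not code from the original page, from Trend Micro, or from the product. It works on a key policy held as a JSON string, exactly the document that get-key-policy returns and put-key-policy consumes. OWN_ACCOUNT, TRUSTED_ACCOUNTS and SAMPLE_POLICY are constructed values (the sample mirrors the non-compliant policy shown in the Audit section, where account 123412341234 is granted use of the key); the function names are this example's own. The check attributes each principal to its account ID, so a foreign user or role ARN counts as that account, and the trusted list may hold bare IDs or ARNs as the rule settings allow. A bare "Principal": "*" is flagged but not rewritten, because such statements normally depend on a Condition that must be reviewed by hand.

```python
"""Audit and rewrite the cross-account principals of a KMS key policy.

Constructed example for the KMS-006 procedure; not the page's or the product's
own code. Function names, OWN_ACCOUNT, TRUSTED_ACCOUNTS and SAMPLE_POLICY are
assumptions of this example.
"""
import copy
import json
import re

OWN_ACCOUNT = "123456789012"          # constructed: the account that owns the key
TRUSTED_ACCOUNTS = {"111222333444"}    # constructed: trusted list from the rule settings

# Constructed sample modelled on the policy in the Audit section: account
# 123412341234 is granted use of the key but is not in TRUSTED_ACCOUNTS.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:user/ec2-manager",
                               "arn:aws:iam::123412341234:root"]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
})

# IAM and STS principal ARNs carry the owning account ID in the fifth field.
_ARN_ACCOUNT = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):")


def account_of(principal):
    """12-digit account ID behind a principal string, "*" for the wildcard,
    or None when it is not an AWS account principal (e.g. a Service entry)."""
    if principal == "*":
        return "*"
    if re.fullmatch(r"\d{12}", principal):  # bare account ID form
        return principal
    match = _ARN_ACCOUNT.match(principal)
    return match.group(1) if match else None


def aws_principals(statement):
    """Flatten the Principal element of one statement into a list of strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def _is_trusted(principal, own_account, trusted):
    """Acceptable: not an account principal, the key owner, or a trusted account.
    The wildcard "*" is never acceptable."""
    account = account_of(principal)
    return account is None or account == own_account or account in trusted


def untrusted_principals(policy_json, own_account, trusted_accounts):
    """Audit: (Sid, principal) pairs of Allow statements that grant access to an
    account outside own_account and trusted_accounts. Deny statements never
    grant access and are skipped."""
    trusted = {account_of(t) for t in trusted_accounts}
    findings = []
    for statement in json.loads(policy_json).get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        for principal in aws_principals(statement):
            if not _is_trusted(principal, own_account, trusted):
                findings.append((statement.get("Sid", ""), principal))
    return findings


def remove_untrusted(policy_json, own_account, trusted_accounts):
    """Remediation: new policy JSON with untrusted entries dropped from each
    Allow statement's Principal.AWS list. A statement left with no principal at
    all is removed; a bare "Principal": "*" is left for manual review."""
    trusted = {account_of(t) for t in trusted_accounts}
    policy = json.loads(policy_json)
    kept_statements = []
    for statement in policy.get("Statement", []):
        statement = copy.deepcopy(statement)
        principal = statement.get("Principal")
        if (statement.get("Effect") == "Allow" and isinstance(principal, dict)
                and "AWS" in principal):
            kept = [p for p in aws_principals(statement)
                    if _is_trusted(p, own_account, trusted)]
            if kept:
                principal["AWS"] = kept
            else:
                del principal["AWS"]
                if not principal:  # no Service/Federated entry either: drop it
                    continue
        kept_statements.append(statement)
    policy["Statement"] = kept_statements
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    for sid, principal in untrusted_principals(SAMPLE_POLICY, OWN_ACCOUNT, TRUSTED_ACCOUNTS):
        print(f"untrusted principal in statement '{sid}': {principal}")
    print(remove_untrusted(SAMPLE_POLICY, OWN_ACCOUNT, TRUSTED_ACCOUNTS))
```

To apply this to a live key, pass the text returned by the get-key-policy command from the Audit section to untrusted_principals, and write the string returned by remove_untrusted to cmk-cross-account-access-policy.json for the put-key-policy command above. Two points matter when deciding what belongs in the trusted list: the foreign account's own IAM policies further narrow what its identities can do with the key, so the key policy is only the outer boundary; and a statement that grants kms:* to a foreign account root, as the "Enable IAM User Permissions" statement in the templates above does, lets that account's administrators delegate the full permission set, so both the trusted accounts and the actions granted to them deserve review.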

Publication date Dec 23, 2016