Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Data Encryption with KMS Customer Master Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: AppFlow-001

Ensure that your Amazon AppFlow flows are encrypted using customer-managed Customer Master Keys (CMKs) in order to put you in full control over your encrypted data, and meet security and compliance requirements. A Customer Master Key (CMK) is managed by Amazon KMS service and represents a logical representation of a symmetric master key. The CMK includes metadata, such as the key ID, creation date, description, and key state. The KMS CMK also contains the key material used to encrypt and decrypt data.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Amazon AppFlow is a fully managed integration service that lets you securely transfer data between Software-as-a-Service (SaaS) applications and AWS cloud services. Amazon AppFlow encrypts your access tokens, secret keys, and data at rest. The flow data is encrypted by default using an AWS-managed encryption key. This meets general security requirements as it protects your data at rest. However, if you have strict compliance requirements for data encryption or your applications store and process sensitive or confidential data, you may need to create your own master key. With Amazon KMS, you can choose to use your own managed Customer Master Key (CMK) to encrypt your Amazon AppFlow flow data at rest.


Audit

To determine the encryption status and configuration for your Amazon AppFlow flows, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon AppFlow console at https://console.aws.amazon.com/appflow/.

03 In the navigation panel, under Amazon AppFlow, select Flows.

04 Click on the name (link) of the flow that you want to examine.

05 In the Flow details section, check the AWS KMS key attribute value to determine the type of the encryption implemented for the selected AWS resource. If the AWS KMS key attribute value is set to AWS managed key, the data managed by the selected Amazon AppFlow flow is not encrypted using a customer-managed Customer Master Key (CMK).

06 Repeat steps no. 4 and 5 to determine the encryption type and configuration for other Amazon AppFlow flows available within the current region.

07 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-flows command (OSX/Linux/UNIX) to list the names of all the Amazon AppFlow flows created in the selected AWS cloud region:

aws appflow list-flows
  --region us-east-1
  --max-results 50
  --output table
  --query "flows[*].flowName"

02 The command output should return a table with the requested identities (names):

---------------------------
|        ListFlows        |
+-------------------------+
|  cc-project5-app-flow   |
|  cc-analytics-app-flow  |
+-------------------------+

03 Run describe-flow command (OSX/Linux/UNIX) using the name of the Amazon AppFlow flow that you want to examine as the identifier parameter and custom query filters to describe the Amazon Resource Name (ARN) of the KMS key used to encrypt the selected flow:

aws appflow describe-flow
  --region us-east-1
  --flow-name cc-project5-app-flow
  --query "kmsArn"

04 The command output should be the requested Amazon Resource Name (ARN):

"arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"

05 Run describe-key command (OSX/Linux/UNIX) using the ARN of the KMS key returned at the previous step as the identifier parameter and custom query filters to describe manager of the specified key:

aws kms describe-key
  --region us-east-1
  --key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd
  --query 'KeyMetadata.KeyManager'

06 The command output should be the encryption key manager ("AWS" if the default key is AWS-managed and "CUSTOMER" if the key is customer-managed):

"AWS"

If the describe-key command output returns "AWS", as shown in the example above, the data managed by the selected Amazon AppFlow flow is not encrypted using a customer-managed Customer Master Key (CMK).

07 Repeat steps no. 3 – 6 to determine the encryption type and configuration for other Amazon AppFlow flows available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the entire audit process for other regions.

Remediation / Resolution

To encrypt your Amazon AppFlow flows using customer-managed Customer Master Keys (CMKs), you have to re-create your AppFlow flows with the appropriate encryption type by performing the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 To create your own KMS Customer Master Key (CMK), navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the left navigation panel, click Customer managed keys.

04 Select the appropriate AWS region from the navigation bar (must match the region where your non-compliant AppFlow flow was created).

05 Click Create Key button from the dashboard top menu to initiate the setup process.

06 For Step 1 Configure key, choose Symmetric from the Key type section, and select KMS for the Key material origin, available under Advanced options. Click Next to continue.

07 For Step 2 Add labels, provide a unique name (alias) and a short description for your new KMS CMK, then use the Add tag button to create any required tag sets (optional). Click Next to continue the setup process.

08 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK through the KMS API. You may need to add additional permissions for the users or roles to administer the key from the AWS console. Click Next to continue.

09 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new Customer Master Key (CMK) for cryptographic operations.
(Optional) In the Other AWS accounts section, click Add another AWS account and enter an external account ID in order to specify another AWS account that can use this KMS CMK to encrypt and decrypt your AppFlow flows. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Click Next to continue the process.

10 For Step 5 Review and edit key policy, review the key policy, then click Finish to create your new KMS Customer Master Key (CMK). Once the key is successfully created, the KMS console will display the following confirmation message: "Success. Your customer master key was created with alias key-alias and key ID key-id".

11 Navigate to Amazon AppFlow console at https://console.aws.amazon.com/appflow/.

12 In the navigation panel, under Amazon AppFlow, select Flows.

13 Click on the name of the flow that you want to re-create (i.e. source flow) and note all the required configuration information.

14 Navigate back to the Flows page and click on the Create flow button to initiate the setup process.

15 On the Create flow page, perform the following actions, based on the configuration information collected at step no. 13 from the source flow:

  1. On the Specify flow details panel, provide the following details:
    • Provide a unique name for your new data flow in the Flow name box.
    • (Optional) Provide a short description in the Flow description box.
    • Select the Customize encryption settings (advanced) checkbox available under Data encryption to enable CMK-based encryption for the selected flow. Select the identifier (ID) of the newly created customer-managed Customer Master Key (CMK) from the Choose an AWS KMS key dropdown list. This CMK will be used for flow data encryption at rest instead of the default AWS managed key.
    • (Optional) Use the Add tag button to create key-value pairs to tag your new flow.
    • Choose Next to continue.
  2. On the Configure flow panel, configure your data source and destination, and how to trigger the flow:
    • For Source details, select the source and provide the requested information.
    • For Destination details, select the destination and provide the requested information about the location.
    • For Flow trigger, choose how to trigger the flow. You can choose between Run on demand, Run flow on schedule, and Run flow on event.
    • Choose Next to continue.
  3. On the Map data fields panel, map the fields in the source objects to fields in the destination:
    • For Mapping method, choose how to map the fields and complete the field mapping.
    • (Optional) To add a formula that concatenates fields, select two fields from the Mapped fields section and choose Add formula.
    • (Optional) To mask or truncate field values, select one or more fields from the Mapped fields and choose Modify values.
    • (Optional) For Validations, add validations to check whether a field has bad data. For each field, choose the condition that indicates bad data and what action Amazon AppFlow service should take when a field in a record is bad.
    • Choose Next to continue the setup process.
  4. On the Add filters panel, specify a filter to determine which records to transfer. Amazon AppFlow enables you to filter data fields by adding multiple filters and by adding criteria to a filter. To add a filter, choose Add filter, select the field name, choose a condition, and then specify the criteria. To remove a filter, choose Remove next to the filter. Choose Next to continue.
  5. On the Review and create panel, review the configuration information for your new flow, then choose Create flow to deploy your compliant Amazon AppFlow flow.

16 (Optional) You can delete the non-compliant (source) flow in order to stop incurring charges for it. To remove the non-compliant Amazon AppFlow flow from your AWS account, perform the following actions:

  1. Select the non-compliant AppFlow flow that you want to remove.
  2. Click on the Delete button from the console top menu to initiate the removal process.
  3. Inside the Delete flow-name confirmation box, enter delete, then choose Delete.

17 Repeat steps no. 13 – 16 for each non-compliant Amazon AppFlow flow.

18 Change the AWS cloud region from the navigation bar to repeat the remediation process for the other regions.

Using AWS CLI

01 Define the policy that enables the selected IAM users and/or roles to manage the new Customer Master Key (CMK), and to encrypt/decrypt your AppFlow flow data using the AWS KMS API. Create a new policy document (JSON format), name the file app-flow-cmk-policy.json, and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own cloud environment details):

{
  "Id": "ecr-image-cmk-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AmazonAFManager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AmazonAFAdmin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AmazonAFAdmin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. app-flow-cmk-policy.json) as value for the --policy parameter, to create your new customer-managed Customer Master Key (CMK):

aws kms create-key
  --region us-east-1
  --description 'Amazon KMS CMK for encrypting AppFlow data'
  --policy file://app-flow-cmk-policy.json
  --query 'KeyMetadata.Arn'

03 The command output should return the ARN of the new AWS KMS Customer Master Key:

"arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):

aws kms create-alias
  --region us-east-1
  --alias-name alias/AppFlowCMK
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd

05 Run describe-flow command (OSX/Linux/UNIX) using the name of the Amazon AppFlow flow that you want to re-create as the identifier parameter, to describe the configuration metadata available the selected flow:

aws appflow describe-flow
  --region us-east-1
  --flow-name cc-project5-app-flow

06 The command output should be the requested configuration information:

{
  "flowArn": "arn:aws:appflow:us-east-1:123456789012:flow/cc-project5-app-flow",
  "flowName": "cc-project5-app-flow",
  "kmsArn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd",
  "flowStatus": "Active",
  "sourceFlowConfig": {
    "connectorType": "S3",
    "sourceConnectorProperties": {
      "S3": {
        "bucketName": "cc-project5-logs-bucket",
        "bucketPrefix": "logs"
      }
    }
  },

  ...

  "destinationFlowConfigList": [
    {
      "connectorType": "S3",
      "destinationConnectorProperties": {
        "S3": {
          "bucketName": "cc-project5-export-data",
          "s3OutputFormatConfig": {
            "fileType": "JSON",
            "prefixConfig": {},
            "aggregationConfig": {
              "aggregationType": "None"
            }
          }
        }
      }
    }
  ],
  "createdAt": "2021-02-02T12:00:00.000000+00:00",
  "lastUpdatedAt": "2021-02-02T12:00:00.000000+00:00",
  "createdBy": "arn:aws:iam::123456789012:root",
  "lastUpdatedBy": "arn:aws:iam::123456789012:root"
}

07 Run create-flow command (OSX/Linux/UNIX) to create a new, compliant Amazon AppFlow flow, based on the configuration information collected at step no. 6 from the source flow. Use the --kms-arn command parameter to specify your new customer-managed Customer Master Key (CMK):

aws appflow create-flow
  --region us-east-1
  --flow-name cc-project5-new-app-flow
  --kms-arn arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd
  --trigger-config triggerType=OnDemand
  --source-flow-config connectorType=S3,sourceConnectorProperties={S3={bucketName=cc-project5-logs-bucket,bucketPrefix=logs}}
  --destination-flow-config-list connectorType=S3,destinationConnectorProperties={S3={bucketName=cc-project5-export-data}}
  --tasks sourceFields=ResourceID,connectorOperator={S3=PROJECTION},destinationField=ResourceID,taskType=Map

08 The command output should return the ARN of your new Amazon AppFlow flow:

{
  "arn:aws:appflow:us-east-1:123456789012:flow/cc-project5-new-app-flow"
}

09 (Optional) Now you can delete the non-compliant flow in order to stop incurring charges for it. To remove the non-compliant Amazon AppFlow flow from your AWS cloud account, run delete-flow command (OSX/Linux/UNIX) using the name of the non-compliant (source) flow that you want to delete as the identifier parameter (the command does not produce an output):

aws appflow delete-flow
  --region us-east-1
  --flow-name cc-project5-app-flow

10 Repeat steps no. 5 – 9 for each non-compliant Amazon AppFlow flow.

11 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 10 to perform the entire remediation process for other regions.

References

Publication date Feb 6, 2021