
Use Customer Master Keys for EBS Default Encryption

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your new Amazon EBS volumes (and copies of their snapshots) are always encrypted with customer-managed Customer Master Keys (CMKs) in order to have complete control over the data encryption/decryption process and to meet security and compliance requirements. A Customer Master Key (CMK) is managed by Amazon Key Management Service (KMS) and is a logical representation of a symmetric master key. The CMK includes metadata, such as the key ID, creation date, description, and key state, and it also contains the key material used to encrypt and decrypt data.

Security

When the Encryption by Default feature is enabled, all new Amazon EBS volumes and copies of snapshots created in the specified region(s) are encrypted by default using an AWS-managed key (the default master key that protects EBS data when no other key is defined). This meets general security requirements, as it protects your data at rest. However, if you have strict compliance requirements for data encryption, or your applications store and process sensitive or confidential data, you may need to create your own master key. With Amazon KMS, you can choose to create and use your own Customer Master Key to encrypt your data at rest. This gives you the ability to support PCI-DSS compliance requirements for separate authentication of storage and cryptography, provides KMS-based control of your key material, and allows you to audit the encryption and decryption of your Amazon EBS volume data.

Note: This conformity rule assumes that Encryption by Default is already enabled within your AWS account attributes settings.


Audit

To determine the type of the default encryption key configured for your new Amazon EBS volumes, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 Select the AWS cloud region that you want to access from the console navigation bar.

04 In the Account attributes section, under Settings, choose EBS encryption to access the EBS configuration settings available for the EBS volumes within the selected AWS region.

05 On the Settings page, select the EBS encryption tab, and copy the Amazon Resource Name (ARN) of the Default encryption key used to encrypt your new Amazon EBS volumes within the current AWS region.

06 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

07 In the navigation panel, choose AWS managed keys, paste the encryption key ARN copied at step no. 5 in the filter box, and press Enter. If an AWS-managed key (i.e. aws/ebs key) is returned as result, the Encryption by Default feature is using an AWS-managed key instead of a customer-managed Customer Master Key (CMK) to encrypt your new Amazon EBS volumes within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the audit process for other AWS regions.

Using AWS CLI

01 Run the get-ebs-default-kms-key-id command (OSX/Linux/UNIX) with custom query filters to get the Amazon Resource Name (ARN) of the default encryption key used to encrypt your new Amazon EBS volumes in the selected AWS region:

aws ec2 get-ebs-default-kms-key-id \
  --region us-east-1 \
  --query 'KmsKeyId'

02 The command output should return the Amazon Resource Name (ARN) of the requested resource:

"arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"

03 Run the describe-key command (OSX/Linux/UNIX) using the ARN of the default encryption key returned at the previous step as the identifier parameter, with custom query filters to return the manager of the specified key:

aws kms describe-key \
  --region us-east-1 \
  --key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd \
  --query 'KeyMetadata.KeyManager'

04 The command output should return the encryption key manager ("AWS" if the default key is AWS-managed, "CUSTOMER" if the key is customer-managed):

"AWS"

If the describe-key command output returns "AWS", as shown in the example above, the Encryption by Default feature is using an AWS-managed key instead of a customer-managed Customer Master Key (CMK) to encrypt your new Amazon EBS volumes in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the entire audit process for other AWS regions.
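The CLI audit above has to be repeated region by region. The following script is an added example (it is not part of the Conformity rule or of Trend Micro's tooling) that automates the same two API calls, get-ebs-default-kms-key-id and describe-key, with boto3 for every region enabled in the account. The decision logic is kept in evaluate_region(), which only needs objects with the same method names as the boto3 EC2/KMS clients, so the constructed sample responses at the bottom exercise it without credentials. Two assumptions are labelled in the code: that a region still on the AWS-managed key may report it as the alias "alias/aws/ebs" rather than an ARN, and that a compliant default key must also be in the Enabled state.

```python
"""Multi-region audit of the EBS Encryption by Default key (added example)."""
from dataclasses import dataclass


@dataclass
class RegionFinding:
    region: str
    encryption_by_default: bool
    kms_key_id: str
    key_manager: str  # "AWS", "CUSTOMER", or "" when the key could not be described
    key_state: str
    compliant: bool


def evaluate_region(region, ec2, kms):
    """Apply the rule's audit logic to one region.

    Compliant means: Encryption by Default is on, the default key is
    CUSTOMER-managed and the key is Enabled (assumption: a disabled CMK would
    make every new volume creation fail, which KeyManager alone does not show).
    """
    enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    key_id = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]

    # Assumption: regions using the AWS-managed key may report it as the alias
    # "alias/aws/ebs"; that alias may not exist yet in an unused region, so
    # classify it without calling describe-key.
    if key_id.startswith("alias/aws/"):
        manager, state = "AWS", "Enabled"
    else:
        try:
            meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
            manager, state = meta.get("KeyManager", ""), meta.get("KeyState", "")
        except Exception:  # e.g. NotFoundException or an access-denied error
            manager, state = "", ""

    compliant = enabled and manager == "CUSTOMER" and state == "Enabled"
    return RegionFinding(region, enabled, key_id, manager, state, compliant)


def audit_account(session):
    """Run evaluate_region() for every enabled region (real boto3 session)."""
    ec2 = session.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    return [evaluate_region(r, session.client("ec2", region_name=r),
                            session.client("kms", region_name=r)) for r in regions]


# --- Constructed sample responses (placeholder account, not real data) -------
class _FakeEC2:
    def __init__(self, enabled, key_id):
        self._enabled, self._key_id = enabled, key_id

    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self._enabled}

    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self._key_id}


class _FakeKMS:
    def __init__(self, keys):
        self._keys = keys  # key ARN -> (KeyManager, KeyState)

    def describe_key(self, KeyId):
        if KeyId not in self._keys:
            raise RuntimeError("NotFoundException")
        manager, state = self._keys[KeyId]
        return {"KeyMetadata": {"Arn": KeyId, "KeyManager": manager, "KeyState": state}}


CMK = "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
AWS_KEY = "arn:aws:kms:eu-west-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"
SAMPLE = {
    "us-east-1": (_FakeEC2(True, CMK), _FakeKMS({CMK: ("CUSTOMER", "Enabled")})),
    "eu-west-1": (_FakeEC2(True, AWS_KEY), _FakeKMS({AWS_KEY: ("AWS", "Enabled")})),
    "ap-south-1": (_FakeEC2(False, "alias/aws/ebs"), _FakeKMS({})),
    "eu-central-1": (_FakeEC2(True, CMK), _FakeKMS({CMK: ("CUSTOMER", "Disabled")})),
}


def run_demo():
    """Evaluate the constructed sample account; returns region -> RegionFinding."""
    return {r: evaluate_region(r, ec2, kms) for r, (ec2, kms) in SAMPLE.items()}


if __name__ == "__main__":
    try:
        import boto3
        findings = audit_account(boto3.Session())
    except ImportError:  # no boto3 installed: show the constructed sample instead
        findings = run_demo().values()
    for f in findings:
        print(f"{f.region:14} default={str(f.encryption_by_default):5} "
              f"manager={f.key_manager or '?':8} state={f.key_state or '?':8} "
              f"{'OK' if f.compliant else 'NON-COMPLIANT'}")
```

Run with credentials that hold ec2:DescribeRegions, ec2:GetEbsEncryptionByDefault, ec2:GetEbsDefaultKmsKeyId and kms:DescribeKey; a region whose default key cannot be described is reported as non-compliant rather than skipped, so a permissions gap does not masquerade as a pass.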

Remediation / Resolution

To enable encryption by default for your new Amazon EBS volumes using customer-managed Customer Master Keys (CMKs), perform the following actions:

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0" 
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_kms_key" "kms-key" {
	is_enabled               = true
	customer_master_key_spec = "SYMMETRIC_DEFAULT"
	key_usage                = "ENCRYPT_DECRYPT"
	description              = "KMS Customer Master Key (CMK)"
	policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Sid": "Enable IAM User Permissions",
				"Effect": "Allow",
				"Principal": {
					"AWS": "arn:aws:iam::123456789012:root"
				},
				"Action": "kms:*",
				"Resource": "*"
			},
			{
				"Sid": "Allow access for Key Administrators",
				"Effect": "Allow",
				"Principal": {
					"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
				},
				"Action": [
					"kms:Create*",
					"kms:Describe*",
					"kms:Enable*",
					"kms:List*",
					"kms:Put*",
					"kms:Update*",
					"kms:Revoke*",
					"kms:Disable*",
					"kms:Get*",
					"kms:Delete*",
					"kms:TagResource",
					"kms:UntagResource",
					"kms:ScheduleKeyDeletion",
					"kms:CancelKeyDeletion"
				],
				"Resource": "*"
			},
			{
				"Sid": "Allow use of the key",
				"Effect": "Allow",
				"Principal": {
					"AWS": [
						"arn:aws:iam::123456789012:user/cloud-resource-manager"
					]
				},
				"Action": [
					"kms:Encrypt",
					"kms:Decrypt",
					"kms:ReEncrypt*",
					"kms:GenerateDataKey*",
					"kms:DescribeKey"
				],
				"Resource": "*"
			},
			{
				"Sid": "Allow attachment of persistent resources",
				"Effect": "Allow",
				"Principal": {
					"AWS": [
						"arn:aws:iam::123456789012:user/cloud-resource-manager"
					]
				},
				"Action": [
					"kms:CreateGrant",
					"kms:ListGrants",
					"kms:RevokeGrant"
				],
				"Resource": "*"
			}
		]
	}
	EOF
}

resource "aws_kms_alias" "kms-key-alias" {
	target_key_id = aws_kms_key.kms-key.key_id
	name          = "alias/CustomKMSKey"
}

resource "aws_ebs_encryption_by_default" "default-ebs-volume-encryption" {
	enabled = true
}

resource "aws_ebs_default_kms_key" "ebs-default-kms-key" {
	key_arn = aws_kms_key.kms-key.arn
}

Using AWS Console

01 Sign in to AWS Management Console.

02 To create your customer-managed Customer Master Key (CMK), navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the left navigation panel, click Customer managed keys.

04 Select the appropriate AWS region from the navigation bar (must match the region where the Encryption by Default feature is reconfigured).

05 Click Create Key button from the dashboard top menu to initiate the setup process.

06 For Step 1 Configure key, choose Symmetric from the Key type section, and select KMS for the Key material origin, available under Advanced options. Click Next to continue.

07 For Step 2 Add labels, provide a unique name (alias) and a short description for your new KMS CMK, then use the Add tag button to create any required tag sets (optional). Click Next to continue the setup process.

08 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK through the KMS API. You may need to add additional permissions for the users or roles to administer the key from the AWS console. Click Next to continue.

09 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new Customer Master Key (CMK) for cryptographic operations. (Optional) In the Other AWS accounts section, click Add another AWS account and enter an external account ID in order to specify another AWS account that can use this KMS CMK to encrypt your Amazon EBS volumes. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Click Next to continue the process.

10 For Step 5 Review and edit key policy, review the key policy, then click Finish to create your new KMS Customer Master Key (CMK). Once the key is successfully created, the KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".

11 Click on the alias of the newly created Amazon KMS Customer Master Key and copy the key ARN, listed in the General configuration section.

12 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

13 Select the AWS cloud region that you want to access from the console navigation bar.

14 In the Account attributes section, under Settings, choose EBS encryption to access the EBS configuration settings available for the EBS volumes in the selected AWS region.

15 On the Settings page, select the EBS encryption tab, and click on the Manage button to modify the Encryption by Default feature settings.

16 On the Modify EBS encryption page, make sure that the Enable checkbox is selected under Always encrypt new EBS volumes, and replace the encryption key ARN available inside the Default encryption key configuration box with the Customer Master Key ARN copied at step no. 11. Choose Update EBS encryption to save the configuration changes. After you reconfigure the Encryption by Default feature, the new Amazon EBS volumes that you create are always encrypted with the customer-managed Customer Master Key (CMK) that you have specified.

17 Change the AWS cloud region from the console navigation bar and repeat the remediation/resolution process for other AWS regions.

Using AWS CLI

01 Define the policy that enables the selected IAM users and/or roles to manage the new Customer Master Key (CMK), and to encrypt/decrypt your Amazon EBS volumes using the AWS KMS API. Create a new policy document (JSON format), name the file ebs-default-encryption-cmk-policy.json, and paste the following content (replace the placeholder details, i.e. the account ID and the ARNs for the IAM users and/or roles, with your own cloud environment details):

{
	"Id": "ebs-default-encryption-cmk-policy",
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Enable IAM User Permissions",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::123456789012:root"
			},
			"Action": "kms:*",
			"Resource": "*"
		},
		{
			"Sid": "Allow access for Key Administrators",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::123456789012:role/AmazonEBSManager"
			},
			"Action": [
				"kms:Create*",
				"kms:Describe*",
				"kms:Enable*",
				"kms:List*",
				"kms:Put*",
				"kms:Update*",
				"kms:Revoke*",
				"kms:Disable*",
				"kms:Get*",
				"kms:Delete*",
				"kms:TagResource",
				"kms:UntagResource",
				"kms:ScheduleKeyDeletion",
				"kms:CancelKeyDeletion"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow use of the key",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::123456789012:role/AmazonEBSAdmin"
			},
			"Action": [
				"kms:Encrypt",
				"kms:Decrypt",
				"kms:ReEncrypt*",
				"kms:GenerateDataKey*",
				"kms:DescribeKey"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow attachment of persistent resources",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::123456789012:role/AmazonEBSAdmin"
			},
			"Action": [
				"kms:CreateGrant",
				"kms:ListGrants",
				"kms:RevokeGrant"
			],
			"Resource": "*",
			"Condition": {
				"Bool": {
					"kms:GrantIsForAWSResource": "true"
				}
			}
		}
	]
}

02 Run the create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. ebs-default-encryption-cmk-policy.json) as the value for the --policy parameter, to create your new customer-managed Customer Master Key (CMK):

aws kms create-key \
  --region us-east-1 \
  --description 'Amazon KMS CMK for encrypting EBS volumes' \
  --policy file://ebs-default-encryption-cmk-policy.json \
  --query 'KeyMetadata.Arn'

03 The command output should return the ARN of the new AWS KMS Customer Master Key:

"arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"

04 Run the create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command does not produce any output):

aws kms create-alias \
  --region us-east-1 \
  --alias-name alias/EBSDefaultEncryptionCMK \
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd

05 Run the modify-ebs-default-kms-key-id command (OSX/Linux/UNIX) to reconfigure the Encryption by Default feature so that it uses the customer-managed Customer Master Key (CMK) created earlier in the process to encrypt the Amazon EBS volumes that will be created in the selected AWS region:

aws ec2 modify-ebs-default-kms-key-id \
  --region us-east-1 \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd

06 The command output should return the ARN of the implemented KMS Customer Master Key:

{
	"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
}

07 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other AWS regions.
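The key policy defined in step 01 of the CLI procedure decides who can administer the CMK, who can use it, and under which condition grants may be created for it. The following added example (not part of the Conformity rule or of any AWS tooling) is a small linter for such a policy document, meant to be run before passing the file to create-key. It checks four things that the policy above gets right: the account root statement that keeps the key manageable through IAM is present, no statement uses the wildcard principal "*", at least one statement grants the full set of key-user actions, and every statement that explicitly lists kms:CreateGrant carries the kms:GrantIsForAWSResource condition (EC2 creates grants on the caller's behalf when it attaches volumes, and the condition limits the permission to that use). The embedded policy is a constructed copy of the one above with the same placeholder account ID and role names; the check names and the decision to not flag administrator statements that only reach CreateGrant through kms:Create* are this example's own choices.

```python
"""Sanity checks for a KMS key policy used for EBS default encryption (added example)."""
import copy
import fnmatch
import json

# Concrete actions a key-user statement must cover; kms:ReEncrypt* and
# kms:GenerateDataKey* in the policy above are patterns over these.
KEY_USER_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
                    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
                    "kms:DescribeKey"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def _allows(stmt, action):
    """True if one of the statement's Action patterns (e.g. kms:Create*) covers action."""
    return any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", [])))


def _grant_condition_ok(stmt):
    value = stmt.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
    return str(value).lower() == "true"


def check_ebs_cmk_policy(policy):
    """Return a list of finding strings; an empty list means the expected shape."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    allows = [s for s in doc.get("Statement", []) if s.get("Effect") == "Allow"]
    findings = []

    # 1. Without the account-root statement, IAM policies cannot grant access to
    #    the key and it can only be managed through the key policy itself.
    if not any(any(p.endswith(":root") for p in _principals(s)) and _allows(s, "kms:PutKeyPolicy")
               for s in allows):
        findings.append("no statement lets the account root principal manage the key (kms:*)")

    # 2. A wildcard principal would expose the key outside the account.
    for s in allows:
        if "*" in _principals(s):
            findings.append(f'statement "{s.get("Sid", "?")}" allows the wildcard principal "*"')

    # 3. Some principal must hold the complete key-user action set EBS relies on.
    if not any(all(_allows(s, a) for a in KEY_USER_ACTIONS) for s in allows):
        findings.append("no statement grants the complete key-user action set to any principal")

    # 4. Explicit CreateGrant permission should be limited to grants created for
    #    AWS resources. Administrator statements that reach CreateGrant only via
    #    kms:Create* follow the standard console pattern and are not flagged.
    for s in allows:
        if "kms:CreateGrant" in _as_list(s.get("Action", [])) and not _grant_condition_ok(s):
            findings.append(f'statement "{s.get("Sid", "?")}" allows kms:CreateGrant '
                            'without kms:GrantIsForAWSResource=true')
    return findings


# Constructed copy of the policy from step 01 (placeholder account and role names).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/AmazonEBSManager"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                    "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"],
         "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/AmazonEBSAdmin"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/AmazonEBSAdmin"},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}


def run_demo():
    """Check the sample policy and two deliberately weakened variants of it."""
    no_condition = copy.deepcopy(SAMPLE_POLICY)
    del no_condition["Statement"][3]["Condition"]
    public = copy.deepcopy(SAMPLE_POLICY)
    public["Statement"][2]["Principal"] = {"AWS": "*"}
    return {name: check_ebs_cmk_policy(pol) for name, pol in
            [("page_policy", SAMPLE_POLICY), ("no_grant_condition", no_condition),
             ("public_principal", public)]}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "->", result or "no findings")
```

Pointing check_ebs_cmk_policy() at the JSON file from step 01 (json.load of ebs-default-encryption-cmk-policy.json) returns no findings; the Terraform variant of the policy earlier on this page lists kms:CreateGrant without the condition and is reported by check 4, which is the one difference between the two policies worth reconciling before applying either.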

Publication date Oct 18, 2023