App-Tier KMS Customer Master Key (CMK) In Use

01 Sign in to your Cloud Conformity console, access App Tier Customer Master Key In Use conformity rule settings and check the tag set defined for AWS resources within your app stack (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Log in to the AWS Management Console.

03 Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

04 In the left navigation panel, click Encryption Keys.

05 Select the appropriate AWS region from the Filter menu (must match the region where the AWS app tier resources have been provisioned). If there are no Customer Master Keys provisioned in the selected AWS region, there is no KMS Customer Master Key created for your app tier and the audit process stops here. If the KMS dashboard lists one or more CMKs, continue with the next step.

06 Click on the alias (link) of the KMS CMK that you want to examine.

07 On the key configuration details page, inside the Tags section, search for the tag set identified at step no. 1, e.g. <app_tier_tag>:<app_tier_tag_value>. If the key tag set does not match the one defined in your Cloud Conformity account or the key does not have any tags at all, the selected KMS CMK has a different scope, therefore there is no KMS Customer Master Key created for the selected app tier within your AWS account. To have full control over app data encryption, create your own app-tier CMK.

08 Repeat step no. 6 and 7 to verify other KMS CMKs available in the selected AWS region.

09 Repeat steps no. 1 – 8 to search for KMS Customer Master Keys created for other app tiers provisioned within your AWS account.

01 Sign in to your Cloud Conformity console, access App Tier Customer Master Key In Use conformity rule settings and check the tags defined for AWS resources within your app stack (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Run list-aliases command (OSX/Linux/UNIX) using the AWS region where the app tier resources have been provisioned and custom query filters to list the IDs of all AWS KMS keys available in the selected region:

aws kms list-keys
	--region us-east-1
	--output table
	--query 'Keys[*].KeyId'

03 The command output should return a table with the requested identifiers:

------------------------------------------
|                ListKeys                |
+----------------------------------------+
|  abcd1234-aaaa-bbbb-cccc-123456789012  |
|  1234abcd-bbbb-cccc-dddd-123456789012  |
+----------------------------------------+

04 Run list-resource-tags command (OSX/Linux/UNIX) using the ID of the key that you want to examine as identifier and custom query filters to describe the tags defined for the selected AWS KMS key (if there are any):

aws kms list-resource-tags
	--region us-east-1
	--key-id abcd1234-aaaa-bbbb-cccc-123456789012
	--query 'Tags'

05 The command request should return one of the following outputs:

1. If the list-resource-tags command output returns an empty array (i.e. []), as shown in the example below, there are no tags defined for the selected Amazon KMS key, therefore the selected key is not a app-tier KMS Customer Master Key (CMK).
   []
   

2. If the command output returns a tag set, as shown in the example below, but the key tags does not match the ones defined in the conformity rule settings, the selected key is not a app-tier KMS CMK, therefore there is no Amazon KMS Customer Master Key created for the selected app tier within your AWS account.
   [
       {
           "TagKey": "Role",
           "TagValue": "WebBased"
       }
   ]
   

06 Repeat step no. 4 and 5 to verify other KMS CMKs available in the selected AWS region.

07 Repeat steps no. 1 – 6 to search for KMS Customer Master Keys created for other app tiers provisioned in your AWS account.

01 Sign in to your Cloud Conformity console, access App Tier Customer Master Key In Use conformity rule settings and copy the tag set defined for your app tier resources (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Log in to the AWS Management Console.

03 Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

04 In the left navigation panel, click Encryption Keys.

05 Select the appropriate AWS region from the Filter menu (must match the region where the AWS app tier resources have been provisioned).

06 Click Create Key button from the dashboard top menu to start the setup process.

07 On Create Alias and Description page, type a name (alias) into the Alias (required) box and enter a short description in the Description box. Click Next Step to continue.

08 On Add Tags page, create tags to manage the identity of the new KMS key (i.e. app-tier encryption key). Use the following format when you define your own tag set: <app_tier_tag>:<app_tier_tag_value> and make sure the tag name (<app_tier_tag>) and the tag value (<app_tier_tag_value>) match the tag set used to organize your app-tier resources. Click Next Step to continue the setup process.

09 On Define Key Administrative Permissions page, select which IAM users and/or roles can administer the new CMK, then click Next Step.

10 On Define Key Usage Permissions page, select which IAM users and/or roles can use the key to encrypt/decrypt data with the AWS KMS API. (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK for encryption. The owners of the external AWS accounts must also provide access to this CMK by creating policies for their IAM users. Click Next Step to continue.

11 On Preview Key Policy page, review the predefined access policy then click Finish to create your own app-tier Customer Master Key (CMK). Once the key is created, the KMS service dashboard will display the following confirmation message: “Your master key was created successfully. Alias: <app_tier_tag_value>”

12 Repeat steps no. 1 – 11 to create new dedicated AWS KMS Customer Master Keys to be used with other app stacks available in your AWS account.

01 Sign in to your Cloud Conformity console, access App Tier Customer Master Key In Use rule settings and copy the tags defined for your AWS app tier resources.

02 Create a new access policy that enables the specified AWS IAM users and/or roles to administer the new CMK and the selected IAM users and/or roles to encrypt/decrypt data using the KMS API. Create a new policy document named app-tier-cmk-policy.json and paste the following data (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):

{
  "Id": "kms-cmk-access-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:user/<USER_NAME>"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:user/<USER_NAME>"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}

03 Run create-key command (OSX/Linux/UNIX) using the AWS region where the app stack resources have been provisioned (for example us-east-1) and the policy document defined at the previous step (i.e. app-tier-cmk-policy.json) to create the AWS KMS Customer Master Key (CMK) that will help you encrypt data-at-rest within the selected AWS app tier:

aws kms create-key
	--region us-east-1
	--description 'KMS CMK to encrypt app tier data'
	--policy file://app-tier-cmk-policy.json

04 The command output should return the new CMK metadata:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "abcd1234-cccc-dddd-eeee-123456789012",
        "Description": "KMS CMK to encrypt app tier data",
        "KeyManager": "CUSTOMER",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1519842985.128,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-cccc-dddd-eeee-123456789012",
        "AWSAccountId": "123456789012"
    }
}

05 Run create-alias command (OSX/Linux/UNIX) using the ARN of the newly created key to attach an alias (name) to the KMS Customer Master Key. The alias must always start with the prefix, i.e. "alias/" (the command does not return an output):

aws kms create-alias
	--alias-name alias/app-tier-cmk
	--target-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-cccc-dddd-eeee-123456789012

06 Run tag-resource command (OSX/Linux/UNIX) using the ID of the newly created AWS KMS CMK as identifier to create tags for managing the identity of the new key (i.e. app-tier encryption key). Use the following format when you define your own tag set: <app_tier_tag>:<app_tier_tag_value> and make sure the tag name and value match the tag set used to organize your app-tier resources. Replace <app_tier_tag> and <app_tier_tag_value> (highlighted) with your own values (the command does not return an output):

aws kms tag-resource
	--region us-east-1
	--key-id abcd1234-cccc-dddd-eeee-123456789012
	--tags TagKey="<app_tier_tag>",TagValue="<app_tier_tag_value>"

07 Repeat steps no. 1 – 6 to create new dedicated AWS KMS Customer Master Keys to be used with other app tiers provisioned in your AWS account.