
Database-Tier KMS Customer Master Key (CMK) In Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (not acceptable risk)
Rule ID: KMS-011

Ensure that at least one Amazon KMS Customer Master Key (CMK) is created in your AWS account for the database tier, in order to protect the data at rest held within your AWS web stack, to retain full control over the encryption/decryption process and to meet security and compliance requirements. The AWS resources provisioned in your database tier should carry a tag set such as <data_tier_tag>:<data_tier_tag_value>, where <data_tier_tag> is the tag name and <data_tier_tag_value> is the tag value. Before the Cloud Conformity engine runs this rule, the database-tier tags must be configured within the rule settings on your Cloud Conformity dashboard.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you use your own AWS KMS Customer Master Key (CMK) to protect your database-tier data, you gain full control over who can use the key and therefore who can access the data: the key policy lets you apply the principle of least privilege to both key ownership and key usage. The KMS service also lets you rotate the key, audit its use (every KMS API call is recorded by AWS CloudTrail) and disable the encryption key created for your database tier.

Note: Make sure that you replace all <data_tier_tag>:<data_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the database tier.


Audit

To determine if a database-tier KMS Customer Master Key was created within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Database Tier Customer Master Key In Use rule settings and check the tag set defined for AWS resources within your database tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

04 In the left navigation panel, click Encryption Keys.

05 Select the appropriate AWS region from the Filter menu (must match the region where the AWS database-tier resources have been provisioned). If there are no Customer Master Keys provisioned in the selected AWS region, there is no KMS Customer Master Key created for your database tier and the audit process stops here. If the KMS dashboard lists one or more CMKs, continue the audit with the next step.

06 Click on the alias (link) of the KMS CMK that you want to examine.

07 On the key configuration details page, inside the Tags section, search for the tag set identified at step no. 1, e.g. <data_tier_tag>:<data_tier_tag_value>. If the key tag set does not match the one defined in your Cloud Conformity account or the key does not have any tags at all, the selected KMS CMK has a different scope, therefore there is no KMS Customer Master Key created for the selected database tier within your AWS account. To have full control over database encryption, create your own database-tier CMK.

08 Repeat step no. 6 and 7 to verify other KMS CMKs available in the selected AWS region.

09 Repeat steps no. 1 – 8 to search for KMS Customer Master Keys created for other database tiers available within your AWS account.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Database Tier Customer Master Key In Use conformity rule settings and check the tags defined for AWS resources within your database tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Run list-keys command (OSX/Linux/UNIX) using the AWS region where the database-tier resources have been provisioned and custom query filters to list the IDs of all AWS KMS keys available in the selected region. Note that the output also includes AWS-managed keys (e.g. the default aws/rds key), which cannot carry your own tags and therefore never satisfy this rule:

aws kms list-keys \
    --region us-east-1 \
    --output table \
    --query 'Keys[*].KeyId'

03 The command output should return a table with the requested identifiers:

------------------------------------------
|                ListKeys                |
+----------------------------------------+
|  1234abcd-aaaa-bbbb-cccc-123456789012  |
|  abcd1234-bbbb-cccc-dddd-123456789012  |
+----------------------------------------+

04 Run list-resource-tags command (OSX/Linux/UNIX) using the ID of the key that you want to examine as identifier and custom query filters to describe the tags defined for the selected AWS KMS key (if any):

aws kms list-resource-tags \
    --region us-east-1 \
    --key-id 1234abcd-aaaa-bbbb-cccc-123456789012 \
    --query 'Tags'

05 The command request should return one of the following outputs:

  1. If the list-resource-tags command output returns an empty array (i.e. []), as shown in the example below, there are no tags defined for the selected Amazon KMS key, therefore the selected key is not a database-tier KMS Customer Master Key (CMK).
    []
    
  2. If the command output returns a tag set, as shown in the example below, but the key tags do not match the ones defined in the conformity rule settings, the selected key is not a database-tier KMS CMK, therefore there is no Amazon KMS Customer Master Key created for the selected database tier within your AWS account.
    [
        {
            "TagKey": "Owner",
            "TagValue": "EC2Manager"
        }
    ]

  3. If the command output returns a tag set that contains the tag name and value defined in the conformity rule settings (the match is case-sensitive), the selected key is the KMS Customer Master Key created for your database tier and this rule is satisfied for that tier.

06 Repeat step no. 4 and 5 to verify other KMS CMKs available in the selected AWS region.

07 Repeat steps no. 1 – 6 to search for KMS Customer Master Keys created for other database tiers provisioned in your AWS account.
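The two CLI audit steps above can be automated. The following Python script is an added example, not part of the original Conformity page or its rule engine: it applies the same logic (list the keys in a region, read each key's tags, look for the configured tag set) and additionally skips AWS-managed keys and keys that are disabled or pending deletion, which the manual procedure leaves to the reader. The tag set Tier:database, the key IDs and the sample inventory are constructed; fetch_key_inventory() assumes boto3 is installed and that the credentials in use may call kms:ListKeys, kms:DescribeKey and kms:ListResourceTags.

```python
"""KMS-011 style audit: does a region contain a customer-managed, enabled
KMS key that carries the database-tier tag set?

Added example, not Conformity's rule engine. The tag set "Tier:database",
the key IDs and SAMPLE_INVENTORY are constructed for illustration;
fetch_key_inventory() assumes boto3 and permission to call kms:ListKeys,
kms:DescribeKey and kms:ListResourceTags.
"""
from typing import Dict, List

# Constructed sample inventory: the shape fetch_key_inventory() returns
# (DescribeKey metadata merged with the key's ListResourceTags output).
SAMPLE_INVENTORY: List[Dict] = [
    {"KeyId": "1234abcd-aaaa-bbbb-cccc-123456789012", "KeyManager": "CUSTOMER",
     "KeyState": "Enabled",
     "Tags": [{"TagKey": "Owner", "TagValue": "EC2Manager"}]},      # other scope
    {"KeyId": "abcd1234-bbbb-cccc-dddd-123456789012", "KeyManager": "CUSTOMER",
     "KeyState": "Enabled",
     "Tags": [{"TagKey": "Tier", "TagValue": "database"}]},          # the DB-tier CMK
    {"KeyId": "0000aaaa-1111-2222-3333-444455556666", "KeyManager": "AWS",
     "KeyState": "Enabled", "Tags": []},                              # aws/rds style key
    {"KeyId": "dddd1234-eeee-ffff-0000-123456789012", "KeyManager": "CUSTOMER",
     "KeyState": "PendingDeletion",
     "Tags": [{"TagKey": "Tier", "TagValue": "database"}]},          # tagged, but dying
]


def has_tag(tags: List[Dict[str, str]], tag_key: str, tag_value: str) -> bool:
    """Exact match on key and value; KMS tag keys and values are case-sensitive."""
    return any(t.get("TagKey") == tag_key and t.get("TagValue") == tag_value for t in tags)


def find_database_tier_cmks(inventory: List[Dict], tag_key: str, tag_value: str) -> List[str]:
    """IDs of keys that satisfy the rule: customer-managed (AWS-managed keys such as
    aws/rds are returned by ListKeys but cannot carry your tags), enabled, and tagged."""
    return [
        k["KeyId"]
        for k in inventory
        if k.get("KeyManager") == "CUSTOMER"
        and k.get("KeyState") == "Enabled"
        and has_tag(k.get("Tags", []), tag_key, tag_value)
    ]


def evaluate_rule(inventory: List[Dict], tag_key: str, tag_value: str) -> Dict:
    """Verdict for one region: FAILURE when no key matches the database-tier tag set."""
    matches = find_database_tier_cmks(inventory, tag_key, tag_value)
    return {"status": "SUCCESS" if matches else "FAILURE", "matching_keys": matches}


def fetch_key_inventory(region: str) -> List[Dict]:
    """Live inventory, equivalent to list-keys + describe-key + list-resource-tags."""
    import boto3  # imported here so the offline functions above do not need it

    kms = boto3.client("kms", region_name=region)
    inventory: List[Dict] = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            tags: List[Dict[str, str]] = []
            if meta["KeyManager"] == "CUSTOMER":
                resp = kms.list_resource_tags(KeyId=key["KeyId"])
                tags.extend(resp.get("Tags", []))
                while resp.get("Truncated"):  # follow the Marker on long tag lists
                    resp = kms.list_resource_tags(KeyId=key["KeyId"], Marker=resp["NextMarker"])
                    tags.extend(resp.get("Tags", []))
            inventory.append({"KeyId": meta["KeyId"], "KeyManager": meta["KeyManager"],
                              "KeyState": meta["KeyState"], "Tags": tags})
    return inventory


if __name__ == "__main__":
    # Offline run over the constructed inventory; swap in
    # fetch_key_inventory("us-east-1") to audit a real region.
    print(evaluate_rule(SAMPLE_INVENTORY, "Tier", "database"))
```

Run it as-is for an offline dry run over the constructed inventory, or replace SAMPLE_INVENTORY with fetch_key_inventory("us-east-1") and repeat per region and per database tier, since KMS keys and their tags are regional.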

Remediation / Resolution

To create a dedicated AWS KMS Customer Master Key (CMK) to be used by AWS resources within your database tier, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Database Tier Customer Master Key In Use conformity rule settings and copy the tag set defined for your database-tier resources (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

04 In the left navigation panel, click Encryption Keys.

05 Select the appropriate AWS region from the Filter menu (must match the region where the AWS database-tier resources have been provisioned).

06 Click Create Key button from the dashboard top menu to start the setup process.

07 On Create Alias and Description page, type a name (alias) into the Alias (required) box and enter a short description in the Description box. Click Next Step to continue.

08 On Add Tags page, create tags to manage the identity of the new KMS key (i.e. database-tier encryption key). Use the following format when you define your own tag set: <data_tier_tag>:<data_tier_tag_value> and make sure the tag name (<data_tier_tag>) and the tag value (<data_tier_tag_value>) match the tag set used to organize your database-tier resources. Click Next Step to continue the setup process.

09 On Define Key Administrative Permissions page, select which IAM users and/or roles can administer the new CMK, then click Next Step.

10 On Define Key Usage Permissions page, select which IAM users and/or roles can use the key to encrypt/decrypt data with the AWS KMS API. (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK for encryption. The owners of the external AWS accounts must also provide access to this CMK by creating policies for their IAM users. Click Next Step to continue.

11 On Preview Key Policy page, review the predefined access policy then click Finish to create your own database-tier Customer Master Key (CMK). Once the key is successfully created, the KMS service dashboard will display a confirmation message of the form “Your master key was created successfully. Alias: <alias>”, where <alias> is the name you entered at step no. 7.

12 Repeat steps no. 1 – 11 to create new dedicated AWS KMS Customer Master Keys to be used by other database-tier resources available in your AWS account.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Database Tier Customer Master Key In Use rule settings and copy the tags defined for your AWS database-tier resources.

02 Create a new access policy that enables the specified AWS IAM users and/or roles to administer the new CMK and the selected IAM users and/or roles to encrypt/decrypt data using the KMS API. Create a new policy document named database-tier-cmk-policy.json and paste the following data (replace the placeholders <AWS_ACCOUNT_ID>, <ROLE_NAME> and <USER_NAME>, i.e. the ARNs for the IAM users and/or roles, with your own details):

{
  "Id": "kms-cmk-access-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:user/<USER_NAME>"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:user/<USER_NAME>"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}

03 Run create-key command (OSX/Linux/UNIX) using the AWS region where the database-tier resources have been provisioned (for example us-east-1) and the policy document defined at the previous step (i.e. database-tier-cmk-policy.json) to create the AWS KMS Customer Master Key (CMK) that will help you encrypt data within the selected AWS database tier:

aws kms create-key \
    --region us-east-1 \
    --description 'KMS CMK to encrypt database tier data' \
    --policy file://database-tier-cmk-policy.json

04 The command output should return the new CMK metadata:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "1234abcd-cccc-dddd-eeee-123456789012",
        "Description": "KMS CMK to encrypt database tier data",
        "KeyManager": "CUSTOMER",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1519843062.520,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-cccc-dddd-eeee-123456789012",
        "AWSAccountId": "123456789012"
    }
}

05 Run create-alias command (OSX/Linux/UNIX) in the same AWS region, using the ARN of the newly created key, to attach an alias (display name) to the KMS Customer Master Key. The alias name must start with the prefix alias/ (the command does not produce an output):

aws kms create-alias \
    --region us-east-1 \
    --alias-name alias/database-tier-cmk \
    --target-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-cccc-dddd-eeee-123456789012

06 Run tag-resource command (OSX/Linux/UNIX) using the ID of the newly created AWS KMS CMK as identifier to create tags for managing the identity of the new key (i.e. database-tier encryption key). Use the following format when you define your own tag set: <data_tier_tag>:<data_tier_tag_value> and make sure the tag name and value match the tag set used to organize your database-tier resources. Replace <data_tier_tag> and <data_tier_tag_value> with your own values (the command does not produce an output):

aws kms tag-resource \
    --region us-east-1 \
    --key-id 1234abcd-cccc-dddd-eeee-123456789012 \
    --tags TagKey="<data_tier_tag>",TagValue="<data_tier_tag_value>"

07 Repeat steps no. 1 – 6 to create new dedicated AWS KMS Customer Master Keys to be used by other database-tier resources provisioned in your AWS account.
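The remediation steps above, carried out with boto3 rather than the individual CLI commands, as an added example that is not part of the original page or Conformity's tooling. It builds the same four-statement key policy, refuses to proceed if that policy grants kms:* to anything other than the account root or names a wildcard principal, creates the key with the database-tier tag already attached, adds the alias, enables automatic rotation (which the Security section above mentions) and re-reads the tags to confirm that the KMS-011 check would now pass. The account ID, the role KmsAdmins, the user db-app, the alias database-tier-cmk and the tag set Tier:database are placeholders; create_database_tier_cmk() assumes boto3 is installed and that the caller may invoke kms:CreateKey, kms:CreateAlias, kms:EnableKeyRotation and kms:ListResourceTags.

```python
"""Create a dedicated database-tier KMS CMK: scoped key policy, alias and tag set,
then verify the tag is present. Added example (not Conformity's or AWS's code);
all identifiers are placeholders. create_database_tier_cmk() needs boto3 and an
identity allowed to call kms:CreateKey, CreateAlias, EnableKeyRotation and
ListResourceTags; build_key_policy() and policy_is_least_privilege() run offline."""
import json
from typing import Dict, List

# Management actions for key administrators. Deliberately no Encrypt/Decrypt:
# whoever administers the key should not be able to read the data it protects.
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
# Data-plane actions for the principals that encrypt and decrypt database data.
USAGE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:DescribeKey"]
# Grants let integrated services (RDS, EBS, ...) use the key on the caller's behalf.
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def build_key_policy(account_id: str, admin_arns: List[str], usage_arns: List[str]) -> Dict:
    """Key policy with the same four statements the console wizard generates."""
    return {
        "Id": "kms-cmk-access-policy",
        "Version": "2012-10-17",
        "Statement": [
            # Account root keeps kms:* so the key can never become unmanageable.
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": [f"arn:aws:iam::{account_id}:root"]},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
             "Principal": {"AWS": list(admin_arns)}, "Action": ADMIN_ACTIONS, "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": list(usage_arns)}, "Action": USAGE_ACTIONS, "Resource": "*"},
            # Grants only on behalf of AWS resources (e.g. an RDS instance), not arbitrary grantees.
            {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
             "Principal": {"AWS": list(usage_arns)}, "Action": GRANT_ACTIONS, "Resource": "*",
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def policy_is_least_privilege(policy: Dict) -> bool:
    """Pre-flight check: no wildcard principals, and kms:* only for the account root."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        if principal == "*":
            return False
        arns = principal.get("AWS", [])
        arns = [arns] if isinstance(arns, str) else arns
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if not arns or "*" in arns:
            return False
        if "kms:*" in actions and not all(a.endswith(":root") for a in arns):
            return False
    return True


def create_database_tier_cmk(region: str, account_id: str, admin_arns: List[str],
                             usage_arns: List[str], alias: str, tag_key: str, tag_value: str) -> Dict:
    """create-key (policy and tag in one call), create-alias, enable rotation, verify the tag."""
    import boto3  # imported here so the policy helpers above run offline

    policy = build_key_policy(account_id, admin_arns, usage_arns)
    if not policy_is_least_privilege(policy):
        raise ValueError("refusing to create a key with an over-broad key policy")

    kms = boto3.client("kms", region_name=region)
    # Tagging at creation avoids a window in which an untagged key exists that the
    # KMS-011 check would not recognise as the database-tier CMK.
    meta = kms.create_key(
        Policy=json.dumps(policy),
        Description="KMS CMK to encrypt database tier data",
        KeyUsage="ENCRYPT_DECRYPT", Origin="AWS_KMS",
        Tags=[{"TagKey": tag_key, "TagValue": tag_value}],
    )["KeyMetadata"]
    kms.create_alias(AliasName=f"alias/{alias}", TargetKeyId=meta["KeyId"])
    kms.enable_key_rotation(KeyId=meta["KeyId"])  # yearly automatic rotation of the key material

    tags = kms.list_resource_tags(KeyId=meta["KeyId"]).get("Tags", [])
    if not any(t["TagKey"] == tag_key and t["TagValue"] == tag_value for t in tags):
        raise RuntimeError(f"tag {tag_key}:{tag_value} missing on key {meta['KeyId']}")
    return meta


if __name__ == "__main__":
    # Placeholder identifiers: print the key policy that would be attached.
    print(json.dumps(build_key_policy("123456789012",
                                      ["arn:aws:iam::123456789012:role/KmsAdmins"],
                                      ["arn:aws:iam::123456789012:user/db-app"]), indent=2))
```

For a live run, call create_database_tier_cmk("us-east-1", "<AWS_ACCOUNT_ID>", [admin role ARN], [usage principal ARNs], "database-tier-cmk", "<data_tier_tag>", "<data_tier_tag_value>") once per region and per database tier; the returned KeyMetadata carries the ARN to reference from RDS, EBS or other database-tier resources.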


Publication date Apr 16, 2016