
Key Exposed

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act immediately)
Rule ID: KMS-005

Identify any publicly accessible customer-managed Customer Master Keys (CMKs) and update their access policy in order to stop any unsigned requests made to these keys.

This rule can help you with the following compliance standards:

  • PCI
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When the "Principal" element value is set to "*" (i.e. everyone) within the CMK policy and there is no "Condition" clause defined, anyone can access the specified key. One common scenario is when the Amazon KMS administrator grants access for everyone to use the key but forgets to add the "Condition" clause to the key policy that would filter the access to certain (trusted) entities only. Allowing unrestricted access to your customer-managed Customer Master Keys (CMKs) is considered a bad practice and can lead to data breaches, data leaks, and hacks.


Audit

To determine if your customer-managed Customer Master Keys (CMKs) are exposed to everyone, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the navigation panel, under Key Management Service (KMS), choose Customer managed keys.

04 Click on the name (alias) of the customer-managed Customer Master Key (CMK) that you want to examine.

05 Select the Key policy tab from the console bottom panel and choose Switch to policy view to view the key policy in JSON format.

06 In the Key policy section, verify the set of permissions configured for the selected Customer Master Key. If the "Principal" element value is set to "*" or { "AWS": "*" }, the "Effect" value is set to "Allow", and the key policy is not using any "Condition" clauses to filter the access, the selected Amazon KMS Customer Master Key (CMK) is fully exposed.

07 Repeat steps no. 4 – 6 for each Customer Master Key (CMK) available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-keys command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon KMS Customer Master Key (CMK) available in the selected AWS region:

aws kms list-keys \
  --region us-east-1 \
  --output table \
  --query 'Keys[*].KeyId'

02 The command output should return a table with the requested CMK ID(s):

------------------------------------------
|                ListKeys                |
+----------------------------------------+
|  aaaabbbb-aaaa-bbbb-cccc-123456789012  |
|  bbbbcccc-bbbb-cccc-dddd-123456789012  |
|  aaaadddd-cccc-dddd-aaaa-123456789012  |
|  ddddaaaa-bbbb-cccc-dddd-123456789012  |
+----------------------------------------+

03 Run get-key-policy command (OSX/Linux/UNIX) using the ID of the Customer Master Key (CMK) that you want to examine as the identifier parameter and custom query filters to describe the access policy defined for the selected KMS key:

aws kms get-key-policy \
  --region us-east-1 \
  --key-id aaaabbbb-aaaa-bbbb-cccc-123456789012 \
  --policy-name default \
  --output text \
  --query 'Policy'

04 The command output should return the requested key policy in JSON format:

{
	"Id": "key-consolepolicy-3",
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Enable IAM User Permissions",
			"Effect": "Allow",
			"Principal": {
				"AWS": "*"
			},
			"Action": "kms:*",
			"Resource": "*"
		},
		{
			"Sid": "Allow access for Key Administrators",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::123456789012:user/key-admin"
			},
			"Action": [
				"kms:Create*",
				"kms:Describe*",
				"kms:Enable*",
				"kms:List*",
				"kms:Put*",
				"kms:Update*",
				"kms:Revoke*",
				"kms:Disable*",
				"kms:Get*",
				"kms:Delete*",
				"kms:TagResource",
				"kms:UntagResource",
				"kms:ScheduleKeyDeletion",
				"kms:CancelKeyDeletion"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow use of the key",
			"Effect": "Allow",
			"Principal": {
				"AWS": [
					"arn:aws:iam::123456789012:user/resource-manager"
				]
			},
			"Action": [
				"kms:Encrypt",
				"kms:Decrypt",
				"kms:ReEncrypt*",
				"kms:GenerateDataKey*",
				"kms:DescribeKey"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow attachment of persistent resources",
			"Effect": "Allow",
			"Principal": {
				"AWS": [
					"arn:aws:iam::123456789012:user/resource-manager"
				]
			},
			"Action": [
				"kms:CreateGrant",
				"kms:ListGrants",
				"kms:RevokeGrant"
			],
			"Resource": "*"
		}
	]
}

If the "Principal" element value is set to "*" or { "AWS": "*" }, the "Effect" value is set to "Allow", and the key policy is not using any "Condition" clauses to filter the key access, the selected Amazon KMS Customer Master Key (CMK) is fully exposed.

05 Repeat steps no. 3 and 4 for each Customer Master Key available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
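The evaluation rule stated in the Security section and applied in steps 03 and 04 above (Effect is Allow, Principal is everyone, no Condition clause), as an added Python example that is not Conformity's own check and makes no AWS calls. It takes the policy string that get-key-policy --query 'Policy' returns and reports which statements expose the key. The sample policies, the account ID 123456789012 and the function names are constructed for the example; the check also covers the forms the page does not spell out, a "*" inside a Principal list and a Statement given as a single object rather than a list.

```python
"""Detect the KMS-005 condition in an Amazon KMS key policy document.

Added example for this page; not Conformity's own code, no AWS API calls.
Input is the policy JSON string that `aws kms get-key-policy --query Policy`
returns. The samples below are constructed from the Audit section.
"""
import json
from typing import Any, List

ACCOUNT = "123456789012"  # example account ID used throughout the page

# Constructed sample: the exposed policy from the Audit section, trimmed to
# the two statements that matter for the check.
EXPOSED_POLICY = json.dumps({
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:user/resource-manager"]},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
        },
    ],
})

# Constructed sample: same "*" grantee, but the kms:CallerAccount condition
# from the Remediation section pins callers to one account, so not exposed.
# Statement is a single object here, which IAM also accepts.
CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "kms:*",
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:CallerAccount": ACCOUNT}},
    },
})


def _as_list(value: Any) -> List[Any]:
    """IAM allows a scalar wherever a list is accepted; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal: Any) -> bool:
    """True for "*", {"AWS": "*"} and {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def exposed_statements(policy_json: str) -> List[str]:
    """Return the Sids of statements that grant everyone unconditional access.

    A statement is exposed when Effect is Allow, the Principal is everyone and
    there is no Condition clause narrowing the callers (an empty Condition
    object counts as no condition). Deny statements are never exposures.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


def key_is_exposed(policy_json: str) -> bool:
    """KMS-005 verdict for one key: any exposed statement fails the key."""
    return bool(exposed_statements(policy_json))


if __name__ == "__main__":
    for name, doc in (("exposed", EXPOSED_POLICY), ("conditioned", CONDITIONED_POLICY)):
        print(name, "->", exposed_statements(doc) or "no exposed statements")
```

In practice you would loop over the key IDs from step 01, feed each get-key-policy output to key_is_exposed, and repeat per region; note that a Condition on any key (not only kms:CallerAccount) clears the finding, which matches the rule text but still deserves a manual look at what the condition actually restricts.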

Remediation / Resolution

To restrict access for your exposed customer-managed Customer Master Keys (CMKs), perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"KMSKEY": {
			"Type": "AWS::KMS::Key",
			"Properties": {
				"Enabled": true,
				"KeySpec": "SYMMETRIC_DEFAULT",
				"KeyUsage": "ENCRYPT_DECRYPT",
				"Description": "Symmetric Amazon KMS Customer Master Key",
				"KeyPolicy": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Sid": "Enable IAM User Permissions",
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:root"
							},
							"Action": "kms:*",
							"Resource": "*"
						},
						{
							"Sid": "Allow access for Key Administrators",
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
							},
							"Action": [
								"kms:Create*",
								"kms:Describe*",
								"kms:Enable*",
								"kms:List*",
								"kms:Put*",
								"kms:Update*",
								"kms:Revoke*",
								"kms:Disable*",
								"kms:Get*",
								"kms:Delete*",
								"kms:TagResource",
								"kms:UntagResource",
								"kms:ScheduleKeyDeletion",
								"kms:CancelKeyDeletion"
							],
							"Resource": "*"
						},
						{
							"Sid": "Allow use of the key",
							"Effect": "Allow",
							"Principal": {
								"AWS": [
									"arn:aws:iam::123456789012:user/cloud-resource-manager"
								]
							},
							"Action": [
								"kms:Encrypt",
								"kms:Decrypt",
								"kms:ReEncrypt*",
								"kms:GenerateDataKey*",
								"kms:DescribeKey"
							],
							"Resource": "*"
						},
						{
							"Sid": "Allow attachment of persistent resources",
							"Effect": "Allow",
							"Principal": {
								"AWS": [
									"arn:aws:iam::123456789012:user/cloud-resource-manager"
								]
							},
							"Action": [
								"kms:CreateGrant",
								"kms:ListGrants",
								"kms:RevokeGrant"
							],
							"Resource": "*"
						}
					]
				}
			}
		},
		"KMSKEYAlias": {
			"Type": "AWS::KMS::Alias",
			"Properties": {
				"AliasName": "alias/ProductionKey",
				"TargetKeyId": {
					"Ref": "KMSKEY"
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  KMSKEY:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      KeySpec: SYMMETRIC_DEFAULT
      KeyUsage: ENCRYPT_DECRYPT
      Description: Symmetric Amazon KMS Customer Master Key
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              # The exposed grantee (AWS: '*') is replaced by the account root ARN
              AWS: arn:aws:iam::123456789012:root
            Action: kms:*
            Resource: '*'
          - Sid: Allow access for Key Administrators
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/kms-key-admin
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:TagResource
              - kms:UntagResource
              - kms:ScheduleKeyDeletion
              - kms:CancelKeyDeletion
            Resource: '*'
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::123456789012:user/cloud-resource-manager
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: '*'
          - Sid: Allow attachment of persistent resources
            Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::123456789012:user/cloud-resource-manager
            Action:
              - kms:CreateGrant
              - kms:ListGrants
              - kms:RevokeGrant
            Resource: '*'
  KMSKEYAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/ProductionKey
      TargetKeyId: !Ref KMSKEY

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_kms_key" "kms-key" {
  is_enabled               = true
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  key_usage                = "ENCRYPT_DECRYPT"
  description              = "Symmetric Amazon KMS Customer Master Key"

  # The "Enable IAM User Permissions" statement names the account root ARN
  # as grantee instead of the exposed "*" value.
  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::123456789012:root"
        },
        "Action": "kms:*",
        "Resource": "*"
      },
      {
        "Sid": "Allow access for Key Administrators",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
        },
        "Action": [
          "kms:Create*",
          "kms:Describe*",
          "kms:Enable*",
          "kms:List*",
          "kms:Put*",
          "kms:Update*",
          "kms:Revoke*",
          "kms:Disable*",
          "kms:Get*",
          "kms:Delete*",
          "kms:TagResource",
          "kms:UntagResource",
          "kms:ScheduleKeyDeletion",
          "kms:CancelKeyDeletion"
        ],
        "Resource": "*"
      },
      {
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "arn:aws:iam::123456789012:user/cloud-resource-manager"
          ]
        },
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ],
        "Resource": "*"
      },
      {
        "Sid": "Allow attachment of persistent resources",
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "arn:aws:iam::123456789012:user/cloud-resource-manager"
          ]
        },
        "Action": [
          "kms:CreateGrant",
          "kms:ListGrants",
          "kms:RevokeGrant"
        ],
        "Resource": "*"
      }
    ]
  }
  EOF
}

resource "aws_kms_alias" "kms-key-alias" {
  target_key_id = aws_kms_key.kms-key.key_id
  name          = "alias/ProductionKey"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the navigation panel, under Key Management Service (KMS), choose Customer managed keys.

04 Click on the name (alias) of the exposed Customer Master Key (CMK) that you want to reconfigure.

05 Select the Key policy tab from the console bottom panel, choose Switch to policy view, and choose Edit.

06 On the Edit key policy page, perform one of the following actions:

  1. Replace the "Everyone" grantee (i.e. '*' or { "AWS": "*" }) from the "Principal" element value with an AWS account ID (e.g. 123456789012) or an AWS account ARN (e.g. arn:aws:iam::123456789012:root). Choose Save changes to apply the policy changes.
  2. Add a "Condition" clause to the appropriate policy statement to filter the key access to specific, trusted entities only, i.e. "Condition": { "StringEquals": { "kms:CallerAccount": "<trusted-account-id>" } }. Choose Save changes to apply the changes.

07 Repeat steps no. 4 – 6 for each Amazon KMS Customer Master Key (CMK) that you want to reconfigure, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Edit your Customer Master Key (CMK) policy and restrict access to specific, trusted entities only. Save the updated policy document to a JSON file named cmk-authorized-access-policy.json. You can use one of the following options:

  1. Replace the "Everyone" grantee (i.e. '*' or { "AWS": "*" }) from the "Principal" element value with an AWS account ID (e.g. 123456789012) or an AWS account ARN (e.g. arn:aws:iam::123456789012:root).
  2. Add a "Condition" clause to the appropriate policy statement to filter the key access to specific, trusted entities only, i.e. "Condition": { "StringEquals": { "kms:CallerAccount": "<trusted-account-id>" } }, where "<trusted-account-id>" is the account ID of the trusted AWS account that can access the key, as shown in the example below:
    {
    	"Id": "key-consolepolicy-3",
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Sid": "Enable IAM User Permissions",
    			"Effect": "Allow",
    			"Principal": {
    				"AWS": "*"
    			},
    			"Action": "kms:*",
    			"Condition": {
    				"StringEquals": {
    					"kms:CallerAccount": "<trusted-account-id>"
    				}
    			},
    			"Resource": "*"
    		},
    		{
    			"Sid": "Allow access for Key Administrators",
    			"Effect": "Allow",
    			"Principal": {
    				"AWS": "arn:aws:iam::123456789012:user/key-admin"
    			},
    			"Action": [
    				"kms:Create*",
    				"kms:Describe*",
    				"kms:Enable*",
    				"kms:List*",
    				"kms:Put*",
    				"kms:Update*",
    				"kms:Revoke*",
    				"kms:Disable*",
    				"kms:Get*",
    				"kms:Delete*",
    				"kms:TagResource",
    				"kms:UntagResource",
    				"kms:ScheduleKeyDeletion",
    				"kms:CancelKeyDeletion"
    			],
    			"Resource": "*"
    		},
    		{
    			"Sid": "Allow use of the key",
    			"Effect": "Allow",
    			"Principal": {
    				"AWS": [
    					"arn:aws:iam::123456789012:user/resource-manager"
    				]
    			},
    			"Action": [
    				"kms:Encrypt",
    				"kms:Decrypt",
    				"kms:ReEncrypt*",
    				"kms:GenerateDataKey*",
    				"kms:DescribeKey"
    			],
    			"Resource": "*"
    		},
    		{
    			"Sid": "Allow attachment of persistent resources",
    			"Effect": "Allow",
    			"Principal": {
    				"AWS": [
    					"arn:aws:iam::123456789012:user/resource-manager"
    				]
    			},
    			"Action": [
    				"kms:CreateGrant",
    				"kms:ListGrants",
    				"kms:RevokeGrant"
    			],
    			"Resource": "*"
    		}
    	]
    }


02 Run put-key-policy command (OSX/Linux/UNIX) using the ID of the exposed Customer Master Key (CMK) that you want to reconfigure as the identifier parameter, to replace the existing key policy with the one defined at the previous step, i.e. cmk-authorized-access-policy.json (the command does not produce an output):

aws kms put-key-policy \
  --region us-east-1 \
  --key-id aaaabbbb-aaaa-bbbb-cccc-123456789012 \
  --policy-name default \
  --policy file://cmk-authorized-access-policy.json

03 Repeat steps no. 1 and 2 for each Amazon KMS Customer Master Key (CMK) that you want to reconfigure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
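The two remediation options from step 01 (replace the "*" grantee with the account root ARN, or add a kms:CallerAccount condition), as an added Python example that is not Conformity's tooling and does not call AWS. Given the current policy document, the Sid of the statement the audit flagged and the trusted account ID, it returns the restricted document to save as cmk-authorized-access-policy.json for step 02. The sample policy, the account ID 123456789012 and the function names restricted_policy and policy_file_contents are constructed for the example.

```python
"""Build the restricted key policy that `aws kms put-key-policy` will apply.

Added example for this page; not Conformity's own code, no AWS API calls.
Applies one of the two fixes from the Remediation section to a named
statement and leaves every other statement untouched.
"""
import json
from typing import Any, Dict, List

# Constructed sample: the exposed "Enable IAM User Permissions" statement
# next to an admin statement that must survive the rewrite unchanged.
EXPOSED_POLICY = json.dumps({
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/key-admin"},
            "Action": ["kms:Create*", "kms:Describe*", "kms:ScheduleKeyDeletion"],
            "Resource": "*",
        },
    ],
})


def _replace_everyone(principal: Any, root_arn: str) -> Any:
    """Swap every "*" grantee in an AWS principal for the account root ARN."""
    if principal == "*":
        return {"AWS": root_arn}
    if isinstance(principal, dict) and "AWS" in principal:
        aws = principal["AWS"]
        if isinstance(aws, list):
            # Dedupe in case the root ARN was already listed alongside "*".
            principal["AWS"] = list(dict.fromkeys(root_arn if p == "*" else p for p in aws))
        elif aws == "*":
            principal["AWS"] = root_arn
    return principal


def restricted_policy(policy_json: str, sid: str, trusted_account_id: str,
                      mode: str = "principal") -> Dict[str, Any]:
    """Return the policy with statement `sid` restricted to `trusted_account_id`.

    mode="principal": option 1 on the page, replace the "*" grantee with
        arn:aws:iam::<account>:root.
    mode="condition": option 2, keep the grantee and add
        Condition.StringEquals.kms:CallerAccount = <account>.
    """
    if not (trusted_account_id.isdigit() and len(trusted_account_id) == 12):
        raise ValueError("trusted_account_id must be a 12-digit AWS account ID")
    policy = json.loads(policy_json)
    raw = policy["Statement"]
    statements: List[Dict[str, Any]] = raw if isinstance(raw, list) else [raw]
    target = next((s for s in statements if s.get("Sid") == sid), None)
    if target is None:
        raise ValueError(f"no statement with Sid {sid!r}")

    if mode == "principal":
        root_arn = f"arn:aws:iam::{trusted_account_id}:root"
        target["Principal"] = _replace_everyone(target["Principal"], root_arn)
    elif mode == "condition":
        condition = target.setdefault("Condition", {})
        condition.setdefault("StringEquals", {})["kms:CallerAccount"] = trusted_account_id
    else:
        raise ValueError("mode must be 'principal' or 'condition'")

    policy["Statement"] = statements
    return policy


def policy_file_contents(policy_json: str, sid: str, trusted_account_id: str,
                         mode: str = "principal") -> str:
    """Serialised form for `--policy file://cmk-authorized-access-policy.json`."""
    return json.dumps(restricted_policy(policy_json, sid, trusted_account_id, mode), indent=2)


if __name__ == "__main__":
    with open("cmk-authorized-access-policy.json", "w") as fh:
        fh.write(policy_file_contents(EXPOSED_POLICY, "Enable IAM User Permissions", "123456789012"))
    print("wrote cmk-authorized-access-policy.json; apply it with aws kms put-key-policy")
```

The account ID check matters because put-key-policy accepts a syntactically valid policy that names a non-existent account, which would lock everyone out rather than restrict access; a failed write here is cheaper than an unusable key.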

Publication date Dec 23, 2016