Web-Tier KMS Customer Master Key (CMK) In Use

01 Sign in to your Cloud Conformity console, access Web Tier Customer Master Key In Use conformity rule settings and check the tag set defined for AWS resources within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

04 In the left navigation panel, click Encryption Keys.

05 Select the appropriate AWS region from the Filter menu (must match the region where the AWS web tier resources have been provisioned). If there are no CMKs provisioned in the selected region, there is no KMS Customer Master Key created for your web tier and the audit process stops here. If the KMS dashboard lists one or more CMKs, continue with the next step.

06 Click on the alias (link) of the KMS CMK that you want to examine.

07 On the key configuration details page, inside the Tags section, search for the tag set identified at step no. 1, e.g. <web_tier_tag>:<web_tier_tag_value>. If the key tag set does not match the one defined in your Cloud Conformity account or the key does not have any tags at all, the selected KMS CMK has a different purpose, therefore there is no Amazon KMS Customer Master Key created for the selected web tier within your AWS account. To have full control over web data encryption, create your own web-tier CMK (see Remediation/Resolution section).

08 Repeat step no. 6 and 7 to verify other KMS CMKs available in the selected AWS region.

09 Repeat steps no. 1 – 8 to search for KMS Customer Master Keys created for other web tiers provisioned within your AWS account.

01 Sign in to your Cloud Conformity console, access Web Tier Customer Master Key In Use conformity rule settings and check the tag set defined for AWS resources within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

aws ec2 describe-volumes
	--volume-ids vol-f7f65326

02 Run list-aliases command (OSX/Linux/UNIX) using the AWS region where the web tier resources have been provisioned (for example us-east-1) and custom query filters to list the IDs of all AWS KMS keys available in the selected region:

aws kms list-keys
	--region us-east-1
	--output table
	--query 'Keys[*].KeyId'

03 The command output should return a table with the requested identifiers (IDs):

------------------------------------------
|                ListKeys                |
+----------------------------------------+
|  aaaabbbb-aaaa-bbbb-cccc-123456789012  |
|  bbbbcccc-bbbb-cccc-dddd-123456789012  |
|  ccccdddd-cccc-dddd-eeee-123456789012  |
+----------------------------------------+

04 Run list-resource-tags command (OSX/Linux/UNIX) using the ID of the key that you want to examine as identifier, returned at the previous step, and custom query filters to describe the tags defined for the selected AWS KMS key (if any):

aws kms list-resource-tags
	--region us-east-1
	--key-id aaaabbbb-aaaa-bbbb-cccc-123456789012
	--query 'Tags'

05 The command request should return one of the following outputs:

1. If the list-resource-tags command output returns an empty array (i.e. []), as shown in the example below, there are no tags defined for the selected AWS KMS key, therefore the selected key is not a web-tier KMS Customer Master Key (CMK).
   []
   

2. If the command output returns a tag set, as shown in the example below, but the key tag set does not match the one defined in your Cloud Conformity account, the selected key is not a web-tier KMS CMK, therefore there is no Amazon KMS Customer Master Key created for the selected web tier within your AWS account.
   [
       {
           "TagKey": "Env",
           "TagValue": "Development"
       }
   ]
   

06 Repeat step no. 4 and 5 to verify other KMS CMKs available in the selected AWS region.

07 Repeat steps no. 1 – 6 to search for KMS Customer Master Keys created for other web tiers provisioned within your AWS account.

01 Sign in to your Cloud Conformity console, access Web Tier Customer Master Key In Use conformity rule settings and copy the tag set defined for your web tier resources (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

04 In the left navigation panel, click Encryption Keys.

05 Select the appropriate AWS region from the Filter menu (must match the region where the AWS web tier resources have been provisioned).

06 Click Create Key button from the dashboard top menu to initiate the setup process.

07 On Create Alias and Description page, type the key name into the Alias (required) box and enter a short description in the Description box. Click Next Step to continue.

08 On Add Tags page, create tags to organize the identity of the new key (i.e. web-tier encryption key). Use the following format when you define your own tag set: <web_tier_tag>:<web_tier_tag_value> and make sure the tag name (<web_tier_tag>) and the tag value (<web_tier_tag_value>) match the tag set used to organize your web-tier resources. Click Next Step to continue the setup process.

09 On Define Key Administrative Permissions page, select which IAM users and/or roles can administer the new CMK, then click Next Step.

10 On Define Key Usage Permissions page, select which IAM users and/or roles can use the key to encrypt/decrypt data with the AWS KMS API. (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt data. The owners of the external AWS accounts must also provide access to this CMK by creating policies for their IAM users. Click Next Step to continue.

11 On Preview Key Policy page, review the predefined access policy then click Finish to create your own web-tier Customer Master Key (CMK). Once the key is successfully created, the KMS service dashboard will display the following confirmation message: “Your master key was created successfully. Alias: <web_tier_tag_value>”

12 Repeat steps no. 1 – 11 to create new dedicated AWS KMS Customer Master Keys to be used with other web tiers provisioned in your AWS account.

01 Sign in to your Cloud Conformity console, access Web Tier Customer Master Key In Use conformity rule settings and copy the tag set defined for your AWS web tier resources.

02 Create a new access policy that enables the specified IAM users and/or roles to administer the new CMK and the selected IAM users and/or roles to encrypt/decrypt data using the KMS API. Create a new policy document named web-tier-cmk-policy.json and paste the following data (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):

{
  "Id": "kms-cmk-access-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:user/<USER_NAME>"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:user/<USER_NAME>"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}

03 Run create-key command (OSX/Linux/UNIX) using the AWS region where the web tier resources have been provisioned (in this case, us-east-1) and the policy document defined at the previous step (i.e. web-tier-cmk-policy.json) to create the AWS KMS Customer Master Key (CMK) that will help you encrypt data-at-rest within the selected AWS web tier:

aws kms create-key
	--region us-east-1
	--description 'KMS CMK to encrypt web tier data'
	--policy file://web-tier-cmk-policy.json

04 The command output should return the new CMK metadata:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "aaaabbbb-cccc-dddd-eeee-123456789012",
        "Description": "KMS CMK to encrypt web tier data",
        "KeyManager": "CUSTOMER",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1519842163.976,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-123456789012",
        "AWSAccountId": "123456789012"
    }
}

05 Run create-alias command (OSX/Linux/UNIX) using the ARN of the newly created key to attach an alias (also known as display name) to the KMS Customer Master Key. The alias must always start with the prefix, i.e. "alias/" (the command does not produce an output):

aws kms create-alias
	--alias-name alias/web-tier-cmk
	--target-key-id arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-123456789012

06 Run tag-resource command (OSX/Linux/UNIX) using the ID of the newly created AWS KMS CMK as identifier to create tags for managing the identity of the new key (i.e. web-tier encryption key). Use the following format when you define your own tag set: <web_tier_tag>:<web_tier_tag_value> and make sure the tag name and value match the tag set used to organize your web-tier resources. Replace <web_tier_tag> and <web_tier_tag_value> (highlighted) with your own values (the command does not produce an output):

aws kms tag-resource
	--region us-east-1
	--key-id aaaabbbb-cccc-dddd-eeee-123456789012
	--tags TagKey="<web_tier_tag>",TagValue="<web_tier_tag_value>"

07 Repeat steps no. 1 – 6 to create new dedicated AWS KMS Customer Master Keys to be used with other web tiers provisioned in your AWS account.