Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Use KMS Customer Master Keys for AWS Storage Gateway File Shares

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: StorageGateway-001

Ensure that Amazon Storage Gateway service is using AWS KMS Customer Master Keys (CMKs) instead of AWS managed-keys (i.e. default keys) for file share data encryption, in order to have a fine-grained control over data-at-rest encryption/decryption process and meet compliance requirements. An AWS Storage Gateway file share is a file system mount point backed by Amazon S3 cloud storage.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

- By default, AWS Storage Gateway service uses Amazon S3-Managed Encryption Keys (SSE-S3) to encrypt all data it stores in Amazon S3. Now you have the option to configure your file gateways to encrypt data stored in S3 using AWS Key Management Service (KMS). When you use your own AWS KMS Customer Master Keys (CMKs) to protect your file share data at rest, you have full control over who can use the encryption keys to access it. Amazon Key Management Service allows you to easily create, rotate, disable and audit the Customer Master Keys used to encrypt AWS Storage Gateway file share data.

Audit

To determine the encryption configuration for your AWS Storage Gateway file shares, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Storage Gateway service dashboard at https://console.aws.amazon.com/storagegateway/.

03 In the left navigation panel, under Gateways, choose File shares to access the file shares created for your existing file gateway.

04 Select the file share that you want to examine then choose the Details tab.

05 On the Details panel, check Encryption configuration attribute value. If the attribute value is set to S3-Managed Keys (SSE-S3), the selected Amazon Storage Gateway file share resource is encrypting its data using the default master key (AWS-managed key) instead of a customer-managed KMS CMK.

06 Repeat step no. 4 and 5 to determine the encryption configuration for other file share resources available in the current region.

07 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-file-shares command (OSX/Linux/UNIX) to list the Amazon Resource Names (ARNs) of the AWS Storage Gateway file shares available in the selected region: 

aws storagegateway list-file-shares
    --region us-east-1
    --query 'FileShareInfoList[*].FileShareARN'

02 The command output should return an array with the requested file share ARNs: 

[
    "arn:aws:storagegateway:us-east-1:123456789012:share/share-abcd1234",
    "arn:aws:storagegateway:us-east-1:123456789012:share/share-1234aabb"
]

03 Run describe-nfs-file-shares command (OSX/Linux/UNIX) using the ARN of the file share that you want to examine as identifier and custom query filters to return the encryption configuration status for the selected Amazon Storage Gateway file share: 

aws storagegateway describe-nfs-file-shares
    --region us-east-1
    --file-share-arn-list arn:aws:storagegateway:us-east-1:123456789012:share/share-abcd1234
    --query 'NFSFileShareInfoList[*].KMSEncrypted'

04 The command output should return true if the file share is configured to use a customer-managed KMS CMK for encryption, or false if the resource is configured to use a key managed by S3: 

[
    false
]

If the value returned by the describe-nfs-file-shares command output is false, as shown in the example above, the selected Amazon Storage Gateway file share resource is encrypting data at rest, within Amazon S3, using the default master key (AWS-managed key) instead of a customer-managed KMS CMK.

05 Repeat step no. 3 and 4 to determine the encryption configuration for other file share resources available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire process for other regions.

Remediation / Resolution

To encrypt your AWS Storage Gateway file share data using your own AWS KMS Customer Master Keys, perform the following actions:

Note: Updating the encryption configuration for existing Amazon Storage Gateway file shares using the AWS Management Console is not currently supported.

Using AWS CLI

01 Define the access policy that enables the specified IAM users and/or roles to manage the new KMS Customer Master Key and to encrypt/decrypt file share data using the AWS KMS API. Create a new policy document, name it file-share-cmk-policy.json, and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details): 

{
  "Version": "2012-10-17",
  "Id": "file-share-custom-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/FileShareManager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/FileShareAdmin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/FileShareAdmin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. file-share-cmk-policy.json) as command parameter to create the new AWS KMS CMK: 

aws kms create-key
    --region us-east-1
    --description 'KMS CMK for encrypting file share data.'
    --policy file://file-share-cmk-policy.json

03 The command output should return the new KMS CMK metadata. Copy the key Amazon Resource Name (Arn parameter value - highlighted) as this information will be required later when you have to specify the key required for file share data encryption: 

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "abcdabcd-1234-1234-1234-abcdabcdabcd",
        "Description": "KMS CMK for encrypting file share data.",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1517237255.250,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcdabcdabcd",
        "AWSAccountId": "123456789012"
    }
}

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command does not produce an output): 

aws kms create-alias
    --region us-east-1
    --alias-name alias/FileShareCustomCMK
    --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcdabcdabcd

05 Run update-nfs-file-share command (OSX/Linux/UNIX) to update the encryption configuration for the selected Amazon Storage Gateway file share (see Audit section part I to identify the right resource), in order to use the newly created AWS KMS Customer Master Key for file share data encryption at rest: 

aws storagegateway update-nfs-file-share
    --region us-east-1
    --file-share-arn arn:aws:storagegateway:us-east-1:123456789012:share/share-abcd1234
    --kms-encrypted
    --kms-key arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcdabcdabcd

06 The command output should return the ARN of the reconfigured AWS Storage Gateway file share: 

{
  "FileShareARN": "arn:aws:storagegateway:us-east-1:123456789012:share/share-abcd1234"
}

07 Repeat step no. 5 and 6 to configure encryption at rest using KMS Customer Master Keys for other Amazon Storage Gateway file share resources available in the selected region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the entire process for other regions.

References

Publication date Feb 18, 2019

Related StorageGateway rules