Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

X-Ray Data Encrypted With KMS Customer Master Keys

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: XRay-001

Ensure that your AWS X-Ray trace data is encrypted with Amazon KMS Customer Master Keys (CMKs) instead of AWS managed-keys (i.e. default keys used by Amazon X-Ray service when there are no customer master keys configured for traces) in order to have more control over trace data encryption/decryption process and meet compliance and/or internal requirements. AWS X-Ray is a managed service that collects data about requests that your cloud application serves, providing tools that you can use to view, filter and gain insights into your app load to identify issues and opportunities for performance optimization.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.

This rule can help you work with the AWS Well-Architected Framework.

Security

By default, Amazon X-Ray encrypts trace data using an AWS managed key named "aws/xray". To gain full control over your AWS X-Ray encryption key management, you need to create your own KMS Customer Master Key (CMK). Amazon KMS service allows you to easily rotate, disable and audit the CMK encryption key used for your X-Ray traces.


Audit

To determine the encryption configuration for your AWS X-Ray traces, perform the following actions:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon CloudWatch console at https://console.aws.amazon.com/cloudwatch/home.

  3. In the left navigation panel, choose Settings.

  4. In the X-Ray traces section, choose View settings under Encryption.

  5. On the Encryption configuration section, check the existing configuration set for X-Ray traces. If the encryption type is set to Default encryption instead of Use a KMS key, the Amazon X-Ray service encrypts trace data using an AWS managed key, created by default by Amazon Web Services within the selected region.

  6. Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

  1. Run get-encryption-config command (OSX/Linux/UNIX) using custom query filters to describe the ID of the KMS Customer Master Key (CMK) used for encryption (if applicable):

    aws xray get-encryption-config
    --region us-east-1
    --query 'EncryptionConfig.KeyId'
    
  2. The command output should return the requested KMS key ID or null if there is no CMK used to encrypt X-Ray trace data in the selected AWS region:

    null
    

    If get-encryption-config command output returns null, as shown in the example above, Amazon X-Ray is not using a KMS Customer Master Key (CMK) to encrypt trace data within the selected region, instead the service is using the default managed key for encryption.

  3. Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the audit process for other regions.

Remediation / Resolution

To configure AWS X-Ray to encrypt traces and related data at rest with your own AWS KMS Customer Master Key (CMK), perform the following:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms/home#/kms/keys.

  3. To change the AWS region, use the region selector in the upper-right corner of the page (must match the region where your X-Ray service is being configured).

  4. In the left navigation panel, choose Customer managed keys.

  5. Choose Create key.

  6. For Key type, choose Symmetric. In Key usage, the Encrypt and decrypt option is selected by default. Choose Next.

  7. In the Alias field, enter a unique name (alias) for the new KMS key (e.g., xray-trace-data-cmk). Optionally, enter a description for the key. Choose Next.

  8. Under Key Administrators section, select the IAM users and/or roles that can administer the new KMS key. Choose Next.

  9. Under Key Users section, select the IAM users and/or roles that can use the new KMS key to encrypt/decrypt the trace data with the AWS KMS API.

  10. (Optional) Under Other AWS accounts section, choose Add another AWS account and enter an external account ID in order to add another AWS account that can use this KMS key to encrypt/decrypt the X-Ray trace data. The owners of the external AWS accounts must also provide access to this KMS key by creating appropriate policies for their IAM users.

  11. Choose Next.

  12. Review the key policy and key settings, then choose Finish to create your new KMS key.

  13. Once your KMS key is created, navigate to Amazon CloudWatch console at https://console.aws.amazon.com/cloudwatch/home.

  14. In the left navigation panel, choose Settings.

  15. In the X-Ray traces section, choose View settings under Encryption.

  16. In the Encryption configuration section, choose Edit, then perform the following actions:

    1. Choose Use a KMS key and select the alias (name) of the KMS key created earlier from the dropdown list.

    2. Choose Update encryption to apply the encryption configuration changes.

  17. Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

  1. Before you create your AWS KMS Customer Master Key (CMK), you must define a policy that enables the selected IAM users and/or roles to administer the new CMK and to encrypt/decrypt X-Ray trace data using the KMS API. Create a new policy document, name it xray-kms-cmk-policy.json and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):

    {
        "Version": "2012-10-17",
        "Id": "aws-xray-cmk-policy",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::123456789012:root"
                },
                "Action": "kms:*",
                "Resource": "*"
            },
            {
                "Sid": "Allow access for Key Administrators",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::123456789012:role/cc-xray-manager"
                },
                "Action": [
                    "kms:Create*",
                    "kms:Describe*",
                    "kms:Enable*",
                    "kms:List*",
                    "kms:Put*",
                    "kms:Update*",
                    "kms:Revoke*",
                    "kms:Disable*",
                    "kms:Get*",
                    "kms:Delete*",
                    "kms:TagResource",
                    "kms:UntagResource",
                    "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::123456789012:user/cc-xray-admin"
                },
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow attachment of persistent resources",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::123456789012:user/cc-xray-admin"
                },
                "Action": [
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant"
                ],
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "kms:GrantIsForAWSResource": "true"
                    }
                }
            }
        ]
    }
    
  2. Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. xray-kms-cmk-policy.json) as required command parameter to create the new KMS key:

    aws kms create-key
    --region us-east-1
    --description 'AWS KMS CMK to encrypt X-Ray trace data'
    --policy file://xray-kms-cmk-policy.json
    
  3. The command output should return the new KMS key metadata. Copy the KMS key ARN as this identifier will be required later when you need to specify the key required for trace data encryption:

    {
        "KeyMetadata": {
            "Origin": "AWS_KMS",
            "KeyId": "aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
            "Description": "AWS KMS CMK to encrypt X-Ray trace data",
            "KeyManager": "CUSTOMER",
            "Enabled": true,
            "KeySpec": "SYMMETRIC_DEFAULT",
            "KeyUsage": "ENCRYPT_DECRYPT",
            "KeyState": "Enabled",
            "CreationDate": 1517235833.150,
            "Arn": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
            "AWSAccountId": "123456789012",
            "MultiRegion": false
        }
    }
    
  4. Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step as the value for the "--target-key-id" parameter, to attach an alias to the new KMS key. The alias must start with the prefix "alias/" (the command does not produce an output):

    aws kms create-alias
    --region us-east-1
    --alias-name alias/xray-trace-data-cmk
    --target-key-id arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc
    
  5. Run put-encryption-config command (OSX/Linux/UNIX) using the ARN of the Customer Master Key (CMK) created earlier as command parameter, to update the encryption configuration for Amazon X-Ray service within the selected AWS region:

    aws xray put-encryption-config
    --region us-east-1
    --type KMS
    --key-id arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc
    
  6. The command output should return the encryption configuration metadata for AWS X-Ray:

    {
        "EncryptionConfig": {
            "Status": "UPDATING",
            "KeyId": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
            "Type": "KMS"
        }
    }
    
  7. Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.

References

Publication date Oct 29, 2018