Open menu
-->

Use KMS Customer Master Keys for AWS Backup

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Security

Risk level: High (not acceptable risk)

Ensure that your Amazon Backup vaults are using AWS KMS Customer Master Keys instead of AWS managed-keys (i.e. default encryption keys) for encrypting your backup data in order to have a fine-grained control over data-at-rest encryption/decryption process and meet compliance requirements. Amazon Backup is a fully managed service that creates, restores and deletes backups on your behalf. A backup vault is a container used to organize AWS backups. You can use backup vaults to set the AWS KMS encryption key that is used to encrypt your backups and to control access to your backups. The KMS encryption key that is configured for a backup vault applies only to the backups created for certain resource types such as Amazon EFS file systems. This adds another layer of protection for your backups. The backups taken for all other resource types are configured using the key that is used to encrypt the source resource.

This rule resolution is part of the Cloud Conformity Tool

When you use your own AWS KMS Customer Master Keys (CMKs) to protect the backups created with Amazon Backup service, you have full control over who can use the encryption keys to access your backups. Amazon Key Management Service (KMS) service allows you to easily create, rotate, disable and audit the Customer Master Keys used to encrypt AWS Backup data.

Audit

To determine the encryption configuration of your Amazon Backup vaults, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Backup service dashboard at https://console.aws.amazon.com/backup/.

03 In the left navigation panel, under Dashboard, choose Backup vaults.

04 Select the non-default backup vault that you want to examine, then click on its name to access the resource configuration details. The default vault, named "Default", is automatically created for you by AWS Backup service. This is configured to use the AWS managed-key (i.e. aws/backup) for data encryption and it cannot be modified or deleted.

05 On the selected vault configuration page, inside the Summary section, note the KMS encryption master key ARN attribute value.

06 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

07 In the left navigation panel, click Encryption Keys.

08 Select the appropriate AWS region from the Filter menu (must match the region where your backup vault was created).

09 Choose the KMS key with the alias set to aws/backup, then click on its name link to access the key details.

10 On the selected KMS key configuration page, under Summary, check the key Amazon Resource Name (ARN) listed as value for the ARN attribute. If the aws/backup key ARN and the ARN identified at step no. 5 match, the selected Amazon Backup vault is encrypting backup data using the default master key (AWS-managed key) instead of a customer-managed CMK.

11 Repeat steps no. 4 – 10 to determine the encryption configuration for other AWS Backup vaults available in the current region.

12 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-backup-vault command (OSX/Linux/UNIX) to list the names of all non-default backup vaults available in the selected AWS region:

aws backup list-backup-vaults
    --region us-east-1
    --output table
    --query 'BackupVaultList[?(BackupVaultName!=`Default`)].BackupVaultName'

02 The command output should return a table with the non-default vault names. The default vault, automatically created for you by Amazon Backup, cannot be modified or deleted, and it is configured to use only the AWS managed-key (i.e. aws/backup) for data encryption, hence this is not included in the list returned below:

--------------------------
|    ListBackupVaults    |
+------------------------+
|  cc-prod-backup-vault  |
|  cc-app-backup-vault   |
+------------------------+ 

03 Run describe-backup-vault command (OSX/Linux/UNIX) using the name of the vault that you want to examine as identifier and custom query filters to return the ARN of the encryption key configured for the selected backup vault:

aws backup describe-backup-vault
    --region us-east-1
    --backup-vault-name cc-prod-backup-vault
    --query 'EncryptionKeyArn'

04 The command output should return the requested Amazon Resource Name (ARN):

"arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-aaaa-bbbb-cccc-aaaabbbbcccc"

05 Run describe-key command (OSX/Linux/UNIX) using the AWS KMS key ARN returned at the previous step as identifier and custom query filters to expose the name of the manager (either "AWS" or "CUSTOMER") for the encryption key used:

aws aws kms describe-key
    --region us-east-1
    --key-id arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-aaaa-bbbb-cccc-aaaabbbbcccc
    --query 'KeyMetadata.KeyManager'

06 The command output should return the selected AWS KMS key manager name:

"AWS"

If the value returned by the describe-key command output is "AWS", the encryption key manager is Amazon Web Services and not the AWS customer, therefore the selected Amazon Backup vault is encrypting backup data using the default master key (i.e. aws/backup key) instead of a customer-managed Customer Master Key (CMK).

07 Repeat steps no. 3 – 6 to determine the encryption configuration for other AWS Backup vaults available in the selected region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the entire process for other regions.

Remediation / Resolution

To encrypt your backup data using your own AWS KMS Customer Master Keys, you have to re-create the non-compliant AWS Backup vaults with the required encryption configuration. To re-create your backup vaults and enable data-at-rest encryption using your own KMS CMKs, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu (must match the region where your non-compliant backup vault is available).

05 Click Create Key button from the dashboard top menu.

06 In the Alias (required) and Description fields, enter a unique name (alias) and a description for the new CMK, then click the Next Step button.

07 Under Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click Next Step.

08 Under This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt your backup data with the AWS KMS API.

09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt your backups. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users.

10 Click Next Step to continue.

11 Under Preview Key Policy section, review the key policy generated by AWS then click Finish to create your new CMK. Once the key is created, the KMS dashboard will display a confirmation message: "Your master key was created successfully. Alias: <cmk-alias>".

12 Once the KMS CMK has been created, navigate to AWS Backup service dashboard at https://console.aws.amazon.com/backup/.

13 In the left navigation panel, choose Backup vaults.

14 Click Create Backup vault button from the dashboard top menu to initiate the vault setup process.

15 On the Create Backup vault page, perform the following:

  1. Provide a unique name for your new vault in the Backup vault name box.
  2. Select the ID of the newly created Customer Master Key (CMK) from the KMS encryption master key dropdown list.
  3. (Optional) Within Backup vault tags section, configure the required tags for the new resource.
  4. Click Create Backup vault to create your new backup vault.

16 In the navigation panel select Backup plans.

17 Choose the backup plan associated with the non-compliant backup vault, then click on its name (link) to access the resource configuration.

18 In the Backup rules section, select the rule associated with the non-compliant backup vault and click Edit.

19 On Edit Backup rule: <rule-name> configuration page, select the backup vault created earlier in the process from the Backup vault dropdown list, then click Save to apply the changes. The future backups taken using the selected backup plan will be encrypted with your own AWS KMS CMK configured for the newly created backup vault.

20 Repeat step no. 14 – 19 to configure encryption at rest using KMS Customer Master Keys for other Amazon Backup vaults (and their associated plans) available in the current region.

21 Change the AWS region from the navigation bar to repeat the entire remediation/resolution process for the other regions.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu (must match the region where your non-compliant backup vault is available).

05 Click Create Key button from the dashboard top menu.

06 In the Alias (required) and Description fields, enter a unique name (alias) and a description for the new CMK, then click the Next Step button.

07 Under Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click Next Step.

08 Under This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt your backup data with the AWS KMS API.

09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt your backups. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users.

10 Click Next Step to continue.

11 Under Preview Key Policy section, review the key policy generated by AWS then click Finish to create your new CMK. Once the key is created, the KMS dashboard will display a confirmation message: "Your master key was created successfully. Alias: <cmk-alias>".

12 Once the KMS CMK has been created, navigate to AWS Backup service dashboard at https://console.aws.amazon.com/backup/.

13 In the left navigation panel, choose Backup vaults.

14 Click Create Backup vault button from the dashboard top menu to initiate the vault setup process.

15 On the Create Backup vault page, perform the following:

  1. Provide a unique name for your new vault in the Backup vault name box.
  2. Select the ID of the newly created Customer Master Key (CMK) from the KMS encryption master key dropdown list.
  3. (Optional) Within Backup vault tags section, configure the required tags for the new resource.
  4. Click Create Backup vault to create your new backup vault.

16 In the navigation panel select Backup plans.

17 Choose the backup plan associated with the non-compliant backup vault, then click on its name (link) to access the resource configuration.

18 In the Backup rules section, select the rule associated with the non-compliant backup vault and click Edit.

19 On Edit Backup rule: <rule-name> configuration page, select the backup vault created earlier in the process from the Backup vault dropdown list, then click Save to apply the changes. The future backups taken using the selected backup plan will be encrypted with your own AWS KMS CMK configured for the newly created backup vault.

20 Repeat step no. 14 – 19 to configure encryption at rest using KMS Customer Master Keys for other Amazon Backup vaults (and their associated plans) available in the current region.

21 Change the AWS region from the navigation bar to repeat the entire remediation/resolution process for the other regions.

Using AWS CLI

01 Define the access policy that enables your selected IAM users and/or roles to manage the new KMS Customer Master Key and to encrypt/decrypt backup data using the AWS KMS API. Create a new policy document, name it backup-kms-cmk-policy.json, and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):

{
  "Version": "2012-10-17",
  "Id": "backup-custom-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AmazonBackupManager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/BackupAdmin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/BackupAdmin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. backup-kms-cmk-policy.json) as command parameter to create the new AWS KMS CMK:

aws kms create-key
    --region us-east-1
    --description 'KMS CMK for encrypting AWS backups.'
    --policy file://backup-kms-cmk-policy.json

03 The command output should return the new KMS CMK metadata. Copy the key Amazon Resource Name (Arn parameter value - highlighted) as this information will be required later when you have to specify the key required for backup data encryption:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
        "Description": "KMS CMK for encrypting AWS backups.",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1517236997.130,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
        "AWSAccountId": "123456789012"
    }
}

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command does not produce an output):

aws kms create-alias
    --region us-east-1
    --alias-name alias/BackupCustomCMK
    --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-abcd-abcd-abcd-abcdabcdabcd

05 Run create-backup-vault command (OSX/Linux/UNIX) using the ARN of the newly created AWS KMS Customer Master Key as command parameter to create a new and compliant backup vault:

aws backup create-backup-vault
    --region us-east-1
    --backup-vault-name cc-prod-backup-vault
    --encryption-key-arn arn:aws:kms:us-east-1:123456789012:key/abcdabcd-abcd-abcd-abcd-abcdabcdabcd

06 The command output should return the new backup vault metadata:

{
    "BackupVaultArn": "arn:aws:backup:us-east-1:123456789012:backup-vault:cc-new-backup-vault",
    "CreationDate": 1548693779.212,
    "BackupVaultName": "cc-new-backup-vault"
}

07 To associate the new backup vault with the existing backup plan, you have to reconfigure the backup plan. To reconfigure your backup plan, define first the backup plan parameters. Modify the following JSON document according to your existing backup plan configuration, then save it to a file named "backup-plan-config.json" (replace "TargetBackupVaultName" parameter value with the name of your new backup vault):

{
  "BackupPlanName": "cc-prod-backup-plan",
  "Rules": [
    {
      "RuleName": "DailyBackups",
      "TargetBackupVaultName": "cc-new-backup-vault",
      "ScheduleExpression": "cron(0 5 ? * * *)",
      "StartWindowMinutes": 480,
      "CompletionWindowMinutes": 10080,
      "Lifecycle": {
        "MoveToColdStorageAfterDays": 30
      }
    }
  ]
}

08 Run update-backup-plan command (OSX/Linux/UNIX) using the configuration parameters defined at the previous step to update the specified backup plan configuration in order to associate it with the compliant backup vault created earlier in the process. Any future backups taken using the selected backup plan will be encrypted using your new AWS KMS Customer Master Key (CMK):

aws backup update-backup-plan
    --region us-east-1
    --backup-plan-id abcd1234-abcd-1234-abcd-1234abcd1234
    --backup-plan file://backup-plan-config.json

09 The command output should return the command request metadata:

{
    "BackupPlanArn": "arn:aws:backup:us-east-1:123456789012:backup-plan:abcd1234-abcd-1234-abcd-1234abcd1234",
    "VersionId": "aaaaaabbbbbbccccccaaaaaabbbbbbccccccaaaaaabbbbbb",
    "CreationDate": 1548694636.533,
    "BackupPlanId": "abcd1234-abcd-1234-abcd-1234abcd1234"
}

10 Repeat steps no. 5 – 9 to configure encryption at rest using KMS Customer Master Keys for other Amazon Backup vaults (and their associated plans) available in the selected region.

11 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 10 to perform the entire process for other regions.

References

Publication date Feb 10, 2019