
Default AWS KMS Key Usage


Risk level: Medium (should be achieved)

Ensure that KMS Customer Master Keys (CMKs) are used by your AWS services and resources instead of the default KMS keys, in order to have full control over the data encryption/decryption process and to meet compliance requirements. A KMS default master key is used by an AWS service such as RDS, EBS, Lambda, Elastic Transcoder, Redshift, SES, SQS, CloudWatch, EFS, S3 or Workspaces when no other key is defined to encrypt a resource for that service. The default key cannot be modified, which guarantees its availability, durability and security but leaves you no control over it. By contrast, a KMS Customer Master Key (CMK) gives you the ability to create, rotate, disable, enable and audit the encryption key used to protect the data.

This rule resolution is part of the Cloud Conformity Base Auditing Package

When you use your own AWS KMS CMK instead of the default KMS key to encrypt your data, you gain complete control over who can use this key to access the data, implementing the principle of least privilege on encryption key ownership and usage. An AWS service can use a KMS CMK on your behalf, but you always retain control of that key. Note: As an example, this conformity rule demonstrates how Customer Master Keys (CMKs) can be used instead of AWS default master keys to encrypt Amazon EBS volumes.

Audit

To determine if the default KMS keys are used within your AWS account, perform the following actions:

Note: As an alternative, to determine whether a KMS key was used for encryption in the past, you can examine your existing AWS CloudTrail logs. Open the CloudTrail Event History and review past events to determine the usage of the default master key. You can also use Amazon Athena to query and analyze your CloudTrail logs for more details about your KMS key usage.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, click Encryption Keys.

04 Choose an AWS region from the Filter menu.

05 Click on the alias (link) of the KMS key that you want to examine.

06 In the Summary section, check the value set for the Alias attribute. If the Alias value has the following structure aws/<service_name>, where <service_name> is the name of the AWS service that utilizes the key (e.g. EBS), the selected Amazon KMS key is a default master key.

07 To determine if the default master key identified at the previous step is currently in use, you need to check the resource(s) provisioned with the AWS service specified in the alias of the selected key. For example, if the key alias is aws/ebs, you need to check the EBS volumes available within the same AWS region as the key to determine if the default key is being used. To check the necessary AWS resources, perform the following:

  1. Select the appropriate AWS region from the navigation bar.
  2. Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
  3. In the navigation panel, under Elastic Block Store, click Volumes.
  4. Paste Encrypted : Encrypted in the Filter by tags and attributes or search by keyword box and press Enter. The AWS console will return only the EBS volumes that are currently encrypted with KMS keys.
  5. Select the EBS volume that you need to examine.
  6. Select the Description tab from the bottom panel and check the KMS Key Aliases attribute value. If the KMS Key Aliases value is set to aws/ebs, the selected AWS EBS volume is using the default master key created by Amazon for the selected region. This key is implemented by default when you don't specify a KMS CMK for encryption at volume creation.

08 Repeat steps no. 5 – 7 to check other AWS services within the selected region for KMS default key usage.

09 Repeat steps no. 4 – 8 for other AWS regions.

Using AWS CLI

01 Run list-aliases command (OSX/Linux/UNIX) with custom query filters to return the aliases and the IDs of all the KMS keys available in the selected AWS region:

aws kms list-aliases \
	--region us-east-1 \
	--query 'Aliases[*].{AliasName: AliasName, TargetKeyId: TargetKeyId}'

02 The command output should return an array with the existing alias names:

[
    {
        "TargetKeyId": "12345678-abcd-abcd-abcd-123456789012",
        "AliasName": "alias/aws/ebs"
    },
    {
        "TargetKeyId": "abcd1234-1234-1234-1234-abcdabcdabcd",
        "AliasName": "alias/aws/lambda"
    },
    {
        "TargetKeyId": "12345678-1234-1234-1234-123456789012",
        "AliasName": "alias/aws/rds"
    },
    {
        "TargetKeyId": "aaaabbbb-aaaa-bbbb-cccc-aaaabbbbcccc",
        "AliasName": "alias/cc-s3-cmk"
    },
    {
        "TargetKeyId": "1234abcd-abcd-1234-abcd-abcd1234abcd",
        "AliasName": "alias/cc-kinesis-cmk"
    }
]

If one or more entries returned by the command output have the following structure alias/aws/<service_name> set for the AliasName attribute, where <service_name> is the name of the AWS service that uses the key, as shown in the example above, there are default master keys available within the selected region.

03 To determine if the default master keys identified at the previous step are currently in use, you need to check the resource(s) provisioned with the AWS service specified in the aliases of these keys. For example, if the key alias returned is alias/aws/ebs, you have to check the EBS volumes available within the same AWS region as the key to determine if the default key is being used. To check the EBS volumes provisioned in the selected region for default master key usage, run describe-volumes command (OSX/Linux/UNIX) using custom query filters:

aws ec2 describe-volumes \
	--region us-east-1 \
	--filters Name=encrypted,Values=true \
	--query 'Volumes[*].KmsKeyId'

04 The command output should return the ARNs of the KMS keys used by the EBS volumes within the selected region:

[
    "arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-abcd-abcd-123456789012",
    "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-abcd-abcd-abcd-aaaabbbbaaaa"
]

If the key ID part of a KMS key ARN (e.g. 12345678-abcd-abcd-abcd-123456789012) returned by the command output matches one of the IDs returned as values for the TargetKeyId attribute of an alias/aws/<service_name> entry at step no. 2, there is an AWS EBS volume that is using the default master key created by Amazon in the selected region.
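The matching described in the CLI audit steps above, as an added example that is not Cloud Conformity's own code: it takes the JSON that `aws kms list-aliases` and `aws ec2 describe-volumes` return (the sample data below is constructed to mirror the outputs shown above), identifies the AWS-managed default keys by their alias/aws/<service_name> alias, and reports every encrypted volume whose key ARN points at one of them. The function names are assumptions.

```python
import re

# Constructed sample of `aws kms list-aliases --query 'Aliases[*].{AliasName: AliasName, TargetKeyId: TargetKeyId}'`
SAMPLE_ALIASES = [
    {"TargetKeyId": "12345678-abcd-abcd-abcd-123456789012", "AliasName": "alias/aws/ebs"},
    {"TargetKeyId": "abcd1234-1234-1234-1234-abcdabcdabcd", "AliasName": "alias/aws/lambda"},
    {"TargetKeyId": "aaaabbbb-aaaa-bbbb-cccc-aaaabbbbcccc", "AliasName": "alias/cc-s3-cmk"},
]

# Constructed sample of `aws ec2 describe-volumes --filters Name=encrypted,Values=true`
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-abcdabcd",
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-abcd-abcd-123456789012"},
    {"VolumeId": "vol-aaaabbbb",
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-aaaa-bbbb-cccc-aaaabbbbcccc"},
]

# AWS-managed default keys are aliased alias/aws/<service_name>; customer aliases are not.
DEFAULT_ALIAS = re.compile(r"^alias/aws/(?P<service>[^/]+)$")


def default_key_ids(aliases):
    """Map key ID -> service name for every AWS-managed default key in a list-aliases result."""
    found = {}
    for entry in aliases:
        match = DEFAULT_ALIAS.match(entry.get("AliasName", ""))
        if match and entry.get("TargetKeyId"):
            found[entry["TargetKeyId"]] = match.group("service")
    return found


def key_id_from_arn(kms_key_id):
    """describe-volumes returns a key ARN while list-aliases returns a bare key ID; normalise to the ID."""
    return kms_key_id.rsplit("/", 1)[-1]


def volumes_on_default_key(aliases, volumes):
    """Return [(volume_id, service)] for encrypted volumes whose KMS key is an AWS default key."""
    defaults = default_key_ids(aliases)
    hits = []
    for volume in volumes:
        key_id = key_id_from_arn(volume.get("KmsKeyId", ""))
        if key_id in defaults:
            hits.append((volume["VolumeId"], defaults[key_id]))
    return hits


if __name__ == "__main__":
    for volume_id, service in volumes_on_default_key(SAMPLE_ALIASES, SAMPLE_VOLUMES):
        print(f"{volume_id} is encrypted with the default aws/{service} key")
```

To run it against a real region, feed the two functions the `json.load` of the two commands' outputs instead of the constructed samples.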

Remediation / Resolution

To use your own KMS Customer Master Key (CMK) instead of the AWS default master key to encrypt an EBS volume, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu (must match the region where the AWS resource that will use the key was created).

05 Click Create Key button from the top menu.

06 Enter an alias (name) and a description for the new CMK, then click Next Step.

07 Under Key Administrators section, select which IAM users and/or roles can administer the CMK, then click Next Step.

08 Under This Account section, select which IAM users and/or roles can use the CMK to encrypt/decrypt data with the AWS KMS API.

09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt data. The owners of the external AWS accounts must also provide access to this CMK by creating policies for their IAM users.

10 Click Next Step.

11 Under Preview Key Policy section, click Finish to create your new KMS CMK. Once the key is created, the AWS console will display a confirmation message: “Your master key was created successfully. Alias:<name>”

12 Now the CMK must be implemented to encrypt/decrypt the EBS volume data. Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

13 In the navigation panel, under Elastic Block Store, click Volumes.

14 Select your encrypted AWS EBS volume.

15 Click the Actions dropdown button from the dashboard top menu and select Create Snapshot.

16 In the Create Snapshot dialog box, provide a name and a description for the snapshot (optional) and click Create.

17 In the navigation panel, under Elastic Block Store, click Snapshots.

18 Select your newly created EBS snapshot.

19 Click the Actions dropdown button from the dashboard top menu and select Copy.

20 In the Copy Snapshot dialog box, under Master Key select your new Customer Master Key (CMK) created earlier and click Copy.

21 Select the new (copied) EBS snapshot.

22 Click the Actions dropdown button from the dashboard top menu and select Create Volume.

23 In the Create Volume dialog box, review the volume configuration details and click Create.

24 Go back to the navigation panel and click Volumes.

25 Select the original EBS volume, encrypted with the default master key (see Audit section part I to identify the right resource).

26 Click the Actions dropdown button from the dashboard top menu and select Detach Volume.

27 In the Detach Volume dialog box click Yes, Detach.

28 Select the newly created EBS volume, encrypted with the new KMS CMK.

29 Click the Actions dropdown button from the top menu and select Attach Volume.

30 In the Attach Volume dialog box enter your EC2 instance ID and the device name for attachment, then click Attach.

31 Select the Description tab from the bottom panel and make sure the newly created EBS volume is using your own AWS KMS CMK customer-managed key by checking the KMS Key Aliases attribute value.

Using AWS CLI

01 Create a policy that enables the selected IAM users and/or roles to administer the new CMK and the selected IAM users and/or roles to encrypt/decrypt data using the KMS API. Create a new policy document called ebs-volume-cmk-policy.json and paste the following (replace the highlighted details - the ARNs for the IAM users and/or roles - with your own details):

{
  "Version": "2012-10-17",
  "Id": "key-policy-5",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/EC2Manager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/EC2Admin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/EC2Admin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the AWS region where the data resource is located and the policy name created earlier (ebs-volume-cmk-policy.json) to create the new KMS CMK:

aws kms create-key \
	--region us-east-1 \
	--description 'EBS Volume Customer Master Key' \
	--policy file://ebs-volume-cmk-policy.json

03 The command output should return the new key metadata:

{
    "KeyMetadata": {
        "KeyId": "1234aaaa-bbbb-cccc-dddd-abcdabcdabcd",
        "Description": "EBS Volume Customer Master Key",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1460744855.323,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/1234aaaa-bbbb-cccc-dddd-abcdabcdab",
        "AWSAccountId": "123456789012"
    }
}

04 Run create-alias command (OSX/Linux/UNIX) using the ARN of the newly created key to attach an alias (i.e. display name) to the CMK. The alias name must start with the prefix "alias/":

aws kms create-alias \
	--alias-name alias/cc-ebs-volume-cmk \
	--target-key-id arn:aws:kms:us-east-1:123456789012:key/1234aaaa-bbbb-cccc-dddd-abcdabcdab

05 Once the Customer Master Key (CMK) is created, the key must be implemented to encrypt/decrypt the EBS volume data. Run create-snapshot command (OSX/Linux/UNIX) to create a new snapshot from your existing volume. The following example is using an AWS EBS volume identified by the ID vol-abcdabcd:

aws ec2 create-snapshot \
	--volume-id vol-abcdabcd

06 The command output should reveal the EBS snapshot ID:

{
    "Description": "Prod EBS Volume Snapshot",
    "Encrypted": true,
    "VolumeId": "vol-abcdabcd",
    "State": "pending",
     ...
    "VolumeSize": 100,
    "Progress": "",
    "OwnerId": "123456789012"
}

07 Run copy-snapshot command (OSX/Linux/UNIX) to create a copy of the existing EBS snapshot, using its ID as the source snapshot ID and the ARN of the new CMK as the encryption key:

aws ec2 copy-snapshot \
	--region us-east-1 \
	--source-region us-east-1 \
	--source-snapshot-id snap-12345678 \
	--encrypted \
	--kms-key-id arn:aws:kms:us-east-1:123456789012:key/1234aaaa-bbbb-cccc-dddd-abcdabcdab

08 The command output should return the ID of the new EBS snapshot:

{
    "SnapshotId": "snap-1234abcd"
}

09 Run create-volume command (OSX/Linux/UNIX) to create a new EBS volume from the encrypted snapshot. The following example creates an EBS volume from a source snapshot with the ID snap-1234abcd:

aws ec2 create-volume \
	--region us-east-1 \
	--availability-zone us-east-1a \
	--snapshot-id snap-1234abcd \
	--volume-type gp2

10 The command output should return the new encrypted EBS volume metadata:

{
    "AvailabilityZone": "us-east-1a",
    "Encrypted": true,
    "VolumeType": "gp2",
    "VolumeId": "vol-aaaabbbb",
    ... 
    "State": "creating",
    "SnapshotId": "snap-1234abcd",
    "CreateTime": "2018-08-21T11:41:33.779Z",
    "Size": 100
}

11 Run detach-volume command (OSX/Linux/UNIX) to detach the original EBS volume (encrypted with the AWS default master key). The following example describes detaching an EBS volume with the ID vol-abcdabcd:

aws ec2 detach-volume \
	--volume-id vol-abcdabcd

12 To attach the new EBS volume (encrypted with the KMS CMK) to the EC2 instance, run attach-volume command (OSX/Linux/UNIX). The following example is attaching an EBS volume with the ID vol-aaaabbbb to an EC2 instance with the ID i-01234567890123456:

aws ec2 attach-volume \
	--volume-id vol-aaaabbbb \
	--instance-id i-01234567890123456 \
	--device /dev/sdf

13 The command output should return the attach-volume command request metadata:

{
    "AttachTime": "2018-08-21T14:23:16.112Z",
    "InstanceId": "i-01234567890123456",
    "VolumeId": "vol-aaaabbbb",
    "State": "attaching",
    "Device": "/dev/sdf"
}
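The CLI remediation steps 05 to 13 above chained into one routine, as an added example that is not Cloud Conformity's own code. It drives the boto3 EC2 client through the same calls, waits for each snapshot and volume to reach a usable state before the next step (copy-snapshot and create-volume need a completed source, which the step list above leaves implicit), and refuses to touch the instance unless the new volume really reports the CMK ARN. The function name is an assumption; the client is passed in so the logic can be exercised against a stub, and the IDs in the main block are the placeholder values used on this page.

```python
def reencrypt_volume_with_cmk(ec2, volume_id, cmk_arn, availability_zone,
                              instance_id, device, volume_type="gp2"):
    """Re-create `volume_id` under `cmk_arn` and swap it onto the instance.

    Returns the new volume ID. Assumes the original volume is already encrypted
    (so copy-snapshot re-encrypts it under the CMK) and that the instance can
    tolerate the volume being detached and replaced.
    """
    region = cmk_arn.split(":")[3]  # arn:aws:kms:<region>:<account>:key/<id>
    snap = ec2.create_snapshot(VolumeId=volume_id,
                               Description="Pre-CMK migration snapshot")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
    # Equivalent of `aws ec2 copy-snapshot --encrypted --kms-key-id <CMK ARN>`
    copied = ec2.copy_snapshot(SourceRegion=region, SourceSnapshotId=snap,
                               Encrypted=True, KmsKeyId=cmk_arn)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[copied])
    new_volume = ec2.create_volume(AvailabilityZone=availability_zone,
                                   SnapshotId=copied, VolumeType=volume_type)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_volume])
    # Verify before detaching anything: describe-volumes must report the CMK ARN.
    described = ec2.describe_volumes(VolumeIds=[new_volume])["Volumes"][0]
    if described.get("KmsKeyId") != cmk_arn:
        raise RuntimeError(f"{new_volume} is not encrypted with {cmk_arn}")
    ec2.detach_volume(VolumeId=volume_id)
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    ec2.attach_volume(VolumeId=new_volume, InstanceId=instance_id, Device=device)
    ec2.get_waiter("volume_in_use").wait(VolumeIds=[new_volume])
    return new_volume


if __name__ == "__main__":
    import boto3  # only needed for a real run; IDs below are placeholders
    client = boto3.client("ec2", region_name="us-east-1")
    print(reencrypt_volume_with_cmk(
        client, "vol-abcdabcd",
        "arn:aws:kms:us-east-1:123456789012:key/1234aaaa-bbbb-cccc-dddd-abcdabcdabcd",
        "us-east-1a", "i-01234567890123456", "/dev/sdf"))
```

The original volume is left in place (detached, still on the default key) so it can be deleted once the instance has been verified on the new volume.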


Publication date Sep 10, 2018