AWS KMS Exposed Keys

Last updated: 13 April 2018
Security

Risk level: High (not acceptable risk)

Identify any publicly accessible AWS Key Management Service master keys and update their access policy in order to stop any unsigned requests made to these resources.

This rule resolution is part of the Cloud Conformity Base Auditing Package

Allowing anonymous access to your AWS KMS keys is considered bad practice and can lead to sensitive data leakage. One common scenario is an AWS user who grants everyone permission to use the KMS key but forgets to add the Condition clauses to the key policy that restrict the access to certain accounts.

Audit

To determine if your AWS KMS master keys are open to the world, perform the following:

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel click Encryption Keys.

04 Click on the KMS master key that you want to examine.

05 On the selected key configuration page, inside the Key Policy section, review the policy document defined for the selected KMS key. If the Principal element does not reference a specific AWS account, e.g. "Principal": { "AWS": "*" }, and the policy statement does not use any Condition clause such as "Condition": { "StringEquals": { "kms:CallerAccount": "<aws_account_number>" } } to filter the access, the selected AWS KMS key is exposed to everyone on the Internet.

06 Repeat steps no. 4 and 5 to determine if other KMS master keys available in the current region are publicly accessible.

07 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run list-aliases command (OSX/Linux/UNIX) to list the identifiers (i.e. IDs) of all AWS KMS master keys currently available in the selected region:

aws kms list-aliases \
    --region us-east-1 \
    --query 'Aliases[*].TargetKeyId'

02 The command output should return the IDs of the available KMS keys:

[
    "c84a8fab-6c42-4b33-ad64-a8e0b0ec0a15",
    "4102e0f2-ec36-4f3c-806a-89f454193ba9"
]

03 Run get-key-policy command (OSX/Linux/UNIX) using the KMS key ID returned at the previous step to describe the access policy used by the selected key:

aws kms get-key-policy \
    --region us-east-1 \
    --key-id c84a8fab-6c42-4b33-ad64-a8e0b0ec0a15 \
    --policy-name default

04 The command output should return the KMS master key access policy in JSON format:

{
  "Version": "2012-10-17",
  "Id": "KeyPolicy1568312239560",
  "Statement": [
    {
      "Sid": "StmtID1672312238115",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "kms:*",
      "Resource": "*"
    },

    ...

    {
      "Sid": "StmtID1722312238244",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/redshift-manager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    }
  ]
}

If the "Principal" element value is set to { "AWS": "*" } and the policy statement does not use any Condition clause to filter the access, as shown in the first statement of the example above, the selected AWS KMS master key is publicly accessible.

05 Repeat steps no. 3 and 4 to determine if other KMS master keys available in the current region are open to public access.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To block anonymous access to your Amazon KMS master keys, perform the following:

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, click Encryption Keys.

04 Click on the KMS key that you want to reconfigure (see Audit section part I to identify the right resource).

05 On the selected key configuration page, inside the Key Policy section, perform one of the following actions:

  1. Replace the "Everyone" grantee (i.e. "*") in the Principal element value with an AWS account ID (e.g. "123456789012") or an AWS account ARN (e.g. "arn:aws:iam::123456789012:root").
  2. Add a Condition clause such as "Condition": { "StringEquals": { "kms:CallerAccount": "123456789012" } } to the existing policy statement.

06 Click Save Changes to apply the policy changes.

07 Repeat steps no. 4 - 6 to update the access policy for other AWS KMS master keys available in the current region in order to block anonymous access.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 First, define the necessary access policy for your AWS KMS key and save it in a JSON file named kms-account-based-access-policy.json. You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build your custom access policies. The following example describes a policy document that grants access to an AWS account identified by the ID number 456139253105 to perform any actions on the selected KMS master key:

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-10",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "kms:*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "456139253105"
        }
      },
      "Resource": "*"
    },

    ...

    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/redshift-manager"
      },
      "Action": [
        "kms:CreateGrant*",
        "kms:ListGrants*",
        "kms:RevokeGrant*"
      ],
      "Resource": "*"
    }
  ]
}

02 Run put-key-policy command (OSX/Linux/UNIX) using the ID of the KMS master key that you want to reconfigure (see Audit section part II to identify the right KMS key) to replace the existing access policy with the one defined at the previous step, i.e. kms-account-based-access-policy.json (the command does not produce any output):

aws kms put-key-policy \
    --region us-east-1 \
    --key-id c84a8fab-6c42-4b33-ad64-a8e0b0ec0a15 \
    --policy-name default \
    --policy file://kms-account-based-access-policy.json

03 Repeat steps no. 1 and 2 to update the access policy for other AWS KMS keys available in the current region in order to block public access.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the entire process for other regions.
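The check from the Audit section (CLI part) and remediation option 2 (adding a kms:CallerAccount condition) carried out in code, as an added example that is not part of the original page or of Cloud Conformity's own tooling. The sample policy is constructed to mirror the exposed statement shown above; audit_region assumes a boto3 KMS client with kms:ListKeys and kms:GetKeyPolicy permissions and uses list_keys rather than list-aliases so that keys without an alias are not skipped.

```python
import json
# Constructed sample (not a live policy): the first statement mirrors the exposed
# one shown in the Audit section, the second is a normal account-scoped grant.
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "StmtID1672312238115", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "StmtID1722312238244", "Effect": "Allow", "Action": "kms:Describe*",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/redshift-manager"}, "Resource": "*"}]})

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} (the AWS value may be a list) grants access to anyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def _statements(policy):
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]  # a single statement may be a bare object

def _is_exposed(stmt):
    # Allow + anonymous principal + no (or empty) Condition block = open to the Internet.
    return (stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal"))
            and not stmt.get("Condition"))

def exposed_statement_sids(policy_json):
    """Audit: Sids of the statements that make the key publicly accessible."""
    return [s.get("Sid", "<no Sid>") for s in _statements(json.loads(policy_json)) if _is_exposed(s)]

def restrict_to_account(policy_json, account_id):
    """Remediation option 2: add a kms:CallerAccount condition to every exposed statement."""
    policy = json.loads(policy_json)
    for stmt in _statements(policy):
        if _is_exposed(stmt):
            stmt["Condition"] = {"StringEquals": {"kms:CallerAccount": account_id}}
    return json.dumps(policy, indent=2)

def audit_region(kms_client):
    """Return {key_id: [exposed Sids]} for the client's region (boto3 KMS client assumed)."""
    findings = {}
    for page in kms_client.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            policy = kms_client.get_key_policy(KeyId=key["KeyId"], PolicyName="default")["Policy"]
            sids = exposed_statement_sids(policy)
            if sids:
                findings[key["KeyId"]] = sids
    return findings
```

The string returned by restrict_to_account can be saved as kms-account-based-access-policy.json and applied with the put-key-policy command from step 2; review it first, since the function only adds a condition and leaves every other statement untouched.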

Publication date: Dec 23, 2016