
AWS KMS Unknown Cross Account Access


Risk level: High (not acceptable risk)

Ensure that your AWS Key Management Service (KMS) keys can be accessed only by trusted AWS accounts, in order to protect against unauthorized cross-account access. Before the Cloud Conformity engine runs this rule you need to provide the trusted account identifiers as a comma-separated list of valid AWS account IDs (e.g. 123456789012) or AWS account ARNs (e.g. arn:aws:iam::123456789012:root).

This rule resolution is part of the Cloud Conformity Security Package

Granting cross-account access to an untrusted AWS account in a KMS key policy lets that account's root principal delegate use of the key to any IAM user or role it controls, and, where the grant includes administrative actions such as kms:PutKeyPolicy, lets it change who can use the key at all. Anyone who can use the key can decrypt every piece of data it protects. To prevent sensitive data leaks and data loss, grant access only to trusted accounts, and only the KMS actions they need, in the key policy.

Audit

To determine if there are any AWS KMS keys that allow unknown cross account access, perform the following:

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel click Encryption Keys.

04 Click on the KMS master key that you want to examine.

05 On the selected key configuration page, inside the Key Policy section, identify the AWS account ID (e.g. 123456789012) or AWS account ARN (e.g. arn:aws:iam::123456789012:root) defined as value(s) for the Principal element of each Allow statement. The 12-digit account segment of an IAM user or role ARN (e.g. arn:aws:iam::123456789012:role/ec2-manager) identifies an account in the same way, and a Principal value of "*" means any AWS account.

06 Sign in to your Cloud Conformity console, open the KMS Keys Account Access rule settings and compare the identifier(s) found at the previous step (ID(s)/ARN(s)) against each identifier listed in the rule configuration section. If any identifier in the key policy does not match a trusted account, the selected KMS master key allows unknown cross-account access. A Principal of "*" (or "AWS": "*") grants access to every AWS account and always fails this check.

07 Repeat steps no. 4 - 6 to verify the access policy for other Amazon KMS keys available in the current region for unknown cross account access.

08 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run list-keys command (OSX/Linux/UNIX) to list the identifiers (i.e. IDs) of all AWS KMS keys currently available in the selected region. Use list-keys rather than list-aliases: a key that has no alias does not appear in the list-aliases output and would be skipped by the audit:

aws kms list-keys
    --region us-east-1
    --query 'Keys[*].KeyId'

02 The command output should return the IDs of the available KMS keys:

[
    "3183fccd-25df-4545-bc32-1171cabd3442",
    "5802e0f2-ec36-4f3c-806a-89f454193b39",
    "55034280-8f14-4d56-bd98-2bb476d18932"
]

03 Run get-key-policy command (OSX/Linux/UNIX) using a KMS key ID returned at the previous step to retrieve the access policy used by the selected key. Without --output text the CLI wraps the policy document in a JSON object as a Policy string; with it, the policy document itself is printed:

aws kms get-key-policy
    --region us-east-1
    --key-id 3183fccd-25df-4545-bc32-1171cabd3442
    --policy-name default
    --output text

04 The command output should return the KMS master key access policy in JSON format:

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-5",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },

    ...

    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/ec2-manager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    }
  ]
}

05 Identify every AWS account referenced by the Principal element of each Allow statement in the access policy returned at the previous step. An account can appear as a bare account ID (e.g. 123456789012), as an account ARN (e.g. arn:aws:iam::123456789012:root) or as the 12-digit account segment of an IAM user or role ARN (e.g. arn:aws:iam::123456789012:role/ec2-manager); a Principal value of "*" means any AWS account.

06 Sign in to your Cloud Conformity console, open the KMS Keys Account Access rule settings and compare the identifier(s) found at the previous step (ID(s)/ARN(s)) against each identifier listed in the rule configuration section. If any identifier in the key policy does not match a trusted account, the selected KMS master key allows unknown cross-account access. A Principal of "*" (or "AWS": "*") always fails this check.

07 Repeat steps no. 3 - 6 to verify the access policy for other Amazon KMS master keys available in the current region for unknown cross account access.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the audit process for other regions.

Remediation / Resolution

To update your Amazon KMS keys permissions in order to allow cross account access only to trusted entities, perform the following:

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, click Encryption Keys.

04 Click on the KMS key that you want to reconfigure (see Audit section part I to identify the right AWS resource).

05 On the selected key configuration page, inside the Key Policy section, remove or replace the untrusted AWS identifier(s) listed as Principal element value(s), keeping only the trusted one(s) defined on your Cloud Conformity console. Always keep the root principal of the account that owns the key (the "Enable IAM User Permissions" statement); removing it can leave the key unmanageable from your own account.

06 Click Save Changes to apply the policy changes.

07 Repeat steps no. 4 - 6 to update the access policy for other AWS KMS master keys available in the current region in order to block requests from unauthorized (foreign) AWS accounts.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Edit your Amazon KMS key access policy so that the Principal element of each Allow statement names only trusted AWS identifier(s), then save the policy in a JSON document (e.g. kms-cross-account-access-policy.json). You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build your custom access policies. The following example contains a KMS policy document that, alongside the root principal of the key-owning account (123456789012), allows another (trusted) AWS account identified by the ARN "arn:aws:iam::366139253587:root" to perform any action on the selected KMS master key. Keep the owning account's root principal in the policy, otherwise the key may become unmanageable from your own account, and prefer limiting the external account to the actions it actually needs (e.g. kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, kms:DescribeKey) rather than kms:*:

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-5",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:root",
          "arn:aws:iam::366139253587:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },

    ...

    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/ec2-manager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    }
  ]
}

02 Run put-key-policy command (OSX/Linux/UNIX) using the ID of the KMS master key that you want to reconfigure (see Audit section part II to identify the right key) to replace the existing access policy with the one defined at the previous step, i.e. kms-cross-account-access-policy.json. The command replaces the key policy in its entirety, so the document must contain every statement you want to keep, and it does not return an output:

aws kms put-key-policy --region us-east-1
    --key-id 3183fccd-25df-4545-bc32-1171cabd3442
    --policy-name default
    --policy file://kms-cross-account-access-policy.json

03 Repeat step no. 1 and 2 to update the access policy for other AWS KMS keys available in the current region in order to block requests from unauthorized cross account entities.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the entire process for other regions.
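The CLI audit (part II) and remediation (part II) procedures above reduce to the same loop: enumerate the keys, pull each key policy, extract every account referenced by the Principal element of the Allow statements, and rewrite the policy so that only trusted accounts remain. The following Python script is an added example, not Cloud Conformity's or AWS's code. Its policy-handling functions run offline on a constructed sample policy modelled on the one shown above; audit_region() is the live variant and assumes boto3 is installed and credentials are configured. The function names and the 999999999999 account in the sample are assumptions for illustration.

```python
"""Audit and clean the cross-account principals of an AWS KMS key policy.

Added example, not Cloud Conformity's or AWS's code. The policy functions
run offline; audit_region() assumes boto3 and AWS credentials are available.
"""
import json
import re

# Every IAM/STS ARN carries the 12-digit account ID as its fourth segment;
# the partition may be aws, aws-cn or aws-us-gov.
ACCOUNT_ARN_RE = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):")


def _aws_values(stmt):
    """The statement's Principal.AWS entries as a list (possibly empty)."""
    principal = stmt.get("Principal", {})
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [values] if isinstance(values, str) else values


def principal_accounts(principal):
    """Set of account IDs named by a Principal element.

    Accepts "*", {"AWS": "..."} and {"AWS": [...]}; values may be bare account
    IDs or root/user/role/assumed-role ARNs. "*" (anonymous) and anything that
    cannot be parsed are returned unchanged so nothing is silently dropped.
    Service and Federated principals are not account grants and are ignored.
    """
    if principal == "*":
        return {"*"}
    accounts = set()
    for value in _aws_values({"Principal": principal}):
        match = ACCOUNT_ARN_RE.match(value)
        accounts.add(match.group(1) if match else value)
    return accounts


def find_untrusted_access(policy, trusted_accounts):
    """[(Sid, account), ...] for every Allow statement naming an account
    outside trusted_accounts. "*" is never trusted."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for account in sorted(principal_accounts(stmt.get("Principal", {}))):
            if account not in trusted_accounts:
                findings.append((stmt.get("Sid", "<no Sid>"), account))
    return findings


def remove_untrusted_principals(policy, trusted_accounts, owner_account):
    """Copy of the policy with untrusted AWS principals dropped from Allow
    statements; statements left with no principal are removed. Refuses to
    return a policy that no longer grants the owning account's root principal,
    because such a key can become unmanageable from the owner's account."""
    cleaned = json.loads(json.dumps(policy))  # deep copy, input untouched
    kept = []
    for stmt in cleaned.get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or principal is None:
            kept.append(stmt)
            continue
        if principal == "*":  # anonymous access: drop the whole statement
            continue
        allowed = [v for v in _aws_values(stmt)
                   if principal_accounts({"AWS": v}) <= trusted_accounts]
        if allowed:
            principal["AWS"] = allowed if len(allowed) > 1 else allowed[0]
            kept.append(stmt)
        elif isinstance(principal, dict) and any(k != "AWS" for k in principal):
            principal.pop("AWS", None)  # Service/Federated grants stay as they were
            kept.append(stmt)
    cleaned["Statement"] = kept

    owner_root = f"arn:aws:iam::{owner_account}:root"
    if not any(owner_root in _aws_values(s) for s in kept if s.get("Effect") == "Allow"):
        raise ValueError(f"cleaned policy no longer grants {owner_root}; refusing to lock the owner out")
    return cleaned


def audit_region(region, trusted_accounts):
    """Live check of every key in one region (assumption: boto3 + credentials).
    Uses list_keys, not list_aliases, so keys without an alias are not missed."""
    import boto3  # imported here so the offline functions above need no boto3
    kms = boto3.client("kms", region_name=region)
    findings = {}
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            raw = kms.get_key_policy(KeyId=key["KeyId"], PolicyName="default")["Policy"]
            hits = find_untrusted_access(json.loads(raw), trusted_accounts)
            if hits:
                findings[key["KeyId"]] = hits
    return findings


# Constructed sample: the page's policy plus a "use" statement that names one
# trusted external account and one unknown account (999999999999 is made up).
OWNER = "123456789012"
TRUSTED = {OWNER, "366139253587"}
SAMPLE_POLICY = {
    "Version": "2012-10-17", "Id": "key-consolepolicy-5",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{OWNER}:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::366139253587:root",
                               "arn:aws:iam::999999999999:role/unknown-app"]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
        {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{OWNER}:role/ec2-manager"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Put*"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for sid, account in find_untrusted_access(SAMPLE_POLICY, TRUSTED):
        print(f"untrusted principal in statement '{sid}': account {account}")
    # The cleaned document is what you would save and pass to put-key-policy.
    print(json.dumps(remove_untrusted_principals(SAMPLE_POLICY, TRUSTED, OWNER), indent=2))
```

Run it as-is to see the finding for the unknown account and the cleaned policy; save that output to a file and feed it to `aws kms put-key-policy --policy file://...` as in step 02. The owner-root check is deliberate: the remediation replaces the whole policy, and a document that drops the owning account's root grant is the one mistake you cannot undo with put-key-policy afterwards.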


Publication date Dec 23, 2016