- Knowledge Base
- Amazon Web Services
- Default Key Usage
Ensure that your AWS cloud services and resources are using customer-provided Customer Master Keys (CMKs) instead of default (AWS-managed) keys, in order to have full control over data encryption and decryption process, and meet compliance requirements. The default master keys are used by AWS cloud services such as RDS, EBS, Lambda, Elastic Transcoder, Redshift, SES, SQS, CloudWatch, EFS, S3 or Workspaces when no other key is defined to encrypt a resource for those services. The default key can't be modified to ensure its availability, durability, and security.
Security When you use your own Amazon KMS Customer Master Keys (CMKs) to protect your cloud data, you have complete control over who can use the master keys to access your data, implementing the Principle of Least Privilege (POLP) on encryption key ownership and usage. Amazon KMS service allows you to easily create, rotate, disable, and audit customer-provided Customer Master Keys (CMKs) for your cloud data.
Note: As an example, this conformity rule demonstrates how customer-provided Customer Master Keys (CMKs) can be used to encrypt Amazon EBS volumes instead of default (AWS-managed) keys.
Audit
To determine if the default Amazon KMS keys are used to encrypt EBS volumes within your AWS account, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.
03 In the navigation panel, under Elastic Block Store, choose Volumes.
04 Click inside the Filter by tags and attributes or search by keyword box, choose Encryption and select Encrypted. The Amazon EC2 console will list only the EBS volumes that are currently encrypted.
05 Select the encrypted Amazon EBS volume that you want to examine.
06 Choose the Description tab from the console bottom panel and check the KMS Key Aliases attribute value. If the KMS Key Aliases value is set to aws/ebs, the selected Amazon EBS volume is encrypted using the default master key created by Amazon KMS within the current AWS region. This key is managed by AWS and is implemented by default when you don't specify a customer-provided Customer Master Key at volume creation.
07 Repeat steps no. 5 and 6 for each encrypted Amazon EBS volume available in the current AWS region.
08 Change the AWS cloud region from the navigation bar to perform the Audit process for other regions.
Using AWS CLI
01 Run describe-volumes command (OSX/Linux/UNIX) with custom query filters to describe the ID of each encrypted Amazon EBS volume provisioned in the selected AWS cloud region:
aws ec2 describe-volumes --region us-east-1 --filters Name=encrypted,Values=true --query 'Volumes[*].VolumeId'
02 The command output should return the requested volume ID(s):
[ "vol-0abcd1234abcd1234", "vol-01234abcd1234abcd" ]
03 Execute describe-volumes command (OSX/Linux/UNIX) using the ID of the encrypted EBS volume that you want to examine as the identifier parameter and custom query filters to describe the Amazon Resource Name (ARN) of the master key used to encrypt the selected volume:
aws ec2 describe-volumes --region us-east-1 --volume-ids vol-0abcd1234abcd1234 --query 'Volumes[*].KmsKeyId'
04 The command output should return the requested Amazon Resource Name (ARN):
[ "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd" ]
05 Run describe-key command (OSX/Linux/UNIX) using the ARN of the master key returned at the previous step as the identifier parameter and custom query filters to describe manager of the specified KMS key:
aws kms describe-key --region us-east-1 --key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd --query 'KeyMetadata.KeyManager'
06 The command output should the master key manager ("AWS" if the master key is AWS-managed – default key, and "CUSTOMER" if the key is customer-provided):
"AWS"
If the describe-key command output returns "AWS", as shown in the example above, the selected Amazon EBS volume is encrypted using the default master key created by Amazon KMS service in the selected AWS region. This key is managed by AWS and is implemented by default when you don't specify a customer-provided Customer Master Key at volume creation.
07 Repeat steps no. 3 – 6 for each encrypted Amazon EBS volume available in the selected AWS region.
08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
Remediation / Resolution
To use customer-provided Amazon KMS Customer Master Keys (CMKs) instead of default (AWS-managed) master keys to encrypt your EBS volumes, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"KMSKEY": {
"Type": "AWS::KMS::Key",
"Properties": {
"Enabled": true,
"KeySpec": "SYMMETRIC_DEFAULT",
"KeyUsage": "ENCRYPT_DECRYPT",
"Description": "Symmetric Amazon KMS Customer Master Key",
"KeyPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/cloud-resource-manager"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/cloud-resource-manager"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
}
},
"KMSKEYAlias": {
"Type": "AWS::KMS::Alias",
"Properties": {
"AliasName": "alias/EBSVolumeCMK",
"TargetKeyId": {
"Ref": "KMSKEY"
}
}
},
"EBSVolumeSnapshot": {
"Type": "AWS::EC2::Snapshot",
"Properties": {
"VolumeId": "vol-0abcd1234abcd1234"
}
},
"EBSSnapshotCopy": {
"Type": "AWS::EC2::Snapshot",
"Properties": {
"SnapshotId": {
"Ref": "EBSVolumeSnapshot"
},
"Encrypted": true
}
},
"EncryptedEBSVolume": {
"Type": "AWS::EC2::Volume",
"Properties": {
"SnapshotId": {
"Ref": "EBSSnapshotCopy"
},
"AvailabilityZone": "us-east-1b",
"Encrypted": true,
"KmsKeyId": {
"Ref": "KMSKEY"
}
}
}
}
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09' Resources: KMSKEY: Type: AWS::KMS::Key Properties: Enabled: true KeySpec: SYMMETRIC_DEFAULT KeyUsage: ENCRYPT_DECRYPT Description: Symmetric Amazon KMS Customer Master Key KeyPolicy: Version: '2012-10-17' Statement: - Sid: Enable IAM User Permissions Effect: Allow Principal: AWS: arn:aws:iam::123456789012:root Action: kms:* Resource: '*' - Sid: Allow access for Key Administrators Effect: Allow Principal: AWS: arn:aws:iam::123456789012:user/kms-key-admin Action: - kms:Create* - kms:Describe* - kms:Enable* - kms:List* - kms:Put* - kms:Update* - kms:Revoke* - kms:Disable* - kms:Get* - kms:Delete* - kms:TagResource - kms:UntagResource - kms:ScheduleKeyDeletion - kms:CancelKeyDeletion Resource: '*' - Sid: Allow use of the key Effect: Allow Principal: AWS: - arn:aws:iam::123456789012:user/cloud-resource-manager Action: - kms:Encrypt - kms:Decrypt - kms:ReEncrypt* - kms:GenerateDataKey* - kms:DescribeKey Resource: '*' - Sid: Allow attachment of persistent resources Effect: Allow Principal: AWS: - arn:aws:iam::123456789012:user/cloud-resource-manager Action: - kms:CreateGrant - kms:ListGrants - kms:RevokeGrant Resource: '*' Condition: Bool: kms:GrantIsForAWSResource: 'true' KMSKEYAlias: Type: AWS::KMS::Alias Properties: AliasName: alias/EBSVolumeCMK TargetKeyId: !Ref 'KMSKEY' EBSVolumeSnapshot: Type: AWS::EC2::Snapshot Properties: VolumeId: vol-0abcd1234abcd1234 EBSSnapshotCopy: Type: AWS::EC2::Snapshot Properties: SnapshotId: !Ref 'EBSVolumeSnapshot' Encrypted: true EncryptedEBSVolume: Type: AWS::EC2::Volume Properties: SnapshotId: !Ref 'EBSSnapshotCopy' AvailabilityZone: us-east-1b Encrypted: true KmsKeyId: !Ref 'KMSKEY'
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
}
}
required_version = ">= 0.14.9"
}
provider "aws" {
profile = "default"
region = "us-east-1"
}
resource "aws_kms_key" "kms-key" {
is_enabled = true
customer_master_key_spec = "SYMMETRIC_DEFAULT"
key_usage = "ENCRYPT_DECRYPT"
description = "Symmetric Amazon KMS Customer Master Key"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/cloud-resource-manager"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/cloud-resource-manager"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
EOF
}
resource "aws_kms_alias" "kms-key-alias" {
target_key_id = aws_kms_key.kms-key.key_id
name = "alias/EBSVolumeCMK"
}
resource "aws_ebs_snapshot" "ebs-volume-snapshot" {
volume_id = "vol-0abcd1234abcd1234"
}
resource "aws_ebs_snapshot_copy" "ebs-snapshot-copy" {
source_snapshot_id = aws_ebs_snapshot.ebs-volume-snapshot.id
encrypted = true
}
resource "aws_ebs_volume" "encrypted-ebs-volume" {
snapshot_id = aws_ebs_snapshot_copy.ebs-snapshot-copy.id
availability_zone = "us-east-1b"
encrypted = true
kms_key_id = aws_kms_key.kms-key.key_id
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.
03 In the navigation panel, under Key Management Service (KMS), select Customer managed keys.
04 Choose the Create Key button from the console top menu to initiate the CMK setup process.
05 For Step 1 Configure key, perform the following actions:
- Choose Symmetric from the Key type section. A symmetric key is a single encryption key that can be used for both encrypt and decrypt operations.
- Under Advanced options, for Key material origin, select KMS as the source of the key material within the CMK.
- Under Advanced options, for Regionality, select whether**to allow the new key to be replicated into other AWS regions.
- Choose Next to continue.
06 For Step 2 Add labels, type a unique name (alias) for your new master key in the Alias box and provide a short description for the key in Description – _optiona_l box. (Optional) Use the Add tag button to create tags in order categorize and identify your CMK. Choose Next to continue the setup process.
07 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK from the Key administrators section. You may need to add additional permissions for the users or roles to administer the key from the AWS console. For Key deletion, select Allow key administrators to delete this key. Choose Next to continue.
08 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new Customer Master Key for cryptographic operations. (Optional) In the Other AWS accountssection, choose Add another AWS account and enter an external AWS account ID in order to specify the external AWS account that can use the new key to encrypt and decrypt your EBS volume data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Choose Nextto continue.
09 For Step 5 Review, review the policy available in the Key policy section, then choose Finish to create your specific Amazon KMS Customer Master Key (CMK). Once the key is successfully created, the Amazon KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".
10 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.
11 In the navigation panel, under Elastic Block Store, choose Volumes.
12 Select the Amazon EBS volume that you want to encrypt using your new customer-provided Customer Master Key (CMK).
13 Choose the Actions dropdown button from the console top menu and select Create Snapshot.
14 On the Create Snapshot setup page, provide a short description in the Description box, and choose Create Snapshot. Choose Close to return to the EC2 console.
15 In the navigation panel, under Elastic Block Store, choose Snapshots.
16 Select the newly created Amazon EBS snapshot, choose Actions, and select Copy.
17 In the Copy Snapshot configuration box, select Encrypt this snapshotcheckbox, choose the customer-provided Customer Master Key (CMK) created earlier in the Remediation section from the Master key dropdown list, and choose Copy. Click Close to return to the Snapshots page.
18 Select the new (copied) Amazon EBS snapshot, choose Actions, and select Create Volume.
19 On the Create Volume setup page, make sure that the appropriate customer-provided Customer Master Key (CMK) is selected from the Master Key dropdown list, review the volume configuration details, then choose Create Volume. Click Close to return to the Amazon EC2 console.
20 (Optional) To replace the volume encrypted with the default master key with the one encrypted with customer-provided CMK within the Amazon EC2 instance configuration, perform the following actions:
- In the navigation panel, under Elastic Block Store, choose Volumes.
- Select the original Amazon EBS volume, encrypted with the default master key.
- Choose the Actions dropdown button from the console top menu and select Detach Volume.
- Inside the Detach Volume dialog box, choose Yes, Detach.
- Select the newly created Amazon EBS volume, encrypted with the new customer-provided Customer Master Key (CMK).
- Choose the Actions button from the console top menu and select Attach Volume.
- In the Attach Volume configuration box, select the ID of the EC2 instance detached at step c. from the Instance box, provide the device name required for attachment in the Device box, then choose Attach.
21 Repeat steps no. 12 – 20 to configure customer-provided Customer Master Keys (CMKs) for other Amazon EBS volumes available within the current AWS region.
22 Change the AWS cloud region from the navigation bar to perform the Remediation process for other regions.
Using AWS CLI
01 Define the policy that enables the selected IAM users and/or roles to manage your new Customer Master Key (CMK), and to encrypt/decrypt your EBS data using the KMS API. Create a new policy document (JSON format), name the file ebs-volume-cmk-policy.json, and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):
{
"Id": "protected-cmk-policy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<aws-account-id>:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
02 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e.ebs-volume-cmk-policy.json) as value for the --policy parameter, to create your new, customer-provided Customer Master Key (CMK):
aws kms create-key --region us-east-1 --description 'Customer Master Key for EBS Volume Encryption' --policy file://ebs-volume-cmk-policy.json --query 'KeyMetadata.Arn'
03 The command output should return the ARN of the new Customer Master Key (CMK):
"arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):
aws kms create-alias --region us-east-1 --alias-name alias/EBSVolumeCMK --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
05 Once your customer-provided Customer Master Key (CMK) is created, re-create the Amazon EBS volume(s) that you want to encrypt using the new CMK. Run create-snapshot command (OSX/Linux/UNIX) to create a new snapshot from the specified EBS volume:
aws ec2 create-snapshot --region us-east-1 --volume-id vol-0abcd1234abcd1234
06 The output should return the create-snapshot command request metadata:
{
"Description": "",
"Tags": [],
"Encrypted": true,
"VolumeId": "vol-0abcd1234abcd1234",
"State": "pending",
"VolumeSize": 150,
"StartTime": "2021-06-20T11:37:31.000Z",
"Progress": "",
"OwnerId": "123456789012",
"SnapshotId": "snap-0abcd1234abcd1234"
}
07 Run copy-snapshot command (OSX/Linux/UNIX) to copy the EBS volume snapshot created at the previous steps. Use the --kms-key-id command parameter to encrypt the snapshot copy with your new customer-provided Customer Master Key (CMK):
aws ec2 copy-snapshot --region us-east-1 --source-region us-east-1 --source-snapshot-id snap-0abcd1234abcd1234 --encrypted --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
08 The command output should return the ID of the new EBS volume snapshot:
{
"SnapshotId": " snap-01234abcd1234abcd"
}
09 Run create-volume command (OSX/Linux/UNIX) to create a new Amazon EBS volume from the encrypted snapshot (copy) created at the previous steps. Make sure to include the --kms-key-id command parameter to encrypt the new EBS volume with your customer-provided Customer Master Key (CMK):
aws ec2 create-volume --region us-east-1 --volume-type gp2 --size 150 --availability-zone us-east-1a --snapshot-id snap-01234abcd1234abcd --encrypted --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
10 The command output should return the metadata available for the new encrypted EBS volume:
{
"AvailabilityZone": "us-east-1a",
"MultiAttachEnabled": false,
"Tags": [],
"Encrypted": true,
"VolumeType": "gp2",
"VolumeId": "vol-0abcdabcdabcdabcd",
"State": "creating",
"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234",
"SnapshotId": "snap-01234abcd1234abcd",
"Iops": 100,
"CreateTime": "2021-06-28T11:00:00.000Z",
"Size": 150
}
11 To replace the volume encrypted with the default master key with the one encrypted with customer-provided CMK within the Amazon EC2 instance configuration, perform the following actions:
- Run detach-volume command (OSX/Linux/UNIX) to detach the original Amazon EBS volume, encrypted with the default master key, from the specified EC2 instance:
aws ec2 detach-volume --region us-east-1 --volume-id vol-0abcd1234abcd1234
- The output should return the detach-volume command request metadata:
{ "AttachTime": "2021-06-28T12:00:19.000Z", "InstanceId": "i-01234123412341234", "VolumeId": "vol-0abcd1234abcd1234", "State": "detaching", "Device": "/dev/sdf" } - To attach the new EBS volume (encrypted with the customer-provided CMK) to the selected Amazon EC2 instance, run attach-volume command (OSX/Linux/UNIX):
aws ec2 attach-volume --volume-id vol-0abcdabcdabcdabcd --instance-id i-01234123412341234 --device /dev/sdf
- The output should return the attach-volume command request metadata:
{ "AttachTime": "2021-06-28T13:00:19.000Z", "InstanceId": "i-01234567890123456", "VolumeId": "vol-0abcdabcdabcdabcd", "State": "attaching", "Device": "/dev/sdf" }
12 Repeat steps no. 6 – 12 to configure customer-provided Customer Master Keys (CMKs) for other Amazon EBS volumes available in the selected AWS region.
13 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
References
- AWS Documentation
- What is AWS Key Management Service?
- AWS Key Management Service Concepts
- Creating Keys
- Amazon EBS Encryption
- Copying an Amazon EBS Snapshot
- AWS Command Line Interface (CLI) Documentation
- kms
- list-aliases
- create-key
- create-alias
- ec2
- describe-volumes
- create-snapshot
- create-volume
- copy-snapshot
- detach-volume
- attach-volume
Related KMS rules
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Default Key Usage
Risk Level: Medium