KMS Customer Master Key (CMK) In Use

Risk level: Medium (should be achieved)

Rule ID: KMS-001

Ensure that you have KMS CMK customer-managed keys in use in your account instead of AWS managed-keys in order to have full control over your data encryption and decryption process. KMS CMK customer-managed keys can be used to encrypt and decrypt data for multiple AWS components such as S3, Redshift, EBS and RDS.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

When you define and use your own CMK customer-managed keys, you gain complete control over who can use the keys and access your encrypted data. KMS CMK is providing the ability to create, rotate, disable, enable, and audit the encryption keys used to protect your data.

Note: this guide will use EBS volume encryption as example to demonstrate how CMK customer-managed keys can be used instead of AWS managed-keys. This will assume that you have encryption enabled for your EBS volumes.

Audit

To determine if you have any CMK customer-managed keys in use for your EBS volumes, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/

03 In the navigation panel, under Elastic Block Store, click Volumes.

04 Select the EBS volume that you need to examine.

05 Select the Description tab from the bottom panel.

06 And search for the volume KMS Key Aliases value:

If the KMS key alias (name) used is aws/ebs, the volume is using a AWS managed-key. This key is used by default when you don't specify a CMK for encryption at volume creation. To have full control over the volume encryption, use your own CMK customer-managed keys (see Remediation / Resolution section).

Using AWS CLI

01 Run describe-volumes command (OSX/Linux/UNIX) to determine if a certain EBS volume is encrypted with the AWS CMK default key or with your own CMK customer-managed key. The next example expose the metadata for an EBS volume with the ID vol-f7f65326:

aws ec2 describe-volumes
	--volume-ids vol-f7f65326

02 The command output should return the KMS key ARN (Amazon Resource Name) ID. The ARN ID is returned as the value (highlighted) for the KmsKeyId parameter:

{
    "Volumes": [
        {
            "AvailabilityZone": "us-east-1a",
            "Attachments": [
                {
                    "AttachTime": "2016-04-15T08:15:59.000Z",
                    "InstanceId": "i-b969a624",
                    "VolumeId": "vol-f7f65326",
                    "State": "attached",
                    "DeleteOnTermination": false,
                    "Device": "/dev/sdf"
                }
            ],
            "Encrypted": true,
            "VolumeType": "gp2",
            "VolumeId": "vol-f7f65326",
            "State": "in-use",
            "Iops": 30,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/
                         d6c03026-b0bd-451e-a864-a68355f4f035",
            "SnapshotId": "",
            "CreateTime": "2016-04-15T08:15:14.882Z",
            "Size": 10
        }
    ]
}

03 Run aws kms list-aliases command (OSX/Linux/UNIX) using the same AWS region as the EBS volume to return the KMS key alias (name) used for encryption:

aws kms list-aliases
	--region us-east-1

04 The command output should return the metadata for each KMS key available. Now compare and match the KMS key ARN ID returned earlier with each key TargetKeyID parameter value and find the alias for the key used to encrypt the volume:

{
    "Aliases": [
        {
            "AliasArn": "arn:aws:kms:us-east-1:
                         123456789012:alias/aws/ebs",
            "AliasName": "alias/aws/ebs",
            "TargetKeyId": "d6c03026-b0bd-451e-a864-a68355f4f035"
        },
        {
            "AliasArn": "arn:aws:kms:us-east-1:
                         123456789012:alias/aws/rds",
            "AliasName": "alias/aws/rds"
        },
        {
            "AliasArn": "arn:aws:kms:us-east-1:
                         123456789012:alias/aws/s3",
            "AliasName": "alias/aws/s3"
        }
    ]
}

If the alias for the matched ID is “alias/aws/ebs”, the key used for encryption is a default key / AWS-managed key. To use your own CMK customer-managed key see the next section (Remediation/Resolution).

Remediation / Resolution

To use your own CMK customer-managed key instead of the default / AWS-managed key to encrypt an EBS volume, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to KMS dashboard at https://console.aws.amazon.com/kms/.

03 In the left navigation panel, click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu:

(must match the region where the AWS resource that will use the key was created).

05 Click Create Key button from the top menu.

06 Enter an alias (name) and a description for the new CMK, then click Next Step.

07 Under Key Administrators section, select which IAM users and/or roles can administer the CMK, then click Next Step.

08 Under This Account section, select which IAM users and/or roles can use the CMK to encrypt/decrypt data with the AWS KMS API.

09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt data. The owners of the external AWS accounts must also provide access to this CMK by creating policies for their IAM users.

10 Click Next Step.

11 Under Preview Key Policy section, click Finish to create your new CMK. Once the key is created, the KMS dashboard will display a confirmation message: “Your master key was created successfully. Alias: MyEBSDataCMK”

12 Now the CMK must be implemented to encrypt/decrypt the EBS volume data. Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

13 In the navigation panel, under Elastic Block Store, click Volumes.

14 Select your encrypted EBS volume.

15 Click the Actions dropdown button from the dashboard top menu and select Create Snapshot.

16 In the Create Snapshot dialog box, provide a name and a description for the snapshot (optional) and click Create.

17 In the navigation panel, under Elastic Block Store, click Snapshots.

18 Select your newly created EBS snapshot.

19 Click the Actions dropdown button from the dashboard top menu and select Copy.

20 In the Copy Snapshot dialog box, under Master Key select your new CMK customer-managed key:

and click Copy.

21 Select the new (copied) EBS snapshot.

22 Click the Actions dropdown button from the dashboard top menu and select Create Volume.

23 In the Create Volume dialog box, review the volume configuration details and click Create.

24 Go back to the navigation panel and click Volumes.

25 Select the original EBS volume (encrypted with the AWS-managed key).

26 Click the Actions dropdown button from the dashboard top menu and select Detach Volume.

27 In the Detach Volume dialog box click Yes, Detach.

28 Select the newly created EBS volume (encrypted with your new customer-managed key).

29 Click the Actions dropdown button from the top menu and select Attach Volume.

30 In the Attach Volume dialog box enter your EC2 instance ID and the device name for attachment, then click Attach.

31 Select the Description tab from the bottom panel and make sure the created EBS volume use your own CMK customer-managed key by checking the KMS Key Aliases value:

Using AWS CLI

01 Create a policy that enables the selected IAM users and/or roles to administer the new CMK and the selected IAM users and/or roles to encrypt/decrypt data using the KMS API. Create a new document called ebs-cmk-policy.json and paste the following policy (replace the highlighted details - the ARNs for the IAM users and/or roles - with your details):

{
  "Version": "2012-10-17",
  "Id": "key-policy-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/EC2Manager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/EC2Admin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/EC2Admin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the AWS region where the data resource is located and the policy name created earlier (ebs-cmk-policy.json) to create the your CMK customer-managed key:

aws kms create-key
	--region us-east-1
	--description 'CMK used for EBS volumes data encryption'
	--policy file://ebs-cmk-policy.json

03 The command output should return the new CMK metadata:

{
    "KeyMetadata": {
        "KeyId": "146e5259-68af-4501-82d3-8fef8b3a50bc",
        "Description": "CMK used for EBS volumes data encryption",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1460740376.447,
        "Arn": "arn:aws:kms:us-east-1:123456789012:
                key/146e5259-68af-4501-82d3-8fef8b3a50bc",
        "AWSAccountId": "123456789012"
    }
}

04 Run create-alias command (OSX/Linux/UNIX) using the newly created key ARN to attach an alias (display name) to the CMK. The alias name must start with the prefix "alias/":

aws kms create-alias
	--alias-name alias/MyEBSDataCMK
	--target-key-id arn:aws:kms:us-east-1:123456789012:key/146e5259-68af-4501-82d3-8fef8b3a50bc

05 Once the CMK is created it must be implemented to encrypt/decrypt the EBS volume data. Run create-snapshot command (OSX/Linux/UNIX) to create a new snapshot from your existing volume. The following example use an EBS volume with the ID vol-f7f65326:

aws ec2 create-snapshot
	--volume-id vol-f7f65326

06 The command output should reveal the EBS snapshot ID:

{
    "Description": "",
    "Encrypted": true,
    "VolumeId": "vol-f7f65326",
    "State": "pending",
    "VolumeSize": 10,
    "Progress": "",
    "StartTime": "2016-04-15T18:04:15.000Z",
    "SnapshotId": "snap-a17c63a0",
    "OwnerId": "123456789012"
}

07 Run copy-snapshot command (OSX/Linux/UNIX) to create a copy of the existent EBS snapshot using its ID as the data source ID and the new CMK customer-managed key ARN:

aws
	--region us-east-1 ec2 copy-snapshot
	--source-region us-east-1
	--source-snapshot-id snap-a17c63a0
	--encrypted
	--kms-key-id arn:aws:kms:us-east-1:123456789012:key/146e5259-68af-4501-82d3-8fef8b3a50bc

08 The command output should return the new EBS snapshot ID (snapshot copy):

{
    "SnapshotId": "snap-f1619dbf"
}

09 Run create-volume command (OSX/Linux/UNIX) to create a new EBS volume from the encrypted snapshot. The following example describes creating an EBS volume from a source snapshot with the ID snap-f1619dbf:

aws ec2 create-volume
	--region us-east-1
	--availability-zone us-east-1a
	--snapshot-id snap-f1619dbf
	--volume-type gp2

10 The command output should reveal the new encrypted EBS volume ID:

{
    "AvailabilityZone": "us-east-1a",
    "Encrypted": true,
    "VolumeType": "gp2",
    "VolumeId": "vol-cfd97f1e",
    "State": "creating",
    "Iops": 30,
    "SnapshotId": "snap-f1619dbf",
    "CreateTime": "2016-04-15T18:21:03.779Z",
    "Size": 10
}

11 Run detach-volume command (OSX/Linux/UNIX) to detach the original EBS volume (encrypted with the AWS-managed key). The following example describes detaching an EBS volume with the ID vol-f7f65326:

aws ec2 detach-volume
	--volume-id vol-f7f65326

12 To attach the new EBS volume (encrypted with your CMK customer-managed key) to the EC2 instance run attach-volume command (OSX/Linux/UNIX). The following example describes attaching an EBS volume with the ID vol-cfd97f1e to an EC2 instance with the ID i-b969a624:

aws ec2 attach-volume
	--volume-id vol-cfd97f1e
	--instance-id i-b969a624
	--device /dev/sdf

13 The command output should return the encrypted EBS volume state (attaching in this case) :

{
    "AttachTime": "2016-04-15T18:28:46.112Z",
    "InstanceId": "i-b969a624",
    "VolumeId": "vol-cfd97f1e",
    "State": "attaching",
    "Device": "/dev/sdf"
}

References

AWS Command Line Interface (CLI) Documentation
kms
describe-key
create-key
create-alias
describe-volumes
describe-snapshots
create-snapshot
copy-snapshot
detach-volume
attach-volume

Publication date Apr 16, 2016

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

KMS Customer Master Key (CMK) In Use

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related KMS rules