Description:

AWS Key Management Service (KMS) allows administrators to create, delete and control the keys that encrypt data stored in AWS services. KMS makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your own applications. AWS KMS is a secure and resilient service that uses hardware security modules (HSMs) that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs. In AWS KMS, you must attach resource-based policies to your customer master keys (CMKs). These are called key policies.


Rationale:

An exposed KMS key has a direct negative impact if an external threat actor gains access to it, because the key protects the data encrypted under it.

If an AWS KMS key policy grants permissions to everyone (a wildcard principal), that is bad practice and can lead to sensitive data leakage.


Impact:

Removing KMS exposure enforces least privilege, restricts who can call Decrypt, and reduces the possibility of exposure. AWS allows you to separate the usage permissions from the administration permissions associated with a key. This separation helps prevent unauthorized users from granting themselves KMS access and also protects sensitive information.


Default Value:

The default key policy enables any principals you define, and also enables the root user of the account to add IAM policies that reference the key.


Audit:

Step 1: Log in to the AWS Management Console and navigate to the KMS dashboard at https://console.aws.amazon.com/kms/.

Step 2: Click on Customer managed keys in the left navigation panel.

Step 3: Click on the KMS master key that you want to examine.

Step 4: In the Key policy tab of the selected key, verify the policy. If the Principal element names a specific AWS account or IAM principal, the key is restricted to that account or user.

If the policy contains "Principal": { "AWS": "*" }, the selected AWS KMS key is exposed to everyone.

Step 5: Repeat steps 3-4 to audit all other KMS keys listed in your account.
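The manual check in steps 3-5 can be automated. The following Python script is an added example and not part of this benchmark: it parses a key policy document, flags every Allow statement whose Principal contains the wildcard "*", and (assuming a boto3 KMS client supplied by the caller) runs that check over all customer managed keys in the account. The sample policy and the account ID 111122223333 are constructed placeholders.

```python
import json

# Constructed sample key policy (placeholder account id, not a real account).
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    ],
})
# Constructed policy that is correctly scoped to named IAM users.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:user/tester"]},
         "Action": "kms:*", "Resource": "*"},
    ],
})

def _principals(principal):
    """Flatten the Principal element (string or map of string/list) to a list."""
    if principal == "*":
        return ["*"]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out

def exposed_statements(policy_json):
    """Return (Sid, has_condition) for every Allow statement with a '*' principal.
    A Condition block (e.g. kms:ViaService) narrows the grant, so such
    statements need review rather than automatic removal."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    return [(s.get("Sid", "<no Sid>"), "Condition" in s) for s in statements
            if s.get("Effect") == "Allow" and "*" in _principals(s.get("Principal", {}))]

def audit_account(kms_client):
    """Map key id -> findings for every customer managed key (boto3 KMS client assumed)."""
    report = {}
    for page in kms_client.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            meta = kms_client.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            if meta["KeyManager"] != "CUSTOMER":  # skip AWS managed keys
                continue
            policy = kms_client.get_key_policy(KeyId=key["KeyId"], PolicyName="default")["Policy"]
            if exposed_statements(policy):
                report[key["KeyId"]] = exposed_statements(policy)
    return report
```

Run it with `audit_account(boto3.client("kms"))` under read-only credentials; any key id in the returned map is a candidate for the remediation below.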


Remediation:

Implementation Steps:

Step 1: Log in to the AWS Management Console and navigate to the KMS dashboard at https://console.aws.amazon.com/kms/.

Step 2: Click on Customer managed keys in the left navigation panel.

Step 3: Click on the KMS master key that the audit identified as exposed.

Step 4: In Key policy, click on Switch to policy view.

Step 5: In the key policy, replace the wildcard principal "AWS": [ "*" ] with the specific IAM users that need access, as in the example below:

"Principal": {
                "AWS": [
                "arn:aws:iam::123456789123:user/u[email protected]",
                "arn:aws:iam::123456789321:user/tester"
                ]
              },


You can also add or remove principals under Key users or Key administrators.




Backout Plan:

Follow these steps to disable a key or schedule it for deletion:

Step 1: Log in to the AWS Management Console and navigate to the KMS dashboard at https://console.aws.amazon.com/kms/.

Step 2: Click on Customer managed keys in the left navigation panel.

Step 3: Select the key(s) that you want to disable or schedule for deletion.

Step 4: Click on Key actions. From the menu, click Disable; if you want to delete the key instead, click Schedule key deletion.

Step 5: If you chose Disable, tick the check box to confirm that you want to disable the key, then click the Disable key button.


  • If you chose Schedule key deletion, set the waiting period (minimum 7 days, maximum 30 days), tick the check box to confirm that you want to schedule these keys for deletion after the chosen waiting period, and then click the Schedule deletion button.


References:

  1. What is AWS Key Management Service? - AWS Key Management Service

  2. https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf

  3. https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service

  4. Determining access to an AWS KMS customer master key - AWS Key Management Service