Description:

AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.


Rationale:

Exposure of KMS keys would have a negative impact if an external threat actor gained access to this information.


Remediation:

AWS KMS is designed so that no one, including AWS employees, can retrieve your plaintext CMKs from the service. The service uses hardware security modules (HSMs) that have been validated under FIPS 140-2, or are in the process of being validated, to protect the confidentiality and integrity of your keys regardless of whether you use AWS KMS or AWS CloudHSM to create your keys or you import them into the service yourself. Your plaintext CMKs never leave the HSMs, are never written to disk and are only ever used in the volatile memory of the HSMs for the time needed to perform your requested cryptographic operation. AWS KMS keys are never transmitted outside of the AWS regions in which they were created. Updates to software on the service hosts and to the AWS KMS HSM firmware are controlled by multi-party access control that is audited and reviewed by an independent group within Amazon as well as a NIST-certified lab in compliance with FIPS 140-2.


Encrypting PCI Data Using AWS KMS

Since security and quality controls in AWS KMS have been validated and certified to meet the requirements of PCI DSS Level 1 certification, you can directly encrypt Primary Account Number (PAN) data with an AWS KMS CMK. The use of a CMK to directly encrypt data removes some of the burden of managing encryption libraries. Additionally, a CMK can’t be exported from AWS KMS, which alleviates the concern about the encryption key being stored in an insecure manner. As all KMS requests are logged in CloudTrail, use of the CMK can be audited by reviewing the CloudTrail logs. It’s important to be aware of the requests-per-second limit when designing applications that use the CMK directly to protect Payment Card Industry (PCI) data.
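The direct-encryption pattern described above, as an added example that is not part of the original page or of AWS's own code: a PAN is passed to the KMS Encrypt call under a CMK, bound to an encryption context (which CloudTrail records with the request), and the caller backs off when KMS throttles it, which is the requests-per-second concern the text raises. The key alias, the merchant id, the test PAN and the FakeKmsClient are constructed placeholders so the code runs offline; the fake only mirrors the boto3 KMS client's Encrypt/Decrypt call shape and does no real encryption. With real boto3 you would pass boto3.client("kms") as the client instead.

```python
"""
Added example (not from the page or from AWS): encrypt a PAN directly under a
KMS CMK through a client exposing the boto3 KMS Encrypt/Decrypt call shape,
with backoff on throttling. KEY_ID and FakeKmsClient are constructed stand-ins.
"""
import base64
import time

KEY_ID = "alias/pci-pan-key"   # constructed placeholder alias, not a real key
MAX_ATTEMPTS = 5
PAN_CONTEXT_PURPOSE = "pan"


class ThrottlingError(Exception):
    """Stand-in for botocore's ClientError carrying Code ThrottlingException."""


class FakeKmsClient:
    """Constructed offline stand-in for boto3.client("kms").
    Its 'ciphertext' is NOT encryption; it only reproduces the request and
    response shape so the calling code can be exercised without AWS access.
    The first `throttle_first` calls raise a throttling error to simulate
    hitting the requests-per-second limit."""

    def __init__(self, throttle_first=0):
        self.throttle_first = throttle_first
        self.calls = 0

    @staticmethod
    def _ctx(context):
        return ",".join(f"{k}={v}" for k, v in sorted((context or {}).items()))

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        self.calls += 1
        if self.calls <= self.throttle_first:
            raise ThrottlingError("ThrottlingException")
        blob = f"{KeyId}|{self._ctx(EncryptionContext)}|".encode() + Plaintext
        return {"KeyId": KeyId, "CiphertextBlob": blob}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        key_id, ctx, data = CiphertextBlob.split(b"|", 2)
        # KMS rejects a decrypt whose context does not match the one used to encrypt.
        if ctx.decode() != self._ctx(EncryptionContext):
            raise ValueError("InvalidCiphertextException: encryption context mismatch")
        return {"KeyId": key_id.decode(), "Plaintext": data}


def _is_throttled(exc):
    """True for the fake's ThrottlingError or a botocore ClientError whose
    response carries Code ThrottlingException."""
    if isinstance(exc, ThrottlingError):
        return True
    resp = getattr(exc, "response", None)
    return isinstance(resp, dict) and resp.get("Error", {}).get("Code") == "ThrottlingException"


def encrypt_pan(client, pan, merchant_id, key_id=KEY_ID, sleep=time.sleep):
    """Encrypt a PAN directly under the CMK and return a base64 token.
    The encryption context ties the ciphertext to a merchant id and appears in
    the CloudTrail record for the request. Throttling is retried with
    exponential backoff; any other error is raised to the caller."""
    plaintext = pan.encode("ascii")
    if len(plaintext) > 4096:          # KMS Encrypt accepts at most 4096 bytes of plaintext
        raise ValueError("plaintext exceeds the KMS Encrypt limit of 4096 bytes")
    context = {"merchant_id": merchant_id, "purpose": PAN_CONTEXT_PURPOSE}
    for attempt in range(MAX_ATTEMPTS):
        try:
            resp = client.encrypt(KeyId=key_id, Plaintext=plaintext, EncryptionContext=context)
            return base64.b64encode(resp["CiphertextBlob"]).decode("ascii")
        except Exception as exc:
            if not _is_throttled(exc) or attempt == MAX_ATTEMPTS - 1:
                raise
            sleep(0.05 * (2 ** attempt))
    raise RuntimeError("unreachable")


def decrypt_pan(client, token, merchant_id):
    """Reverse of encrypt_pan; the same encryption context must be supplied."""
    context = {"merchant_id": merchant_id, "purpose": PAN_CONTEXT_PURPOSE}
    resp = client.decrypt(CiphertextBlob=base64.b64decode(token), EncryptionContext=context)
    return resp["Plaintext"].decode("ascii")


def mask_pan(pan):
    """Display form carrying only the last four digits, for logs and UIs."""
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    kms = FakeKmsClient(throttle_first=2)          # constructed: first two calls throttled
    token = encrypt_pan(kms, "4111111111111111", "merchant-42")  # constructed test PAN
    print("KMS calls made:", kms.calls)
    print("stored token:", token)
    print("recovered:", mask_pan(decrypt_pan(kms, token, "merchant-42")))
```

Only the token and the masked form should ever reach application logs; the plaintext PAN exists only between the decrypt call and its immediate use.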


AWS KMS and IAM Policies

You can use AWS Identity and Access Management (IAM) policies in combination with key policies to control access to your customer master keys (CMKs) in AWS KMS. This section discusses using IAM in the context of AWS KMS. It doesn’t provide detailed information about the IAM service. For complete IAM documentation, see the AWS IAM User Guide.

Policies attached to IAM identities (that is, users, groups, and roles) are called identity-based policies (or IAM policies). Policies attached to resources outside of IAM are called resource-based policies. In AWS KMS, you must attach resource-based policies to your customer master keys (CMKs). These are called key policies. All KMS CMKs have a key policy, and you must use it to control access to a CMK. IAM policies by themselves are not sufficient to allow access to a CMK, although you can use them in combination with a CMK key policy. To do so, ensure that the CMK key policy includes the policy statement that enables IAM policies.

By using an identity-based IAM policy, you can enforce least privilege by granting granular access to KMS API calls within an AWS account. Remember, IAM policies are based on a policy of default-denied unless you explicitly grant permission to a principal to perform an action.
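The two-layer rule described above, as an added example that is not part of the original page or of AWS's own code: a key policy containing the statement that enables IAM policies (an Allow for the account root principal on kms:*), a least-privilege identity policy that grants only Encrypt and Decrypt on one key, and a small audit helper that checks whether the combination actually grants an action. The account id and key ARN are constructed placeholders, and the evaluator is a deliberate simplification (no explicit Deny, conditions, or grants) meant for reviewing policy documents, not a replacement for IAM's own evaluation.

```python
"""
Added example (not from the page or from AWS): a key policy with the statement
that enables IAM policies, a least-privilege identity policy, and a simplified
check of what the combination allows. ACCOUNT_ID and KEY_ARN are placeholders.
"""
import json

ACCOUNT_ID = "111122223333"                                    # constructed placeholder
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/EXAMPLE-KEY-ID"  # constructed placeholder

# Key policy (resource-based, attached to the CMK). This statement delegates
# to the account root, which is what lets IAM identity policies in the account
# grant KMS permissions at all.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}

# Identity-based policy (attached to a role): only the two data-path actions
# on one specific key, instead of kms:* on "*".
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "UseOneKey", "Effect": "Allow",
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": KEY_ARN}
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(pattern, value):
    """Minimal wildcard match: "*", a trailing-* prefix such as "kms:*", or equality."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def key_policy_enables_iam(policy, account_id):
    """True if an Allow statement names the account root principal with kms:*,
    i.e. the key policy contains the statement that enables IAM policies."""
    root = f"arn:aws:iam::{account_id}:root"
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if root in principals and "kms:*" in _as_list(st.get("Action", [])):
            return True
    return False


def identity_policy_allows(policy, action, key_arn):
    """True if some Allow statement covers the action on the key ARN.
    Simplified: explicit Deny, Condition blocks and KMS grants are not modelled."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if not any(_matches(a, action) for a in _as_list(st.get("Action", []))):
            continue
        if any(_matches(r, key_arn) for r in _as_list(st.get("Resource", []))):
            return True
    return False


def iam_grants_access(key_policy, identity_policy, action, key_arn, account_id):
    """An IAM policy alone is never sufficient: the key policy must first enable
    IAM policies, and then the identity policy must allow the specific action."""
    return key_policy_enables_iam(key_policy, account_id) and \
        identity_policy_allows(identity_policy, action, key_arn)


def least_privilege_findings(policy):
    """Flag identity-policy statements that grant kms:* or use Resource "*"."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        if "kms:*" in _as_list(st.get("Action", [])):
            findings.append(f"{sid}: grants kms:*")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"{sid}: Resource is *")
    return findings


if __name__ == "__main__":
    print(json.dumps(KEY_POLICY, indent=2))
    print("key policy enables IAM:", key_policy_enables_iam(KEY_POLICY, ACCOUNT_ID))
    for action in ("kms:Decrypt", "kms:ScheduleKeyDeletion"):
        print(action, "->", iam_grants_access(KEY_POLICY, IDENTITY_POLICY, action, KEY_ARN, ACCOUNT_ID))
    print("findings:", least_privilege_findings(IDENTITY_POLICY))
```

Removing the "Enable IAM User Permissions" statement from the key policy makes iam_grants_access return False for every action even though the identity policy is unchanged, which is exactly the point the text makes about key policies being mandatory.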



Reference:

https://aws.amazon.com/kms/