Profile Applicability:

  • Level 2

Description:

AWS KMS (Key Management Service) allows you to create customer managed keys (CMKs) for encrypting data. Multi-Region keys allow the same KMS key to be used across multiple AWS regions, which can be convenient, but it also introduces potential risks. Ensuring that KMS CMKs are not multi-region helps to avoid cross-region key sharing vulnerabilities and can reduce the exposure of sensitive encryption keys. This SOP ensures that all KMS CMKs are region-specific, providing a more secure, localized encryption solution.

Rationale:

  • Security: Multi-region keys introduce the risk of key exposure if the key is used in multiple regions. Ensuring that CMKs are region-specific minimizes the attack surface.

  • Compliance: Many compliance standards and regulations require encryption keys to be region-specific to limit cross-border data access and better control over data protection.

  • Key Management: Managing encryption keys within a specific region reduces complexity in key lifecycle management and helps adhere to best practices for regional isolation of sensitive data.

Impact:

Pros:

  • Reduced Risk: Limits the exposure of KMS CMKs by ensuring they are not shared across multiple regions.

  • Compliance: Ensures the encryption keys adhere to regulatory requirements for region-specific data protection.

  • Easier Key Management: Managing region-specific keys is less complex and provides better control over key usage and policies.

Cons:

  • Cross-region Usage: If you require cross-region access to data, using region-specific KMS keys might necessitate the creation of separate keys for each region, leading to additional management overhead.

  • Increased Complexity: Managing keys in multiple regions may require creating new keys for each region and updating key usage policies.

Default Value:

By default, AWS KMS CMKs are created within a specific region and are not multi-region. Multi-region keys must be explicitly created when configuring KMS.

Pre-requisite:

  • AWS IAM Permissions:

    • kms:DescribeKey

    • kms:ListKeys

    • kms:ListAliases

    • kms:DescribeKey

  • AWS CLI installed and configured.

  • Ensure that you have appropriate permissions to view and manage KMS keys in your AWS account.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS KMS under Services.

  3. In the KMS Dashboard, go to Customer managed keys.

  4. For each KMS CMK:

    • Check if the Key Type is Multi-Region.

    • If Multi-Region is enabled, the key will be listed under the Multi-Region Keys section.

  5. If any KMS CMK is multi-region, it will need to be modified or deleted as per your organization's security policy.

Using AWS CLI:

  1. To list all KMS CMKs and their multi-region status, run the following command:

    aws kms list-keys --query 'Keys'

  2. For each key, check if the KeySpec indicates multi-region support. You can do this by describing the key:

    aws kms describe-key --key-id <key-id> --query 'KeyMetadata.MultiRegion'

  3. If the result is true, the KMS key is a multi-region key.

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to AWS KMS.

  2. In the KMS Dashboard, select Customer Managed Keys.

  3. Identify any multi-region keys under the Multi-Region Keys section.

  4. If you find a multi-region key:

    • Create a new region-specific KMS CMK in the desired region.

    • Update your applications or services to use the new region-specific key.

    • Delete the multi-region key to comply with security best practices.

Using AWS CLI:

  1. To disable multi-region support for a KMS CMK, you must create a new region-specific CMK. Run the following to create a new key:

    aws kms create-key --region <region> --key-spec <key-spec> --key-usage <key-usage>

  2. After creating a region-specific CMK, you can update your applications to use the new key.

  3. To delete the multi-region key:

    aws kms schedule-key-deletion --key-id <key-id> --pending-window-in-days 7

Backout Plan:

Using AWS Console:

  1. If deleting the multi-region key causes issues, you can cancel the deletion by selecting the key and choosing Cancel Deletion.

  2. If the key was incorrectly identified as multi-region, ensure that it is properly reconfigured for your region-specific needs.

Using AWS CLI:

  1. To cancel a key deletion that is in progress, run:

    aws kms cancel-key-deletion --key-id <KEY_ID>

  2. Verify that the key is no longer scheduled for deletion:

    aws kms describe-key --key-id <KEY_ID>

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.