Profile Applicability

  • Level 1

Description:

Customer managed keys (CMKs) are the KMS keys that an account creates, owns and controls in AWS Key Management Service (KMS), as opposed to AWS managed or AWS owned keys. Disabling a CMK causes every cryptographic operation under it to fail until the key is re-enabled; scheduling a CMK for deletion starts a waiting period of 7 to 30 days (the pendingWindowInDays), after which the key material is destroyed and anything encrypted under that key becomes permanently unrecoverable. Monitoring these two actions is therefore essential to preserving the availability and integrity of encrypted data.

Because a scheduled deletion becomes irreversible once the waiting period expires, disabling and deletion scheduling should be tracked as they happen, so that an accidental change can be reverted in time (the key re-enabled, or the deletion cancelled with CancelKeyDeletion) and an unauthorized change investigated before data access is lost.

Rationale:

Disabling or scheduling the deletion of CMKs could result in:

  • Inability to decrypt sensitive data encrypted with those keys.

  • Permanent loss of data if a key is deleted after the waiting period; KMS key material cannot be recovered after deletion and, for keys with KMS-generated material, cannot be exported or backed up, so re-encrypting the data under another key before the deletion completes is the only safeguard.

  • Compliance violations if key management practices are not properly monitored.

By monitoring changes to CMK status, organizations ensure that key lifecycle events are intentional and authorized, thereby maintaining the security of encrypted resources.

Impact:

Failure to monitor CMK disabling or deletion can result in:

  • Unintended loss of data access due to key unavailability.

  • Unauthorized disabling or scheduled deletion of keys (for example by an attacker seeking destructive impact or denial of service) going undetected until decryption starts to fail.

  • Violations of security policies or compliance requirements (e.g., GDPR, HIPAA).

Monitoring CMK changes ensures that encryption keys are managed securely and that any actions taken on them are validated.

Default Value:

By default, AWS raises no alarm or notification when a CMK is disabled or scheduled for deletion. CloudTrail does record these KMS management events (DisableKey and ScheduleKeyDeletion) in the 90-day Event history of each region, but they are only delivered to S3 or CloudWatch Logs for long-term retention and alerting if a trail has been created, and a trail configured with the "Exclude AWS KMS events" option drops them entirely.
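As an added example (not part of the original benchmark text), the following Python applies the same predicate as the CloudWatch Logs metric filter commonly used for this control to a constructed CloudTrail log file and summarizes the matching events. The account ID, key IDs and principal ARNs are placeholders; a denied attempt is included to show that failed actions are recorded as well, with errorCode set.

```python
"""Identify CMK disable / scheduled-deletion events in CloudTrail records.

Added example; the records below are constructed in the shape CloudTrail
writes (account ID, key IDs and principals are placeholders).
"""
import json

# Same predicate as the CloudWatch Logs metric filter used for this control:
#   { ($.eventSource = kms.amazonaws.com) &&
#     (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }
KMS_SOURCE = "kms.amazonaws.com"
LIFECYCLE_EVENTS = {"DisableKey", "ScheduleKeyDeletion"}

# Constructed CloudTrail log file body (the {"Records": [...]} document a
# trail delivers to S3), trimmed to the fields the check uses.
SAMPLE_LOG = json.dumps({"Records": [
    {   # routine read-only use of a key: not a lifecycle event
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": KMS_SOURCE,
        "eventName": "Decrypt", "awsRegion": "us-east-1", "readOnly": True,
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0123456789abcdef0"},
        "requestParameters": None,
    },
    {   # key disabled by an IAM user
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": KMS_SOURCE,
        "eventName": "DisableKey", "awsRegion": "us-east-1", "readOnly": False,
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"},
    },
    {   # same key scheduled for deletion with the minimum 7-day window
        "eventTime": "2024-05-01T10:06:00Z", "eventSource": KMS_SOURCE,
        "eventName": "ScheduleKeyDeletion", "awsRegion": "us-east-1", "readOnly": False,
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {
            "keyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "pendingWindowInDays": 7},
        "responseElements": {"keyState": "PendingDeletion"},
    },
    {   # a denied attempt is still recorded, with errorCode set
        "eventTime": "2024-05-01T11:00:00Z", "eventSource": KMS_SOURCE,
        "eventName": "ScheduleKeyDeletion", "awsRegion": "eu-west-1", "readOnly": False,
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {"keyId": "0000aaaa-11bb-22cc-33dd-444455556666"},
        "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform: kms:ScheduleKeyDeletion",
    },
]})


def is_cmk_lifecycle_event(record: dict) -> bool:
    """True for DisableKey / ScheduleKeyDeletion issued against KMS."""
    return (record.get("eventSource") == KMS_SOURCE
            and record.get("eventName") in LIFECYCLE_EVENTS)


def summarize_cmk_lifecycle_events(log_text: str) -> list:
    """Parse a CloudTrail log file and return one finding per matching event.

    Failed attempts (errorCode present) are kept and flagged rather than
    dropped: a denied ScheduleKeyDeletion is exactly the kind of action an
    operator wants to hear about.
    """
    findings = []
    for record in json.loads(log_text)["Records"]:
        if not is_cmk_lifecycle_event(record):
            continue
        params = record.get("requestParameters") or {}
        findings.append({
            "time": record.get("eventTime"),
            "region": record.get("awsRegion"),
            "action": record["eventName"],
            "key_id": params.get("keyId"),
            "principal": (record.get("userIdentity") or {}).get("arn"),
            # Only ScheduleKeyDeletion carries the waiting period.
            "pending_window_days": params.get("pendingWindowInDays"),
            "succeeded": "errorCode" not in record,
        })
    return findings


if __name__ == "__main__":
    for f in summarize_cmk_lifecycle_events(SAMPLE_LOG):
        outcome = "succeeded" if f["succeeded"] else "DENIED"
        window = f" (deletion in {f['pending_window_days']} days)" if f["pending_window_days"] else ""
        print(f"{f['time']} {f['region']} {f['action']} on {f['key_id']} "
              f"by {f['principal']}: {outcome}{window}")
```

The filter matches on eventSource as well as eventName, so an identically named event from another service does not produce a finding, and the region is carried through because KMS keys are regional and a key event in an unexpected region is itself worth attention.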

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • kms:DescribeKey

    • cloudtrail:DescribeTrails, cloudtrail:GetTrailStatus, cloudtrail:GetEventSelectors and cloudtrail:LookupEvents (test plan)

    • cloudtrail:PutEventSelectors (implementation plan, if KMS events turn out to be excluded from the trail)

    • config:DescribeConfigurationRecorders and config:DescribeConfigurationRecorderStatus (test plan)

    • config:PutConfigurationRecorder, config:StartConfigurationRecorder and config:StopConfigurationRecorder (implementation and backout plans)

  • A multi-region CloudTrail trail and an AWS Config configuration recorder enabled in every region that holds CMKs; KMS keys are regional resources, so a single-region trail or recorder misses key events elsewhere

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the CloudTrail Console and open the trail used for the account or organization.

  2. Under Management events, confirm that Write (or All) events are logged and that the "Exclude AWS KMS events" option is not selected; DisableKey and ScheduleKeyDeletion are write management events and are dropped when that option is set. Confirm the trail is a multi-region trail.

  3. Go to the AWS Config Console and confirm that the Configuration Recorder is on and that its recording group includes AWS::KMS::Key, either by recording all supported resource types or as an explicitly selected type.

  4. In CloudTrail Event history, filter on Event source = kms.amazonaws.com and confirm that DisableKey or ScheduleKeyDeletion events appear (if none have occurred recently, disable and re-enable a test key and confirm the DisableKey event is captured).

Using AWS CLI:

Confirm the trail exists, is multi-region and is currently logging:

aws cloudtrail describe-trails --query "trailList[?Name=='<trail-name>'].{Name:Name, S3BucketName:S3BucketName, MultiRegion:IsMultiRegionTrail}" --output table

aws cloudtrail get-trail-status --name <trail-name> --query "IsLogging"

Confirm that KMS management events are not excluded from the trail; the output should show IncludeManagementEvents true, ReadWriteType All or WriteOnly, and kms.amazonaws.com absent from ExcludeManagementEventSources:

aws cloudtrail get-event-selectors --trail-name <trail-name>

To verify that AWS Config is tracking CMK configuration changes (the query is placed in single quotes because the JMESPath literal `true` uses backticks, which a double-quoted shell string would execute as a command substitution and silently break the filter):

aws configservice describe-configuration-recorders --query 'ConfigurationRecorders[?recordingGroup.allSupported==`true`].{Name:name, RecordingGroup:recordingGroup}' --output table

A recorder that lists AWS::KMS::Key explicitly in recordingGroup.resourceTypes instead of recording all supported types is also acceptable; drop the filter to inspect it. Then confirm the recorder is running:

aws configservice describe-configuration-recorder-status --query "ConfigurationRecordersStatus[].{Name:name, Recording:recording}" --output table
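
The checks above can be applied mechanically to the JSON the CLI returns. The following Python is an added example, not part of the original benchmark text: it evaluates constructed describe-trails, get-trail-status, get-event-selectors, describe-configuration-recorders and describe-configuration-recorder-status output (trail and recorder names, ARNs and bucket names are placeholders) and reports why a trail or recorder would miss a DisableKey or ScheduleKeyDeletion on a CMK. It also handles trails that use advanced event selectors and recorders that use the exclusion-by-resource-type strategy, which the CLI queries above do not cover.

```python
"""Evaluate CloudTrail and AWS Config settings for coverage of KMS key lifecycle events.

Added example: applies the test-plan checks to the JSON the listed AWS CLI
commands return. The documents below are constructed in that shape; names,
ARNs and bucket names are placeholders.
"""

KMS_SOURCE = "kms.amazonaws.com"
KMS_KEY_TYPE = "AWS::KMS::Key"

# describe-trails -> trailList[i]
TRAIL_OK = {"Name": "org-trail", "S3BucketName": "example-cloudtrail-logs",
            "IsMultiRegionTrail": True, "HomeRegion": "us-east-1"}
TRAIL_BAD = {"Name": "us-east-1-only", "S3BucketName": "example-cloudtrail-logs",
             "IsMultiRegionTrail": False, "HomeRegion": "us-east-1"}
# get-trail-status
STATUS_LOGGING = {"IsLogging": True}
# get-event-selectors; the second document has "Exclude AWS KMS events" set
SELECTORS_OK = {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                                    "DataResources": [], "ExcludeManagementEventSources": []}]}
SELECTORS_KMS_EXCLUDED = {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                                              "DataResources": [],
                                              "ExcludeManagementEventSources": [KMS_SOURCE]}]}
# the same trail configured with advanced event selectors, write events only
SELECTORS_ADVANCED_OK = {"AdvancedEventSelectors": [{"Name": "Management write events",
    "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]},
                       {"Field": "readOnly", "Equals": ["false"]}]}]}
# describe-configuration-recorders -> ConfigurationRecorders[i]
RECORDER_ALL = {"name": "default", "roleARN": "arn:aws:iam::111122223333:role/aws-config-role",
                "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True,
                                   "resourceTypes": []}}
RECORDER_PARTIAL = {"name": "default", "roleARN": "arn:aws:iam::111122223333:role/aws-config-role",
                    "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                                       "resourceTypes": ["AWS::EC2::Instance", "AWS::S3::Bucket"]}}
# describe-configuration-recorder-status -> ConfigurationRecordersStatus[i]
RECORDER_RECORDING = {"name": "default", "recording": True}


def _basic_selector_ok(sel: dict) -> bool:
    """Classic event selector that keeps KMS write management events."""
    return (sel.get("IncludeManagementEvents", False)
            and sel.get("ReadWriteType", "All") in ("All", "WriteOnly")
            and KMS_SOURCE not in sel.get("ExcludeManagementEventSources", []))


def _advanced_selector_ok(sel: dict) -> bool:
    """Advanced event selector that keeps KMS write management events."""
    def values(field, operator):
        return [v for f in sel.get("FieldSelectors", []) if f.get("Field") == field
                for v in f.get(operator, [])]
    equals_sources = values("eventSource", "Equals")
    return ("Management" in values("eventCategory", "Equals")
            and "true" not in values("readOnly", "Equals")          # not read-only only
            and KMS_SOURCE not in values("eventSource", "NotEquals")  # KMS not excluded
            and (not equals_sources or KMS_SOURCE in equals_sources))


def trail_gaps(trail: dict, status: dict, selectors: dict) -> list:
    """Reasons this trail would miss DisableKey / ScheduleKeyDeletion; [] means none."""
    gaps = []
    if not trail.get("IsMultiRegionTrail"):
        gaps.append("single-region trail: KMS keys are regional, key events elsewhere are not captured")
    if not status.get("IsLogging"):
        gaps.append("trail is not logging")
    basic = selectors.get("EventSelectors", [])
    advanced = selectors.get("AdvancedEventSelectors", [])
    if not (any(map(_basic_selector_ok, basic)) or any(map(_advanced_selector_ok, advanced))):
        gaps.append("no selector records KMS write management events (KMS excluded or read-only only)")
    return gaps


def recorder_gaps(recorder: dict, status: dict) -> list:
    """Reasons AWS Config would not record AWS::KMS::Key changes; [] means none."""
    gaps = []
    if not status.get("recording"):
        gaps.append("configuration recorder is stopped")
    group = recorder.get("recordingGroup", {})
    if group.get("recordingStrategy", {}).get("useOnly") == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        covered = KMS_KEY_TYPE not in excluded
    else:
        covered = group.get("allSupported", False) or KMS_KEY_TYPE in group.get("resourceTypes", [])
    if not covered:
        gaps.append(f"recording group does not include {KMS_KEY_TYPE}")
    return gaps


if __name__ == "__main__":
    for name, gaps in [("org-trail", trail_gaps(TRAIL_OK, STATUS_LOGGING, SELECTORS_OK)),
                       ("us-east-1-only", trail_gaps(TRAIL_BAD, STATUS_LOGGING, SELECTORS_KMS_EXCLUDED)),
                       ("recorder/all", recorder_gaps(RECORDER_ALL, RECORDER_RECORDING)),
                       ("recorder/partial", recorder_gaps(RECORDER_PARTIAL, RECORDER_RECORDING))]:
        print(f"{name}: {'PASS' if not gaps else 'FAIL: ' + '; '.join(gaps)}")
```

In a real run the five documents would come from the CLI calls listed above (one describe-trails entry per trail, one recorder per region). An empty list from both functions is the pass condition for this test plan.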

Implementation Plan:

Using AWS Console:

  1. Enable CloudTrail logging for KMS actions:

    • Go to the CloudTrail Console.

    • Ensure Management Events are enabled, especially for KMS operations, and that logs are stored in an S3 bucket for long-term access.

  2. Enable AWS Config to monitor KMS configurations:

    • In the AWS Config Console, enable the Configuration Recorder.

    • Ensure that KMS keys are included as part of the configuration recording to track any changes to CMK status.

Using AWS CLI:

  1. Verify CloudTrail is logging CMK-related events:

aws cloudtrail describe-trails --query "trailList[?Name=='<trail-name>'].{Name:Name, S3BucketName:S3BucketName, MultiRegion:IsMultiRegionTrail}" --output table

aws cloudtrail get-event-selectors --trail-name <trail-name>

If kms.amazonaws.com appears in ExcludeManagementEventSources, or management events are read-only, re-apply the event selectors with put-event-selectors so that write management events are included and the exclusion list is empty. put-event-selectors replaces every selector on the trail, so carry over any existing data event selectors.

  2. Enable AWS Config to track CMK configurations. If the recorder already records all supported resource types, AWS::KMS::Key is included and nothing needs to change. Otherwise add it to the recording group; put-configuration-recorder replaces the whole recording group, so list the resource types that are already recorded alongside it:

aws configservice put-configuration-recorder --configuration-recorder name=<recorder-name>,roleARN=<config-role-arn> --recording-group '{"allSupported": false, "includeGlobalResourceTypes": false, "resourceTypes": ["AWS::KMS::Key", "<existing-resource-types>"]}'

aws configservice start-configuration-recorder --configuration-recorder-name <recorder-name>

Backout Plan:

Using AWS Console:

  1. If monitoring CMK changes produces an unacceptable log volume or cost:

    • Go to the CloudTrail Console.

    • Change the trail's management event logging from All to Write only. This drops the high-volume read events (Decrypt, DescribeKey and similar) while still recording DisableKey and ScheduleKeyDeletion. Do not select "Exclude AWS KMS events": CloudTrail excludes KMS management events as a whole, not individual operations, so that option removes exactly the events this control depends on.

  2. Modify AWS Config settings to narrow the recorded resource types, or stop the recorder temporarily. Removing AWS::KMS::Key from the recording group disables this control and should be treated as a deliberate, approved exception.

Using AWS CLI:

  1. If excessive log volume or cost occurs:

    • Temporarily stop the configuration recorder:

aws configservice stop-configuration-recorder --configuration-recorder-name <recorder-name>

  2. To modify the scope of tracked resources:

    • Update the recording group. This replaces the existing recording group, so list every resource type that should remain recorded:

aws configservice put-configuration-recorder --configuration-recorder name=<recorder-name>,roleARN=<config-role-arn> --recording-group '{"allSupported": false, "includeGlobalResourceTypes": false, "resourceTypes": ["<resource-types-to-keep>"]}'

  3. Re-enable monitoring once issues are resolved:

aws configservice start-configuration-recorder --configuration-recorder-name <recorder-name>

References:

CIS Controls Mapping:

CIS Control Version | Control ID | Control Description
--------------------|------------|-----------------------------------------------------------------
CIS v8              | 4.9        | Perform Continuous Security Monitoring and Incident Detection
CIS v7              | 6.3        | Monitor Security Configurations for Compliance
CIS v7              | 5.2        | Securely Manage and Monitor Cloud Accounts and Services