How to Manage X-Ray Data Encrypted With KMS Master Keys?

Kubernetes Advocate
AVM Consulting Blog
5 min read · Aug 6, 2022

By default, Amazon X-Ray encrypts trace data using an AWS managed key named “aws/Xray”. To gain full control over the key that protects your X-Ray traces, create your own KMS Customer Master Key (CMK). AWS KMS then lets you rotate, disable and audit the CMK used to encrypt your X-Ray traces.

1. Sign in to the AWS Management Console.

2. Navigate to the X-Ray dashboard at https://console.aws.amazon.com/xray/home.

3. In the left navigation panel, under Configuration, select Encryption to access the encryption configuration page available for the X-Ray service.

4. On the Encryption configuration page, check the existing configuration for X-Ray traces. If the Use default encryption option is selected instead of Use a customer master key, X-Ray encrypts trace data with the AWS managed key that Amazon Web Services creates by default in the selected region, not with a CMK under your control.

5. Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

1. Run the get-encryption-config command (OSX/Linux/UNIX) with a custom query filter to return the ID of the KMS Customer Master Key (CMK) used for encryption (if any):

aws xray get-encryption-config \
  --region us-east-1 \
  --query 'EncryptionConfig.KeyId'

2. The command output should return the requested KMS key ID or null if there is no CMK used to encrypt X-Ray trace data in the selected AWS region:

null

If the get-encryption-config command returns null, as in the example above, Amazon X-Ray is not using a KMS Customer Master Key (CMK) to encrypt trace data in the selected region; instead, the service is using the default AWS managed key.

3. Change the AWS region by updating the --region parameter value and repeat steps 1 and 2 to audit the other regions.
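As an added example (not part of the original post), the following Python script runs the audit above across several regions and classifies each region's get-encryption-config output. The region names and the sample responses are constructed; only run_aws_cli touches AWS, and it is not exercised offline.

```python
import json
import subprocess
from typing import Callable, Dict


def run_aws_cli(region: str) -> dict:
    """Fetch one region's config with the AWS CLI (needs credentials; not used offline)."""
    proc = subprocess.run(
        ["aws", "xray", "get-encryption-config", "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def evaluate_encryption_config(config: dict) -> dict:
    """Classify one region's EncryptionConfig as returned by get-encryption-config.

    Compliant only when Type is "KMS" with a non-null KeyId and Status is "ACTIVE";
    an "UPDATING" status (what put-encryption-config returns) is pending, not compliant.
    """
    enc = config.get("EncryptionConfig", {})
    key_id, status = enc.get("KeyId"), enc.get("Status")
    uses_cmk = enc.get("Type") == "KMS" and bool(key_id)
    if not uses_cmk:
        reason = "default AWS managed key in use (KeyId is null)"
    elif status != "ACTIVE":
        reason = f"KMS key configured but Status is {status}"
    else:
        reason = f"KMS key {key_id}"
    return {"compliant": uses_cmk and status == "ACTIVE", "key_id": key_id, "reason": reason}


def audit_regions(regions, fetch: Callable[[str], dict] = run_aws_cli) -> Dict[str, dict]:
    """Evaluate every region; `fetch` is injectable so the logic can run offline."""
    return {region: evaluate_encryption_config(fetch(region)) for region in regions}


# Constructed sample responses (not captured from a real account) in the shapes the CLI
# returns: default encryption, a CMK still being applied, and an active CMK.
SAMPLE_RESPONSES = {
    "us-east-1": {"EncryptionConfig": {"Status": "ACTIVE", "Type": "NONE"}},
    "us-west-2": {"EncryptionConfig": {"Status": "UPDATING", "Type": "KMS",
                  "KeyId": "arn:aws:kms:us-west-2:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc"}},
    "eu-west-1": {"EncryptionConfig": {"Status": "ACTIVE", "Type": "KMS",
                  "KeyId": "arn:aws:kms:eu-west-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc"}},
}


def audit_samples() -> Dict[str, dict]:
    """Offline run over the constructed samples; pass fetch=run_aws_cli for a real audit."""
    return audit_regions(SAMPLE_RESPONSES, fetch=SAMPLE_RESPONSES.__getitem__)
```

For a live audit, call audit_regions with your own region list and the default fetch, and treat every non-compliant region as a finding.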

Resolution

To configure AWS X-Ray to encrypt traces and related data at rest with your own AWS KMS Customer Master Key (CMK), perform the following:

Using AWS CLI

1. Before you create your AWS KMS Customer Master Key (CMK), you must define a key policy that lets the selected IAM users and/or roles administer the new CMK and encrypt/decrypt X-Ray trace data through the KMS API. Create a new policy document named xray-kms-cmk-policy.json and paste the following content (replace the example account ID and the ARNs of the IAM users and/or roles with your own):

{
  "Version": "2012-10-17",
  "Id": "aws-xray-cmk-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/cc-xray-manager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/cc-xray-admin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/cc-xray-admin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

2. Run the create-key command (OSX/Linux/UNIX), passing the policy document created in the previous step (i.e. xray-kms-cmk-policy.json) as the --policy parameter, to create the new KMS CMK:

aws kms create-key \
  --region us-east-1 \
  --description 'AWS KMS CMK to encrypt X-Ray trace data' \
  --policy file://xray-kms-cmk-policy.json

3. The command output should return the metadata of the new KMS Customer Master Key. Copy the CMK ARN (the “Arn” attribute), as this identifier is required later when you specify the key used for trace data encryption:

{
  "KeyMetadata": {
    "Origin": "AWS_KMS",
    "KeyId": "aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "Description": "AWS KMS CMK to encrypt X-Ray trace data",
    "Enabled": true,
    "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyState": "Enabled",
    "CreationDate": 1517235833.150,
    "Arn": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "AWSAccountId": "123456789012"
  }
}

4. Run the create-alias command (OSX/Linux/UNIX), passing the key ARN returned in the previous step (the “Arn” attribute) as the --target-key-id value, to attach an alias to the new CMK. The alias must start with the prefix “alias/” (the command produces no output):

aws kms create-alias \
  --region us-east-1 \
  --alias-name alias/xray-trace-data-cmk \
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc

5. Run the put-encryption-config command (OSX/Linux/UNIX), passing the ARN of the Customer Master Key (CMK) created earlier as the --key-id parameter, to update the encryption configuration of the Amazon X-Ray service in the selected AWS region:

aws xray put-encryption-config \
  --region us-east-1 \
  --type KMS \
  --key-id arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc

6. The command output should return the encryption configuration metadata for AWS X-Ray. The Status is UPDATING while the change is applied; re-run get-encryption-config from the audit section until it reports ACTIVE with the CMK ARN as the KeyId:

{
  "EncryptionConfig": {
    "Status": "UPDATING",
    "KeyId": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "Type": "KMS"
  }
}

7. Change the AWS region by updating the --region parameter value and repeat the entire resolution process for the other regions.
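The key policy from step 1 is the part of this procedure that is easiest to get wrong: a wildcard principal opens the key to every AWS account, and omitting the account-root statement can leave the key unmanageable. The following Python sanity check is an added example, not the post's own code; it takes a parsed policy document (such as xray-kms-cmk-policy.json) and the account ID, and the two sample policies are constructed (one trimmed from the post, one deliberately open).

```python
from typing import List

# Data-plane actions the post's "Allow the use of the CMK" statement grants; the
# policy must let at least one principal use the key, or X-Ray callers cannot decrypt.
USE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"}

def _principals(stmt: dict) -> List[str]:
    # Normalize Principal to a list of ARN strings; a bare "*" is kept as-is.
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)

def check_key_policy(policy: dict, account_id: str) -> List[str]:
    """Return the problems found; an empty list means the policy passed the checks."""
    problems, root = [], f"arn:aws:iam::{account_id}:root"
    has_root_admin = has_use = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        sid = stmt.get("Sid", "<no Sid>")
        for prin in _principals(stmt):
            if prin == "*" and "Condition" not in stmt:
                problems.append(f"{sid}: wildcard principal with no Condition")
            elif prin != "*" and f":{account_id}:" not in prin:
                problems.append(f"{sid}: principal {prin} is outside account {account_id}")
            if prin == root and "kms:*" in actions:
                has_root_admin = True
        if actions & USE_ACTIONS:
            has_use = True
    if not has_root_admin:
        problems.append("no statement grants kms:* to the account root; the key may become unmanageable")
    if not has_use:
        problems.append("no statement grants Encrypt/Decrypt/GenerateDataKey to any principal")
    return problems

# Constructed samples: a trimmed copy of the post's policy, and a deliberately open one.
GOOD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}},
    {"Sid": "Allow the use of the CMK", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/cc-xray-admin"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]}]}
BAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Open", "Effect": "Allow", "Principal": "*", "Action": "kms:Decrypt", "Resource": "*"}]}
```

Run it over json.load(open("xray-kms-cmk-policy.json")) with your account ID before step 2 and fix every reported problem before calling create-key.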


Vineet Sharma, Founder and CEO of Kubernetes Advocate. Tech author, cloud-native architect, and startup advisor. https://in.linkedin.com/in/vineet-sharma-0164