Protecting and Securing AWS Accounts with KMS keys

Kubernetes Advocate
AVM Consulting Blog
4 min read · Aug 24, 2022

Allowing anonymous access to your AWS KMS keys is considered bad practice and can lead to sensitive data leakage. One common scenario is when an AWS user grants permissions to everyone for using the KMS key but forgets to add the Condition clauses to the key policy in order to filter the access to certain accounts.

Using AWS CLI

1. Run the list-aliases command (OSX/Linux/UNIX) to list the identifiers (i.e. IDs) of all AWS KMS master keys currently available in the selected region:

aws kms list-aliases \
--region us-east-1 \
--query 'Aliases[*].TargetKeyId'

2. The command output should return the IDs of the available KMS keys:

[
"c84a8fab-6c42-4b33-ad64-a8e0b0ec0a15",
"4102e0f2-ec36-4f3c-806a-89f454193ba9"
]

3. Run the get-key-policy command (OSX/Linux/UNIX) using the KMS key ID returned at the previous step to describe the access policy used by the selected key:

aws kms get-key-policy \
--region us-east-1 \
--key-id c84a8fab-6c42-4b33-ad64-a8e0b0ec0a15 \
--policy-name default

4. The command output should return the KMS master key access policy in JSON format:

{
  "Version": "2012-10-17",
  "Id": "KeyPolicy1568312727239560",
  "Statement": [
    {
      "Sid": "StmtID1672333338115",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    ...
    {
      "Sid": "StmtID17223737238244",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/redshift-manager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    }
  ]
}

If the "Principal" element value is set to { "AWS": "*" } and the policy statement does not use any Condition clause to filter access, as shown in the example above, the selected AWS KMS master key is publicly accessible.

5. Repeat steps 3 and 4 to determine whether other KMS master keys available in the current region are open to public access.

6. Change the AWS region by updating the --region command parameter value and repeat steps 1–5 to perform the audit process for other regions.
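As an added example (my own code, not from the article or AVM Consulting), the script below automates the check in steps 3 and 4 for a whole region: it flags Allow statements whose Principal is a wildcard and which carry no Condition. It assumes boto3 and credentials with kms:ListKeys and kms:GetKeyPolicy, walks list_keys rather than list_aliases so keys without an alias are not skipped, and the sample policy is constructed from the output shown above.

```python
import json

# Constructed sample modelled on the audit output above: the first statement is
# open to any principal, the second is scoped to one role (sample values only).
SAMPLE_PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "StmtID1672333338115", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "StmtID17223737238244", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/redshift-manager"},
         "Action": ["kms:Describe*", "kms:List*"], "Resource": "*"},
    ],
})

def principal_is_wildcard(principal):
    """True for "*" or {"AWS": "*"}, including "*" inside a list of principals."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def find_public_statements(policy_document):
    """Sids of Allow statements with a wildcard principal and no Condition.
    As in the article's manual check, any Condition block (e.g. kms:CallerAccount)
    is taken as scoping the wildcard; its contents still deserve a look."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry one un-listed statement
        statements = [statements]
    return [stmt.get("Sid", "<no Sid>") for stmt in statements
            if stmt.get("Effect") == "Allow"
            and principal_is_wildcard(stmt.get("Principal"))
            and not stmt.get("Condition")]

def audit_region(region):
    """Run the check over every key in one region via boto3 (assumed installed;
    the caller needs kms:ListKeys and kms:GetKeyPolicy)."""
    import boto3  # imported lazily so the policy check above also runs offline
    kms = boto3.client("kms", region_name=region)
    findings = {}
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            doc = kms.get_key_policy(KeyId=key["KeyId"], PolicyName="default")["Policy"]
            if hits := find_public_statements(doc):
                findings[key["KeyId"]] = hits
    return findings
```

audit_region("us-east-1") returns a dict of key ID to offending Sids; an empty dict means no key in that region grants unconditioned wildcard access.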

Remediation

To block anonymous access to your Amazon KMS master keys, perform the following:

Using AWS CLI

1. First, define the necessary access policy for your AWS KMS key and save it in a JSON file named kms-account-based-access-policy.json. You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build your custom access policies. The following example describes a policy document that grants access to an AWS account identified by the ID number 456139253105 to perform any actions on the selected KMS master key:

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-10",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "kms:*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "456139253105"
        }
      },
      "Resource": "*"
    },
    ...
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/redshift-manager"
      },
      "Action": [
        "kms:CreateGrant*",
        "kms:ListGrants*",
        "kms:RevokeGrant*"
      ],
      "Resource": "*"
    }
  ]
}

2. Run the put-key-policy command (OSX/Linux/UNIX) using the ID of the KMS master key that you want to reconfigure (see the Audit section above to identify the right KMS key) to replace the existing access policy with the one defined at the previous step, i.e. kms-account-based-access-policy.json (the command returns no output):

aws kms put-key-policy \
--region us-east-1 \
--key-id c84a8fab-6c42-4b33-ad64-a8e0b0ec0a15 \
--policy-name default \
--policy file://kms-account-based-access-policy.json

3. Repeat steps no. 1 and 2 to update the access policy for other AWS KMS keys available in the current region in order to block public access.

4. Change the AWS region by updating the --region command parameter value and repeat steps 1–3 to perform the entire process for other regions.


Vineet Sharma, Founder and CEO of Kubernetes Advocate. Tech author, cloud-native architect, and startup advisor. https://in.linkedin.com/in/vineet-sharma-0164