Performing Audit On Your AWS KMS Cryptographic Keys

Swwapnil Pawar
The Security Chef
5 min read · Jan 8, 2023


Fig. AWS KMS Audit

In this article, we are going to learn how to work with AWS monitoring services to control and understand the usage, state, and availability of your customer master keys (CMKs) in AWS KMS.

Monitoring is an important aspect to consider in your design to ensure the reliability, maintainability, and performance of your AWS solutions.

Please refer to the AWS whitepaper AWS Key Management Service Best Practices for more details and guidelines.

In the context of AWS KMS, you can monitor the following:

  • All key-related activity, for example, any actions on the key using AWS KMS API, such as EnableKey, CreateKey, ImportKeyMaterial, etc.
  • All key usage-related activity, for example, calls to Encrypt or Decrypt AWS KMS API
  • AWS KMS and CMK-related events and metrics, such as key expiration, key rotation, or time remaining until imported key material expiration
  • Changes to a key policy, which may expose the key to AWS principals outside your zone of trust (your account or your organization)

To audit your AWS KMS keys, you can do the following:

1. Check the key policies attached to your keys. Make sure that the policies have the appropriate permissions and that they are being applied to the correct users and resources. Key policies should only grant the minimum permissions necessary to perform the required tasks. This helps to reduce the risk of unauthorized access or misuse of your keys.

The below screenshot shows a sample default key policy applied to KMS:

Fig.1. AWS KMS Key Policy

2. Monitor the key usage. Use CloudTrail logs or the AWS Management Console to track how your keys are being used and by whom. This can help you identify any unauthorized access or usage of your keys.

AWS KMS is integrated with CloudTrail, and CloudTrail is what you use to monitor and audit the usage of your keys. CloudTrail captures all KMS API calls made on keys in your AWS account, so you can use its logs to determine which API was called, who called it and when, what the IP address of the caller was, and so on.

To see how CloudTrail captures AWS KMS API calls, use the KMS CMK you created to generate a data key, then inspect the resulting event:

Go to the AWS Console and navigate to the CloudTrail service. In the CloudTrail console go to the Event history — here you have the full history of all CloudTrail-captured events on your account. Filter events on Event Name = GenerateDataKey.

You will see the GenerateDataKey operations that you performed. Depending on other resources and settings in your AWS account, you may also see GenerateDataKey calls made by other AWS services on your behalf:

Fig. Cloudtrail Logging (PC: AWS)

3. Rotate your keys regularly. Regularly rotating your keys helps to ensure that any potential compromise of a key can be quickly detected and mitigated. Enabling automatic rotation in KMS ensures that your keys are rotated on a regular basis without manual intervention, helping to further reduce the risk of unauthorized access.

Fig. KMS Rotation
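The rotation and lifecycle checks from item 3 (and the expiry and deletion events listed earlier) can be run over the metadata that KMS returns for each key. The script below is an added example, not code from the original article: it works on dictionaries shaped like boto3's `kms.describe_key()["KeyMetadata"]` paired with the value of `kms.get_key_rotation_status()["KeyRotationEnabled"]`, but the inventory is constructed inline (made-up key IDs and the sample account id 111122223333) so it runs offline. It also handles the cases where a rotation finding would be wrong: AWS managed keys, imported key material, and asymmetric keys.

```python
"""
Audit AWS KMS key metadata for rotation and lifecycle issues.

Added example, not code from the original article. Each entry mimics the
shape of boto3's kms.describe_key()["KeyMetadata"] paired with the value of
kms.get_key_rotation_status()["KeyRotationEnabled"]; the data is constructed
inline so the script runs offline (key IDs and the account id 111122223333
are made-up sample values).
"""
from datetime import datetime, timedelta, timezone

# Fixed reference time so the output is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2023, 1, 8, tzinfo=timezone.utc)
ACCOUNT = "111122223333"  # constructed account id


def _key(key_id, rotation_enabled, **overrides):
    """Build a constructed (KeyMetadata, rotation_enabled) pair with sane defaults."""
    meta = {
        "KeyId": key_id,
        "Arn": f"arn:aws:kms:us-east-1:{ACCOUNT}:key/{key_id}",
        "KeyManager": "CUSTOMER",
        "KeySpec": "SYMMETRIC_DEFAULT",
        "Origin": "AWS_KMS",
        "KeyState": "Enabled",
    }
    meta.update(overrides)
    return meta, rotation_enabled


SAMPLE_INVENTORY = [
    _key("key-0001-no-rotation", False),
    _key("key-0002-rotating", True),
    _key("key-0003-imported", False, Origin="EXTERNAL",
         ValidTo=NOW + timedelta(days=5)),
    _key("key-0004-deleting", False, KeyState="PendingDeletion",
         DeletionDate=NOW + timedelta(days=7)),
    _key("key-0005-aws-managed", True, KeyManager="AWS"),
    _key("key-0006-rsa", False, KeySpec="RSA_2048", KeyUsage="SIGN_VERIFY"),
]


def audit_key(meta, rotation_enabled, now=NOW, expiry_warn_days=30):
    """Return a list of finding strings for one key (empty list means no issue)."""
    findings = []
    key_id = meta["KeyId"]

    # AWS managed keys are rotated and governed by AWS; nothing to configure here.
    if meta.get("KeyManager") == "AWS":
        return findings

    if meta.get("KeyState") == "PendingDeletion":
        when = meta.get("DeletionDate")
        days = (when - now).days if when else "?"
        findings.append(f"{key_id}: pending deletion in {days} days; confirm this is intended")
        return findings  # other checks are moot for a key being deleted

    if meta.get("Origin") == "EXTERNAL":
        # Imported key material cannot be auto-rotated; its expiry is what to watch.
        valid_to = meta.get("ValidTo")
        if valid_to is not None and (valid_to - now).days <= expiry_warn_days:
            findings.append(f"{key_id}: imported key material expires in {(valid_to - now).days} days")
        return findings

    # Automatic rotation applies only to symmetric encryption keys with AWS_KMS origin.
    if meta.get("KeySpec") == "SYMMETRIC_DEFAULT" and not rotation_enabled:
        findings.append(f"{key_id}: automatic key rotation is disabled")

    return findings


def audit_inventory(inventory, now=NOW):
    """Audit every (KeyMetadata, rotation_enabled) pair and return all findings."""
    findings = []
    for meta, rotation_enabled in inventory:
        findings.extend(audit_key(meta, rotation_enabled, now))
    return findings


if __name__ == "__main__":
    for line in audit_inventory(SAMPLE_INVENTORY):
        print(line)
```

In a real account you would populate the inventory by paging through `kms.list_keys()` and calling `describe_key` and `get_key_rotation_status` for each key; the checks themselves stay the same.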

4. Monitor the key’s event history. The event history for a key provides a record of all the actions performed on the key, including key creation, deletion, and usage. This can help you identify any unusual or suspicious activity.

Fig. Cloudtrail Event History

5. Enable CloudTrail logging for your AWS account. This will allow you to track API calls made to KMS and other AWS services, which can help you identify any unauthorized access to your keys.

To understand more about the key usage, you can open a specific CloudTrail event and see many further details of the operation. For example, you can see who made the call, from what account, from what application, and much more:

Fig. Cloudtrail Event Details (PC: AWS)

6. Implement notifications based on AWS CloudTrail events coming from AWS KMS.
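Items 2, 4, 5 and 6 all come down to reading KMS events out of CloudTrail. The script below is an added example, not code from the original article: it summarises data-plane usage per key and caller, and separates out the administrative events (policy changes, deletion scheduling, disabling rotation) and calls from accounts outside your zone of trust that you would wire to a notification. The records are constructed to follow the CloudTrail event JSON layout (`eventSource`, `eventName`, `userIdentity`, `sourceIPAddress`, `resources`); the key ARN, account ids, role and user names and IP addresses are made-up values.

```python
"""
Summarise AWS KMS key usage and flag high-risk key administration events
from CloudTrail records.

Added example, not code from the original article. The records below are
constructed to follow the CloudTrail event JSON layout; the key ARN, account
ids, role and user names and IP addresses are made-up sample values.
"""
from collections import Counter, defaultdict

TRUSTED_ACCOUNTS = {"111122223333"}  # constructed: your own account(s), the zone of trust
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Data-plane operations that represent key usage.
DATA_OPERATIONS = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
                   "GenerateDataKeyWithoutPlaintext"}
# Administrative operations worth a notification.
ALERT_OPERATIONS = {"PutKeyPolicy", "ScheduleKeyDeletion", "DisableKey",
                    "DisableKeyRotation", "DeleteImportedKeyMaterial"}


def _event(name, identity, ip, time):
    """Build one constructed CloudTrail record for the sample key."""
    return {"eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": name,
            "userIdentity": identity, "sourceIPAddress": ip,
            "resources": [{"ARN": KEY_ARN}]}


APP_ROLE = {"type": "AssumedRole", "accountId": "111122223333",
            "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc123"}
ADMIN_USER = {"type": "IAMUser", "accountId": "111122223333",
              "arn": "arn:aws:iam::111122223333:user/admin"}
CONTRACTOR = {"type": "IAMUser", "accountId": "999988887777",
              "arn": "arn:aws:iam::999988887777:user/contractor"}
S3_SERVICE = {"type": "AWSService", "invokedBy": "s3.amazonaws.com"}

SAMPLE_EVENTS = [  # constructed records
    _event("GenerateDataKey", S3_SERVICE, "s3.amazonaws.com", "2023-01-08T10:00:01Z"),
    _event("Decrypt", APP_ROLE, "10.0.1.25", "2023-01-08T10:00:05Z"),
    _event("Decrypt", APP_ROLE, "10.0.1.25", "2023-01-08T10:00:06Z"),
    _event("Decrypt", CONTRACTOR, "203.0.113.10", "2023-01-08T10:02:00Z"),
    _event("DescribeKey", ADMIN_USER, "198.51.100.7", "2023-01-08T11:00:00Z"),
    _event("PutKeyPolicy", ADMIN_USER, "198.51.100.7", "2023-01-08T11:01:00Z"),
    _event("ScheduleKeyDeletion", ADMIN_USER, "198.51.100.7", "2023-01-08T11:05:00Z"),
]


def caller_of(event):
    """Human-readable caller: the invoking service, or the IAM/STS principal ARN."""
    identity = event.get("userIdentity", {})
    if identity.get("type") == "AWSService":
        return identity.get("invokedBy", "unknown-service")
    return identity.get("arn", "unknown")


def caller_account(event):
    """Account id of the caller, taken from userIdentity or parsed from its ARN."""
    identity = event.get("userIdentity", {})
    if "accountId" in identity:
        return identity["accountId"]
    parts = identity.get("arn", "").split(":")
    return parts[4] if len(parts) > 4 else None


def key_usage_summary(events):
    """Count data operations per key: {key_arn: Counter({(eventName, caller): n})}."""
    summary = defaultdict(Counter)
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if ev.get("eventName") not in DATA_OPERATIONS:
            continue
        for res in ev.get("resources", []):
            summary[res["ARN"]][(ev["eventName"], caller_of(ev))] += 1
    return summary


def alerts(events, trusted_accounts=TRUSTED_ACCOUNTS):
    """Return the events that should trigger a notification, with the reason."""
    found = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        name = ev.get("eventName")
        account = caller_account(ev)
        if name in ALERT_OPERATIONS:
            found.append({"eventName": name, "caller": caller_of(ev),
                          "reason": f"key administration event {name}"})
        if account and account not in trusted_accounts:
            found.append({"eventName": name, "caller": caller_of(ev),
                          "reason": f"caller from untrusted account {account} "
                                    f"({ev.get('sourceIPAddress')})"})
    return found


if __name__ == "__main__":
    for key, counts in key_usage_summary(SAMPLE_EVENTS).items():
        print(key)
        for (op, who), n in counts.items():
            print(f"  {n:3d}  {op:<20} {who}")
    for a in alerts(SAMPLE_EVENTS):
        print(f"ALERT {a['eventTime'] if 'eventTime' in a else ''}{a['eventName']}: {a['reason']} ({a['caller']})")
```

The same two functions work unchanged on records read from the gzipped JSON files CloudTrail delivers to S3 (each file has a top-level `Records` list), and the `ALERT_OPERATIONS` set is the list of event names you would put in an EventBridge rule to get the notifications item 6 describes.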


7. Use AWS IAM Access Analyzer to audit principals' access

AWS KMS key policies are used to grant permissions on KMS keys to other AWS principals (IAM users, roles, or services) in your AWS account, or across AWS accounts. While it is necessary to grant specific permissions to certain AWS principals, access to your KMS keys should follow the least-privilege and need-to-have principles.

AWS IAM Access Analyzer is an AWS service that helps you identify the resources in your organization and accounts that are shared with an external entity. The resources supported by Access Analyzer include AWS KMS keys. Access Analyzer identifies AWS KMS keys that are shared with external principals outside your zone of trust by using automated reasoning (formal logic) to analyze the key policies in your AWS account.

Fig. IAM Access Analyzer
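Items 1 and 7 both come down to reading a key policy and asking who it lets in. The script below is an added example, not code from the original article and not how IAM Access Analyzer itself works (it is a plain static check over the policy JSON, not automated reasoning). It flags principals from accounts outside a trusted set, wildcard principals with and without a `Condition`, and non-root principals granted `kms:*`. The two policies are constructed samples with made-up account ids; the first mirrors the shape of the default key policy shown in Fig.1, which delegates access control to IAM in the key's own account, and should produce no findings.

```python
"""
Flag AWS KMS key policy statements that grant access outside your zone of
trust or more than least privilege.

Added example, not code from the original article and not IAM Access
Analyzer's own method. The policies below are constructed samples (account
ids are made up); the first mirrors the shape of the default key policy.
"""
import json

TRUSTED_ACCOUNTS = {"111122223333"}  # constructed: your own account(s)

DEFAULT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [{
    "Sid": "Enable IAM User Permissions",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*",
    "Resource": "*"
  }]
}""")

SHARED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow partner account to decrypt", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::999988887777:role/PartnerRole", "444455556666"]},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    {"Sid": "Anyone", "Effect": "Allow", "Principal": "*",
     "Action": "kms:Encrypt", "Resource": "*"},
    {"Sid": "Anyone in org", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "kms:Decrypt", "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "Broad admin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
     "Action": "kms:*", "Resource": "*"}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principals(stmt):
    """Yield (kind, value) pairs from a statement's Principal element."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        yield ("AWS", "*")
        return
    for kind, values in principal.items():
        for value in _as_list(values):
            yield (kind, value)


def account_of(principal):
    """Account id for an ARN or bare account-id principal; None for wildcards."""
    if principal == "*":
        return None
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if parts[0] == "arn" and len(parts) > 4 else None


def analyze_key_policy(policy, trusted_accounts=TRUSTED_ACCOUNTS):
    """Return a list of finding strings for the Allow statements of a key policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        has_condition = bool(stmt.get("Condition"))
        actions = _as_list(stmt.get("Action", []))
        for kind, value in principals(stmt):
            if kind == "Service":
                continue  # service principals are reviewed separately
            if value == "*":
                if has_condition:
                    findings.append(f"{sid}: wildcard principal limited by a Condition; review the condition keys")
                else:
                    findings.append(f"{sid}: wildcard principal with no Condition grants {actions} to anyone")
                continue
            account = account_of(value)
            if account and account not in trusted_accounts:
                findings.append(f"{sid}: external principal {value} (account {account}) granted {actions}")
            elif "kms:*" in actions and not value.endswith(":root"):
                findings.append(f"{sid}: {value} granted kms:* (full admin); apply least privilege")
    return findings


if __name__ == "__main__":
    for finding in analyze_key_policy(SHARED_POLICY):
        print(finding)
```

To run this against a live key, feed it `json.loads(kms.get_key_policy(KeyId=..., PolicyName="default")["Policy"])`; Access Analyzer remains the authoritative tool because it also reasons about conditions and organization membership, which this check only reports for review.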

If you find any issues with the keys or their usage, take appropriate action to resolve the issue. This may include updating the key policy, enabling key rotation, or disabling or deleting the key.

By following these steps, you can help ensure the security of your KMS keys and protect your data.

If you like the article, Please clap it and share it. ;)

Swwapnil Pawar
The Security Chef

Entrepreneur, Cloud Evangelist, AWS/Google Certified Architect, Building Cool Things With Serverless. Avid Reader