AWS Key Management Service (KMS)

App-Tier KMS Customer Master Key (CMK) Missing

Risk Level: Low

Description

This plugin checks that at least one Amazon KMS Customer Master Key (CMK) tagged for App-Tier resources is present in the account. A KMS Customer Master Key (CMK) provides protection for data in transit. It is recommended that there be at least one KMS key for app-tier resources.

Configuration Parameters

KMS CMK Tag Key: This parameter specifies the App-Tier tag key used in your account. A vulnerability is reported if no KMS CMK carrying this tag key is found. Make sure the tag key actually exists in your account.

By default, the value is an empty string, so the plugin does not report any issue for KMS keys until a tag key is configured.

About the Service

AWS Key Management Service (KMS): AWS KMS is a managed store of cryptographic keys that your AWS resources and applications can use directly. Encrypting with KMS keys secures your resources and applications under centralized key management. Key usage across the various services can also be logged for auditing. All keys are protected by AWS KMS.

Impact

KMS keys ensure that the resources of AWS services are encrypted. Without proper encryption, data is visible to an attacker if a resource is compromised. It is recommended that there be at least one KMS key for app-tier resources to secure data in transit.


Steps to Reproduce

Using AWS Console-

  1. Log in to your AWS Console.
  2. Open the AWS KMS Console. You can use this link (https://console.aws.amazon.com/kms/) to navigate directly if already logged in.
  3. From the left navigation pane, click on Customer-managed keys.
  4. A list of the CMK keys in the region is displayed.
  5. In the Filter search bar, type the name of the Tag Key. If an empty list is returned, the vulnerability exists.
  6. Repeat these steps for all the keys you wish to examine.

Steps for Remediation

Create a Customer Master Key (CMK) with App-Tier tag.

  1. Log in to your AWS Console.
  2. Open the AWS KMS Console. You can use this link (https://console.aws.amazon.com/kms/) to navigate directly if already logged in.
  3. From the left navigation pane, click on Customer-managed keys.
  4. Click on Create Key.
  5. Follow the steps as per your requirement. In “Step 2”, add the required tag key to the key by clicking on Add Tag.
  6. Proceed to create the key.
  7. Repeat these steps for all the vulnerable tags.
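The console steps above (both the reproduction check and the remediation) can be automated. The following is an added example written for this page; it is not the plugin's own code and not an AWS or CNS artifact. It evaluates the control against data shaped like the KMS API responses (ListKeys, DescribeKey, ListResourceTags) so it runs offline on constructed sample data, and it isolates the real boto3 calls in one function for use against a live account. It goes slightly beyond the page's steps: it skips AWS-managed keys (which cannot be tagged by you) and, as a stricter assumption, keys that are pending deletion. The function names, the sample key IDs and the tag values are all made up.

```python
"""Added example: check for a customer-managed KMS key carrying the App-Tier
tag key, and build the CreateKey request used for remediation."""

# Shapes follow the KMS API: DescribeKey -> KeyMetadata dict,
# ListResourceTags -> Tags as a list of {"TagKey": ..., "TagValue": ...}.


def tagged_customer_keys(key_metadata, tags_by_key_id, tag_key):
    """Return the IDs of customer-managed, usable keys that carry tag_key.

    key_metadata:   list of KeyMetadata dicts (one per key in the region).
    tags_by_key_id: {KeyId: [{"TagKey": ..., "TagValue": ...}, ...]}.
    """
    matches = []
    for meta in key_metadata:
        # AWS-managed keys (aws/*) are not customer CMKs and cannot be tagged by the account owner.
        if meta.get("KeyManager") != "CUSTOMER":
            continue
        # Assumption for this example: a key scheduled for deletion does not satisfy the control.
        if meta.get("KeyState") == "PendingDeletion":
            continue
        tags = tags_by_key_id.get(meta["KeyId"], [])
        if any(t.get("TagKey") == tag_key for t in tags):
            matches.append(meta["KeyId"])
    return matches


def evaluate(key_metadata, tags_by_key_id, tag_key):
    """Apply the plugin's rule: an empty tag key disables the check; otherwise the
    finding exists when no tagged customer-managed key is present."""
    if not tag_key:
        return {"status": "NOT_APPLICABLE", "matching_keys": []}
    matches = tagged_customer_keys(key_metadata, tags_by_key_id, tag_key)
    return {"status": "PASS" if matches else "FAIL", "matching_keys": matches}


def create_key_request(tag_key, tag_value, description):
    """Build the keyword arguments for boto3's kms.create_key so the new CMK is
    tagged at creation time (the equivalent of 'Add Tag' in console Step 2)."""
    return {
        "Description": description,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeySpec": "SYMMETRIC_DEFAULT",
        "Tags": [{"TagKey": tag_key, "TagValue": tag_value}],
    }


def run_live(tag_key, region_name=None):
    """Collect the same data from a real account (needs kms:ListKeys,
    kms:DescribeKey and kms:ListResourceTags on the keys)."""
    import boto3  # imported here so the offline sample below needs no boto3
    kms = boto3.client("kms", region_name=region_name)
    metadata, tags = [], {}
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            metadata.append(meta)
            if meta["KeyManager"] == "CUSTOMER":
                tags[meta["KeyId"]] = kms.list_resource_tags(KeyId=meta["KeyId"]).get("Tags", [])
    return evaluate(metadata, tags, tag_key)


# Constructed sample data (not from a real account): one AWS-managed key that
# happens to carry the tag, one untagged customer key, one tagged key pending
# deletion, and one customer key tagged with something else.
SAMPLE_METADATA = [
    {"KeyId": "aaaa-1111", "KeyManager": "AWS", "KeyState": "Enabled"},
    {"KeyId": "bbbb-2222", "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    {"KeyId": "cccc-3333", "KeyManager": "CUSTOMER", "KeyState": "PendingDeletion"},
    {"KeyId": "dddd-4444", "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
]
SAMPLE_TAGS = {
    "aaaa-1111": [{"TagKey": "App-Tier", "TagValue": "db"}],
    "bbbb-2222": [{"TagKey": "Environment", "TagValue": "prod"}],
    "cccc-3333": [{"TagKey": "App-Tier", "TagValue": "web"}],
    "dddd-4444": [{"TagKey": "Owner", "TagValue": "platform"}],
}

if __name__ == "__main__":
    result = evaluate(SAMPLE_METADATA, SAMPLE_TAGS, "App-Tier")
    print(result)  # the only tagged customer key is pending deletion, so the finding exists
    if result["status"] == "FAIL":
        print(create_key_request("App-Tier", "web", "App-Tier CMK"))
```

To remediate against a live account, pass the dict returned by create_key_request to `boto3.client("kms").create_key(**params)`; the finding then clears on the next run of run_live with the same tag key.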