AWS Unused KMS Key
Risk Level: Low
Description
This plugin checks for disabled KMS customer master keys (CMKs) in your AWS account. A disabled KMS key adds unnecessary charges to your AWS account while performing no encryption for any service.
About the Service
AWS Key Management Service (KMS): AWS KMS is a managed store of cryptographic keys that your AWS resources and applications can use directly. Encrypting with KMS keys secures your resources and applications under centralized key management, and key usage across services can be logged for auditing. All keys are protected by AWS KMS.
Impact
Unnecessary KMS keys add to your account's bill, and disabled keys perform no encryption. It is advisable to remove such keys to avoid the charges.
Steps to Reproduce
Using the AWS Console:
- Log in to your AWS Console.
- Open the AWS KMS console. If you are already logged in, you can use this link (https://console.aws.amazon.com/kms/) to navigate there directly.
- From the left navigation pane, click Customer-managed keys.
- A list of the customer managed keys (CMKs) in the region is displayed.
- Check the Status column. If it reads “Disabled”, the vulnerability exists.
- Repeat these steps for every key you wish to examine.
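The same check performed against the KMS API instead of the console, as an added example (not the plugin's own code): `find_disabled_cmks` flags customer managed keys whose KeyState is Disabled given KeyMetadata records from kms:DescribeKey, and `collect_key_metadata` gathers those records with boto3 for one region when credentials are available. The sample records are constructed, and the check is per region, as in the console steps.

```python
from typing import Dict, Iterable, List

def find_disabled_cmks(key_metadata: Iterable[Dict]) -> List[Dict]:
    """Return one finding per customer managed key whose KeyState is Disabled.
    Input items are KeyMetadata dicts as returned by kms:DescribeKey. AWS managed
    keys (KeyManager "AWS") are skipped: the account owner cannot disable them.
    Keys already in PendingDeletion are not reported, since scheduling deletion
    is the remediation for this finding.
    """
    findings = []
    for md in key_metadata:
        if md.get("KeyManager") != "CUSTOMER" or md.get("KeyState") != "Disabled":
            continue
        arn = md.get("Arn", "")
        findings.append({
            "KeyId": md["KeyId"],
            "Arn": arn,
            "Region": arn.split(":")[3] if arn.count(":") >= 5 else None,
            "Description": md.get("Description", ""),
        })
    return findings

def collect_key_metadata(region_name: str) -> List[Dict]:
    """Walk paginated kms:ListKeys and describe every key (needs boto3 + credentials;
    imported lazily so the offline check above works without them)."""
    import boto3
    kms = boto3.client("kms", region_name=region_name)
    metadata = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            metadata.append(kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"])
    return metadata

# Constructed sample records (not from a real account) so the check runs offline.
def _rec(n: int, manager: str, state: str, desc: str) -> Dict:
    kid = f"0000aaaa-0000-4000-8000-00000000000{n}"
    return {"KeyId": kid, "KeyManager": manager, "KeyState": state, "Description": desc,
            "Arn": f"arn:aws:kms:us-east-1:123456789012:key/{kid}"}

SAMPLE_KEYS = [
    _rec(1, "CUSTOMER", "Enabled", "app-db"),
    _rec(2, "CUSTOMER", "Disabled", "old-backup"),          # the only finding
    _rec(3, "AWS", "Enabled", "Default master key for S3"),  # AWS managed: skipped
    _rec(4, "CUSTOMER", "PendingDeletion", "retired"),      # already scheduled
]

if __name__ == "__main__":
    for finding in find_disabled_cmks(SAMPLE_KEYS):
        print(f"Disabled CMK {finding['KeyId']} in {finding['Region']}: {finding['Description']}")
```

To scan a real region, pass `collect_key_metadata("us-east-1")` to `find_disabled_cmks` instead of `SAMPLE_KEYS`.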
Steps for Remediation
Delete unused AWS KMS keys.
- Log in to your AWS Console.
- Open the AWS KMS console. If you are already logged in, you can use this link (https://console.aws.amazon.com/kms/) to navigate there directly.
- From the left navigation pane, click Customer-managed keys.
- A list of the customer managed keys (CMKs) in the region is displayed. Select the vulnerable key by clicking its Key ID.
- From the Actions menu, select “Schedule key deletion”. Specify the waiting period in days after which the key will be deleted. Deleting a key is irreversible and makes any data still encrypted under it unrecoverable; the waiting period (7 to 30 days) is the window in which the deletion can still be cancelled.
- Repeat these steps for all the vulnerable keys.