AWS Key Management Service (KMS)
  1. CNS Policies
  2. AWS Knowledge Base
  3. AWS Key Management Service (KMS)

KMS Key Policy Globally Accessible

Risk Level: Medium

Description

This plugin ensures that all your AWS Key Management Service keys are configured to be accessed only by trusted AWS accounts. Key Policies define who can have access to the keys and therefore can encrypt data of AWS resources. It is recommended to not allow global access in order to protect against unauthorized cross-account access.

Configuration Parameters

KMS Key Policy Allowed Condition Keys: This parameter denotes all the AWS IAM condition keys that are allowed. An alert is generated if any keys apart from the allowed keys are granted global access.

By default, the keys allowed are ‘aws:PrincipalArn’,  'aws:PrincipalAccount', 'aws:PrincipalOrgID', 'aws:SourceAccount', 'aws:SourceArn', 'aws:SourceOwner',   'kms:CallerAccount', and 'kms:ViaService'. Therefore it will return a vulnerability if any of the key apart from the ones mentioned are globally accessible.

About the Service

AWS Key Management Service (KMS): AWS KMS is a storehouse of cryptographic keys that can be easily utilized by your AWS resources and applications. Encryption with KMS keys ensures that your resources and applications are secured with centralized management. Logs can also be generated to audit key usage across various services. All the keys are properly secured by AWS KMS.

Impact

Key Policies define who can have access to the keys and therefore can encrypt data of AWS resources. If the Policy Principal ARNs are whitelisted, any anonymous user can perform the actions specified in the policy. This can result in the attacker with unauthorized access decrypt and reading sensitive data.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the AWS KMS Console. You can use this link (https://console.aws.amazon.com/kms/) to navigate directly if already logged in. 
  3. From the left navigation pane, click on Customer-managed keys.
  4. A list of CMK keys in the region will be displayed. Select the key you want to examine by clicking on it’s Key ID.
  5. Move to the Key Policy tab.
  6. If the policy has statements with Effect value set to “Allow” and Principal value set to “*”, the vulnerability exists. Also, check for whitelisted Conditions.
  7. Repeat steps for all the keys you wish to examine  by changing to AWS managed-keys and other regions.

Steps for Remediation

Modify the KMS key policy to remove any wildcards and limit the number of users and roles that can perform encrypt and decrypt operations using the key.

  1. Log In to your AWS Console.
  2. Open the AWS KMS Console. You can use this link (https://console.aws.amazon.com/kms/) to navigate directly if already logged in. 
  3. From the left navigation pane, click on Customer-managed keys.
  4. A list of CMK keys in the region will be displayed. Select the vulnerable key by clicking on it’s Key ID.
  5. Move to the Key Policy tab.
  6. Edit the policy by changing the value of Principal. Replace the “*” with the account/resource ARN which should be allowed the actions specified.
  7. Repeat steps for all the vulnerable keys.