AWS X-Ray

XRay Encryption Disabled

Risk Level: Low

Description

This plugin ensures the desired level of encryption is enabled for XRay traces. AWS XRay supports both default encryption based on an AWS-managed KMS key as well as encryption using a customer-managed key. It is recommended to use at least CMKs to encrypt the traces but the settings can be modified on the SentinelOne CNS dashboard as per the requirements. 

Configuration Parameters

X-Ray Minimum Encryption Level: This parameter specifies the minimum required encryption type for XRay. An issue is created when the encryption setting does not match the desired encryption level.

The order of encryption from lowest to highest is as follows: 

  1. sse=Default Encryption
  2. awskms=AWS-managed KMS
  3. awscmk=Customer managed KMS
  4. externalcmk=Customer managed externally sourced KMS
  5. cloudhsm=Customer managed CloudHSM sourced KMS

The default value set is null, therefore it will return a vulnerability alert if there is no encryption set. Depending on the default value set, it will return a vulnerability alert if the XRay encryption is lower than default value.

About the Service

AWS X-Ray: As per the AWS documentation, AWS X-Ray helps developers analyze and debug production and distributed applications. If your application is facing any problems, with X-Ray the debugging is made a lot easier and the root cause of the issue can be detected with ease.

Impact

In the absence of proper encryption, the X-Ray traces containing sensitive and critical information about cloud infrastructure can be visible to the attacker in case of any compromise. Therefore, to avoid visible exposure of the data, it is necessary to encrypt the traces appropriately.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the Amazon XRay Console. You can use this link (https://console.aws.amazon.com/xray) to navigate directly if already logged in. 
  3. Scroll down and select Encryption under the Configuration section from the left pane.
  4. Copy the Key ARN and move to the KMS console.
  5. In the Customer-managed keys section, paste the key arn copied before. If no keys are found, the vulnerability exists.
  6. Repeat steps for all the regions you want to investigate.

Steps for Remediation

Update XRay encryption configuration to use encryption of the desired level.

  1. Log In to your AWS Console.
  2. Open the Amazon XRay Console. You can use this link (https://console.aws.amazon.com/xray) to navigate directly if already logged in. 
  3. Scroll down and select Encryption under the Configuration section from the left pane.
  4. Select “Use a customer master key” and enter a valid and existing KMS Arn for encryption.
  5. Click on Apply Changes.
  6. Repeat steps for all the vulnerable regions.