AWS Key Management Service (KMS) Master Keys Publicly Exposed

Description:

AWS Key Management Service (KMS) provides centralized control over cryptographic keys, allowing you to create and manage the keys used to encrypt and decrypt data. A KMS master key whose key policy grants access to any principal is effectively public: it can lead to unauthorized decryption of the data it protects, potential data breaches, and misuse of sensitive data. Ensuring that KMS master keys are not publicly accessible is crucial for maintaining the security and integrity of encrypted data.


Remediation:

1. Restrict Public Access to KMS Master Keys:

AWS Management Console:
  • Navigate to the KMS service in the AWS Console.
  • In the KMS dashboard's left navigation pane, click on Customer managed keys.
  • Click on the Key ID or Alias of the key you want to check.
  • Under the Key policy section, review the key's policy. Ensure that there are no "Effect": "Allow" statements whose principal is everyone (written either as "Principal": "*" or as "Principal": {"AWS": "*"}) without a Condition block restricting the access.
  • If such a statement is found, modify the policy to restrict access to specific IAM entities or remove the overly permissive statement.

AWS CLI:

To list the KMS keys:

aws kms list-keys

For each key, to get its policy:

aws kms get-key-policy --key-id YOUR_KEY_ID --policy-name default

Review the returned policy (the document is returned as a JSON string in the "Policy" field) and ensure there is no unrestricted access. If modifications are required, use the aws kms put-key-policy command to update the policy; note that it replaces the whole key policy, so supply the complete corrected document rather than only the changed statement.

Terraform:

If you're using Terraform to manage your AWS KMS keys:

resource "aws_kms_key" "example" {
  # ... other KMS configurations ...

  policy = jsonencode({
    # ... your KMS policy ...
    # Ensure there's no statement with "Effect": "Allow" and "Principal": "*"
    # without specific conditions.
  })
}

Review and modify the key policy to ensure it does not grant public access.


Recommendation:

Always ensure that your AWS KMS master keys have restrictive policies in place to prevent public or unintended access, and regularly review and audit the policies associated with your KMS keys. Consider using AWS CloudTrail logs to monitor and alert on changes to KMS key policies (key policy changes are recorded as PutKeyPolicy events). Applying least privilege, by granting only the necessary permissions to specific entities and using conditions, further strengthens the security of your KMS master keys. As an additional layer of protection, enable CloudWatch alarms or other monitoring tools to detect and notify you of unauthorized or suspicious activity involving your KMS keys.
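The policy review described in the AWS CLI and Terraform steps above, and the CloudTrail monitoring recommended here, both come down to the same check: does any Allow statement grant access to every principal without a Condition? The following Python script is an added example and not code from the original page; it applies that check to the JSON printed by aws kms get-key-policy (and equally to the document you would pass to jsonencode in Terraform) and to PutKeyPolicy records from CloudTrail. The policies, key ID and events are constructed sample data; the account ID 111122223333 and key ID 1234abcd-12ab-34cd-56ef-1234567890ab are placeholders, and the kms:CallerAccount condition is one possible restriction, not a prescribed one.

```python
"""Flag KMS key policies that allow access to any principal without a Condition.

Added example, not the original page's code. All sample data below is constructed.
"""
import json


def is_public_principal(principal):
    """True for "Principal": "*", {"AWS": "*"}, or {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def find_public_statements(policy_doc):
    """Return Sids (or positional labels) of Allow statements that grant access
    to everyone and carry no Condition block at all."""
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    flagged = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned access still deserves review, but is not unrestricted
        flagged.append(stmt.get("Sid", "statement[%d]" % i))
    return flagged


def check_get_key_policy_output(cli_output):
    """cli_output is the text printed by `aws kms get-key-policy`; the policy
    document is itself a JSON-encoded string under the "Policy" field."""
    document = json.loads(json.loads(cli_output)["Policy"])
    return find_public_statements(document)


def flag_cloudtrail_events(events):
    """Return (keyId, flagged Sids) for each PutKeyPolicy event whose new policy
    is public. Assumes the policy string sits in requestParameters["policy"]."""
    hits = []
    for event in events:
        if event.get("eventSource") != "kms.amazonaws.com":
            continue
        if event.get("eventName") != "PutKeyPolicy":
            continue
        params = event.get("requestParameters") or {}
        try:
            document = json.loads(params.get("policy", ""))
        except json.JSONDecodeError:
            continue  # malformed or truncated policy string; nothing to evaluate
        sids = find_public_statements(document)
        if sids:
            hits.append((params.get("keyId"), sids))
    return hits


# Constructed sample data (placeholder account and key IDs).
ROOT_STATEMENT = {
    "Sid": "EnableRootPermissions",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*",
    "Resource": "*",
}
PUBLIC_POLICY = {  # the weak form: anyone may call Decrypt
    "Version": "2012-10-17",
    "Statement": [
        ROOT_STATEMENT,
        {"Sid": "AllowAnyone", "Effect": "Allow", "Principal": "*",
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}
RESTRICTED_POLICY = {  # the corrected form: same grant, limited by a condition
    "Version": "2012-10-17",
    "Statement": [
        ROOT_STATEMENT,
        {"Sid": "AllowOwnAccountOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "kms:Decrypt", "Resource": "*",
         "Condition": {"StringEquals": {"kms:CallerAccount": "111122223333"}}},
    ],
}
SAMPLE_KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_CLI_OUTPUT = json.dumps({"Policy": json.dumps(PUBLIC_POLICY)})
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy",
     "requestParameters": {"keyId": SAMPLE_KEY_ID, "policyName": "default",
                           "policy": json.dumps(PUBLIC_POLICY)}},
    {"eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy",
     "requestParameters": {"keyId": SAMPLE_KEY_ID, "policyName": "default",
                           "policy": json.dumps(RESTRICTED_POLICY)}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "requestParameters": {"keyId": SAMPLE_KEY_ID}},
]

if __name__ == "__main__":
    print("get-key-policy review:", check_get_key_policy_output(SAMPLE_CLI_OUTPUT))
    print("restricted policy:", find_public_statements(RESTRICTED_POLICY))
    print("CloudTrail hits:", flag_cloudtrail_events(SAMPLE_EVENTS))
```

To run it against real data, pipe the output of aws kms get-key-policy --key-id YOUR_KEY_ID --policy-name default into check_get_key_policy_output, or feed the Records array of a CloudTrail log file to flag_cloudtrail_events. Statements that are public but conditioned are deliberately not flagged here; they still merit a manual look, since the strength of the restriction depends on the condition used.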