KMS Keys Should Not Allow Unknown Cross Account Access

More Info:

All your AWS Key Management Service keys should be configured to be accessed only by trusted AWS accounts in order to protect against unauthorized cross account access. This will help prevent data breaches and loss.

Risk Level

High

Address

Security

Compliance Standards

AWSWAF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “KMS Keys Should Not Allow Unknown Cross Account Access” in AWS using AWS CLI, follow the below steps:

Identify the KMS keys that allow unknown cross-account access:

aws kms list-keys --query "Keys[?KeyManager != 'AWS' && KeyState == 'Enabled']" --output text | awk '{print $1}' | while read key_id; do aws kms get-key-policy --key-id $key_id --policy-name default --query Policy --output text | grep -q "Effect\": \"Allow" && echo $key_id; done

Remove the unknown cross-account access from the KMS key policy:

aws kms list-keys --query "Keys[?KeyManager != 'AWS' && KeyState == 'Enabled']" --output text | awk '{print $1}' | while read key_id; do aws kms get-key-policy --key-id $key_id --policy-name default --query Policy --output text | sed '/Effect\": \"Allow\"/,/\"Principal\": {/d' > policy.json && aws kms put-key-policy --key-id $key_id --policy-name default --policy file://policy.json && rm policy.json; done

Verify that the unknown cross-account access has been removed:

aws kms list-keys --query "Keys[?KeyManager != 'AWS' && KeyState == 'Enabled']" --output text | awk '{print $1}' | while read key_id; do aws kms get-key-policy --key-id $key_id --policy-name default --query Policy --output text | grep -q "Effect\": \"Allow" && echo $key_id; done

If there is no output, then the remediation is successful.

Using Python

To remediate the misconfiguration “KMS Keys Should Not Allow Unknown Cross Account Access” for AWS using Python, you can follow these steps:

Identify the KMS keys that are allowing unknown cross-account access. You can do this by using the AWS CLI command aws kms list-keys to get a list of all the KMS keys and then using the aws kms describe-key command to get the key policy for each key.
Check the key policy to see if it allows unknown cross-account access. You can do this by looking for the "AWS" field in the Principal element of the policy. If the "AWS" field is set to "*" or does not include a specific account ID, then the key allows unknown cross-account access.
Modify the key policy to remove the unknown cross-account access. You can do this by using the aws kms put-key-policy command to update the key policy. You will need to specify the key ID, the policy name, and the new policy document that removes the "AWS" field or replaces it with a specific account ID.
Test the modified key policy to ensure that it no longer allows unknown cross-account access. You can do this by using the aws kms encrypt command to encrypt a test message using the modified key. If the encryption is successful, then the key policy has been remediated.

Here is an example Python script that can be used to remediate the misconfiguration:

import boto3
import json

# Initialize the KMS client
kms = boto3.client('kms')

# Get a list of all KMS keys
response = kms.list_keys()

# Loop through each key
for key in response['Keys']:
    # Get the key policy
    key_policy = kms.get_key_policy(KeyId=key['KeyId'], PolicyName='default')['Policy']

    # Parse the policy document
    policy_doc = json.loads(key_policy)

    # Check if the policy allows unknown cross-account access
    if 'AWS' in policy_doc['Statement'][0]['Principal'] and \
        ('*' in policy_doc['Statement'][0]['Principal']['AWS'] or \
        len(policy_doc['Statement'][0]['Principal']['AWS']) == 1):
        
        # Modify the policy to remove the unknown cross-account access
        policy_doc['Statement'][0]['Principal']['AWS'] = ['arn:aws:iam::123456789012:root']

        # Update the key policy
        response = kms.put_key_policy(KeyId=key['KeyId'], PolicyName='default', Policy=json.dumps(policy_doc))

        # Print the result
        print('Key policy updated for key ' + key['KeyId'])

Note: Replace the account ID 123456789012 with your own account ID.

Additional Reading:

https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

KMS Keys Should Not Allow Unknown Cross Account Access

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: