KMS Key Policies Should Be Designed To Limit Number Of KMS Admins

More Info:

KMS key policies should be designed to limit the number of users who can perform encrypt and decrypt operations. Each application should use its own key to avoid over exposure.

Risk Level

Low

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate this issue for AWS, you can follow these steps using AWS CLI:

Identify the KMS key ID that needs to be remediated.
Create a new IAM policy that grants the required permissions for KMS key management.
Attach the new IAM policy to an IAM user or role that needs to manage the KMS key.
Remove the KMS key administrator permissions from the existing IAM users or roles.

Here are the detailed steps:Step 1: Identify the KMS key ID that needs to be remediatedUse the following command to list all the KMS keys in your AWS account:

aws kms list-keys

Identify the KMS key ID that needs to be remediated.Step 2: Create a new IAM policy that grants the required permissions for KMS key managementCreate a new IAM policy that grants the required permissions for KMS key management. Here’s an example of a policy that allows a user to manage a specific KMS key:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowKeyManagement",
            "Effect": "Allow",
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ]
}

Replace the KMS key ARN with the ARN of the KMS key that needs to be managed.Step 3: Attach the new IAM policy to an IAM user or role that needs to manage the KMS keyUse the following command to attach the new IAM policy to an IAM user or role:

aws iam attach-user-policy --user-name <user-name> --policy-arn <policy-arn>

Replace <user-name> with the name of the IAM user or role that needs to manage the KMS key, and <policy-arn> with the ARN of the new IAM policy.Step 4: Remove the KMS key administrator permissions from the existing IAM users or rolesUse the following command to remove the KMS key administrator permissions from the existing IAM users or roles:

aws kms revoke-grant --key-id <key-id> --grant-id <grant-id>

Replace <key-id> with the ID of the KMS key, and <grant-id> with the ID of the grant that needs to be revoked.Repeat this command for each grant that needs to be revoked.By following these steps, you can remediate the misconfiguration of KMS key policies that should be designed to limit the number of KMS admins for AWS.

Using Python

To remediate this misconfiguration in AWS using Python, you can follow these steps:

First, you need to identify the KMS keys that have overly permissive key policies. You can use the boto3 library in Python to list all the KMS keys and their key policies.

import boto3

# Create a KMS client
kms = boto3.client('kms')

# List all the KMS keys
response = kms.list_keys()

# Loop through each key and print its key policy
for key in response['Keys']:
    key_id = key['KeyId']
    key_policy = kms.get_key_policy(KeyId=key_id, PolicyName='default')['Policy']
    print(f"Key ID: {key_id} \nKey Policy: {key_policy}")

Once you have identified the KMS keys with overly permissive key policies, you need to update their policies to limit the number of KMS admins. You can use the put_key_policy method to update the key policy.

import json

# Define the new key policy
new_policy = {
    "Version": "2012-10-17",
    "Id": "key-policy-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/Admin1",
                    "arn:aws:iam::123456789012:user/Admin2"
                ]
            },
            "Action": [
                "kms:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

# Update the key policy for a specific KMS key
response = kms.put_key_policy(
    KeyId='1234abcd-12ab-34cd-56ef-1234567890ab',
    PolicyName='default',
    Policy=json.dumps(new_policy)
)

In the above code, you need to replace the KeyId with the ID of the KMS key that you want to update, and replace the AWS ARNs with the ARNs of the IAM users who should have KMS admin permissions.

Repeat step 2 for all the KMS keys with overly permissive key policies.

By following these steps, you can remediate the misconfiguration of KMS key policies being designed to limit the number of KMS admins in AWS using Python.

Additional Reading:

https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

KMS Key Policies Should Be Designed To Limit Number Of KMS Admins

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: