Event Information

  • The CreateGrant event in AWS Key Management Service (KMS) refers to the action of granting permissions to a principal (user, role, or AWS service) to use a KMS key.
  • This event is triggered when a new grant is created for a KMS key, allowing the specified principal to perform cryptographic operations using that key.
  • The CreateGrant event is important for auditing and monitoring purposes, as it helps track and manage access control to KMS keys within an AWS account.

Examples

  • Unauthorized access: If the CreateGrant operation in AWS Key Management Service (KMS) is not properly secured, it can potentially allow unauthorized users or entities to create grants and gain access to sensitive data or resources protected by KMS encryption keys. This can lead to data breaches and compromise the security of the system.
  • Privilege escalation: If the CreateGrant operation is not properly restricted, it can be abused by malicious actors to escalate their privileges within the system. They can create grants with higher permissions than they should have, allowing them to access or modify sensitive data or resources that they are not authorized to.
  • Key misuse: Improper usage of the CreateGrant operation can result in the creation of grants that are not aligned with the intended security policies and access controls. This can lead to the misuse of encryption keys, allowing unauthorized access or modification of data, and potentially violating compliance requirements or industry regulations.

Remediation

Using Console

  1. Enable AWS CloudTrail:
    • Go to the AWS Management Console and navigate to the CloudTrail service.
    • Click on “Trails” in the left-hand menu and then click on “Create trail”.
    • Provide a name for the trail, select the desired S3 bucket to store the logs, and enable log file encryption using AWS Key Management Service (KMS).
    • Configure the trail settings according to your requirements and click on “Create trail”.
  2. Enable AWS Config:
    • Go to the AWS Management Console and navigate to the AWS Config service.
    • Click on “Get started” if you haven’t enabled AWS Config before.
    • Select the desired AWS resources to be recorded and click on “Next”.
    • Choose the S3 bucket to store the configuration history and enable encryption using AWS KMS.
    • Configure the delivery frequency and click on “Next”.
    • Review the settings and click on “Confirm”.
  3. Enable AWS GuardDuty:
    • Go to the AWS Management Console and navigate to the GuardDuty service.
    • Click on “Get started” if you haven’t enabled GuardDuty before.
    • Choose the AWS regions to enable GuardDuty and click on “Next”.
    • Review the settings and click on “Enable GuardDuty”.
Note: These steps provide a high-level overview of enabling the mentioned services in AWS console. It is recommended to refer to the official AWS documentation for detailed instructions and best practices.

Using CLI

To remediate issues related to AWS Key Management Service (KMS) using AWS CLI, you can follow these steps:
  1. Rotate KMS keys:
    • Identify the KMS key(s) that need to be rotated.
    • Generate a new key using the create-key command: aws kms create-key.
    • Update the necessary resources to use the new key.
    • Schedule the deletion of the old key using the schedule-key-deletion command: aws kms schedule-key-deletion --key-id <old-key-id> --pending-window-in-days <number-of-days>.
    • Monitor the key rotation process and ensure that all resources are successfully using the new key.
  2. Enable KMS key rotation:
    • Identify the KMS key(s) that need to have rotation enabled.
    • Enable key rotation using the enable-key-rotation command: aws kms enable-key-rotation --key-id <key-id>.
    • Monitor the key rotation process and ensure that it is functioning as expected.
  3. Grant appropriate permissions to KMS keys:
    • Identify the KMS key(s) that require permission updates.
    • Use the create-key command to generate a new key if necessary: aws kms create-key.
    • Grant appropriate permissions to the key using the create-key-grant command: aws kms create-key-grant --key-id <key-id> --grantee-principal <grantee-principal> --operations <operations>.
    • Verify that the permissions have been successfully granted.
Please note that the commands provided are examples and may need to be modified based on your specific requirements and environment.

Using Python

To remediate the issues related to AWS KMS using Python, you can follow these steps:
  1. Enable AWS CloudTrail for KMS:
    • Use the boto3 library to create a new CloudTrail trail for KMS.
    • Set the appropriate parameters such as the S3 bucket to store the logs and the KMS key to encrypt the logs.
    • Enable logging for KMS API calls by specifying the kms.amazonaws.com as the resource type.
    • Here’s an example Python script:
    import boto3

def enable_kms_cloudtrail():
    client = boto3.client('cloudtrail')
    response = client.create_trail(
        Name='kms-cloudtrail',
        S3BucketName='your-s3-bucket',
        KmsKeyId='your-kms-key-id',
        IsMultiRegionTrail=True,
        IncludeGlobalServiceEvents=True,
        EnableLogFileValidation=True,
        IsOrganizationTrail=False,
        Tags=[
            {
                'Key': 'Name',
                'Value': 'kms-cloudtrail'
            },
        ]
    )
    client.start_logging(Name='kms-cloudtrail')

enable_kms_cloudtrail()
  2. Enable AWS Config for KMS:
    • Use the boto3 library to create a new AWS Config rule for KMS.
    • Specify the rule parameters such as the KMS key usage and key rotation settings.
    • Here’s an example Python script:
    import boto3

def enable_kms_config():
    client = boto3.client('config')
    response = client.put_config_rule(
        ConfigRule={
            'ConfigRuleName': 'kms-config-rule',
            'Description': 'KMS Config Rule',
            'Scope': {
                'ComplianceResourceTypes': [
                    'AWS::KMS::Key'
                ]
            },
            'Source': {
                'Owner': 'AWS',
                'SourceIdentifier': 'KMS_KEY_ROTATION_ENABLED'
            },
            'InputParameters': '{"kmsKeyRotationEnabled": "true"}',
            'ConfigRuleState': 'ACTIVE'
        }
    )

enable_kms_config()
  3. Enable AWS Security Hub for KMS:
    • Use the boto3 library to enable AWS Security Hub for KMS.
    • Specify the KMS key as a resource and enable the relevant security standards.
    • Here’s an example Python script:
    import boto3

def enable_kms_security_hub():
    client = boto3.client('securityhub')
    response = client.batch_enable_standards(
        StandardsSubscriptionRequests=[
            {
                'StandardsArn': 'arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0',
                'StandardsInput': '{"keyArn": "your-kms-key-arn"}'
            }
        ]
    )

enable_kms_security_hub()
Please note that you need to have the necessary IAM permissions to perform these actions. Make sure to replace the placeholders with your own values before executing the scripts.