Ensure only usable Customer Managed Keys are in the AWS KMS

A KMS key is in the Enabled state when it is created. If you disable a CMK, or schedule it for deletion, it becomes unusable: no cryptographic operation can be performed with it, so data encrypted under it cannot be decrypted until the key is enabled again, and once the deletion waiting period ends the key and that data are gone for good. Customer managed keys that sit in the Disabled or PendingDeletion state are usually the remains of an unfinished decommissioning. Resolve each one deliberately: enable it (cancelling the scheduled deletion first, if any) when data encrypted under it still has to be readable, or let it go when it is truly no longer needed. Doing so keeps the key inventory accurate, keeps the key management process honest, and avoids paying for keys you do not use.

Risk Level: Low
Cloud Entity: AWS Key Management Service (KMS)
CloudGuard Rule ID: D9.AWS.OPE.06
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

KMS where isCustomerManaged=true should not have keyState='Disabled' or keyState='PendingDeletion'

REMEDIATION

From Portal
Use the following steps to enable a KMS CMK that is disabled:

  1. Sign into the AWS console
  2. In the console, select the specific region
  3. Navigate to Key Management Service (KMS)
  4. Click 'Customer managed keys' (Left Panel)
  5. Select reported KMS Customer managed key
  6. Click 'Key actions' dropdown
  7. Click 'Enable'

Delete CMKs only when you are sure that you no longer need them: after a key is deleted, any data still encrypted under it can never be decrypted. If you are not sure, disable the CMK instead of deleting it. To recover a KMS CMK that is scheduled for deletion, cancel the deletion (which returns the key to the Disabled state) and then enable it:

  1. Sign into the AWS console
  2. In the console, select the specific region
  3. Navigate to Key Management Service (KMS)
  4. Click 'Customer managed keys' (Left Panel)
  5. Select reported KMS Customer managed key
  6. Click 'Key actions' dropdown
  7. Click 'Cancel key deletion'
  8. Click 'Enable'

From TF
Use the following Terraform code to keep a KMS key enabled. Note that aws_kms_key has no key_id argument (key_id is an attribute the resource exports), so a key that already exists outside Terraform must be imported first (terraform import aws_kms_key.example1 <key-id>); otherwise the plan creates a new key instead of enabling the reported one. The resource only toggles the enabled flag: for a key that is pending deletion, cancel the deletion from the console or the command line first.

resource "aws_kms_key" "example1" {
  # Import the reported key into this resource, then apply with is_enabled set
  is_enabled = true
}

From Command Line
Run the following command to cancel the AWS KMS key deletion process (to recover a KMS key scheduled for deletion). The key is left in the Disabled state afterwards, so the enable-key command below must follow:

aws kms cancel-key-deletion --region AWS_region_name --key-id kms_key_id

Use the following command to enable a KMS key (a key that was pending deletion needs this step after cancel-key-deletion):

aws kms enable-key --region AWS_region_name --key-id kms_key_id
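The rule logic and the command-line remediation above, as an added example that is not part of the CloudGuard page or the AWS CLI: it applies the D9.AWS.OPE.06 condition to DescribeKey metadata (customer managed keys in the Disabled or PendingDeletion state), reports how many days a pending-deletion key has left, and emits the CLI commands for each finding, including the detail that a cancelled deletion leaves the key Disabled and therefore still needs enable-key. The function names, the sample key IDs, the fixed clock and the region are assumptions; the live collector is the boto3 equivalent of aws kms list-keys plus aws kms describe-key and is not called by the offline demo.

```python
# Added example, not part of the CloudGuard page: implements the
# D9.AWS.OPE.06 check (customer managed key in Disabled or PendingDeletion
# state) over DescribeKey metadata and emits the matching CLI remediation.
# Function names, the sample key IDs, the clock and the region are assumptions.
from datetime import datetime, timezone

# States in which a KMS key cannot perform cryptographic operations and
# which the GSL rule flags. Other states (Enabled, PendingImport, Creating,
# Updating, Unavailable, PendingReplicaDeletion) are outside this rule.
UNUSABLE_STATES = ("Disabled", "PendingDeletion")


def is_flagged(meta):
    """True when a DescribeKey KeyMetadata dict violates the rule."""
    # KeyManager is 'AWS' for AWS managed keys (aws/s3, aws/ebs, ...) and
    # 'CUSTOMER' for customer managed keys; only the latter are in scope.
    return meta.get("KeyManager") == "CUSTOMER" and meta.get("KeyState") in UNUSABLE_STATES


def find_unusable_cmks(key_metadata):
    """Filter a list of KeyMetadata dicts down to the rule's findings."""
    return [m for m in key_metadata if is_flagged(m)]


def remediation_commands(meta, region):
    """AWS CLI commands that return the key to the Enabled state.

    Cancelling a scheduled deletion leaves the key Disabled, so a
    PendingDeletion key needs cancel-key-deletion followed by enable-key.
    """
    key_id = meta["KeyId"]
    cmds = []
    if meta["KeyState"] == "PendingDeletion":
        cmds.append(f"aws kms cancel-key-deletion --region {region} --key-id {key_id}")
    cmds.append(f"aws kms enable-key --region {region} --key-id {key_id}")
    return cmds


def days_until_deletion(meta, now):
    """Days left before a PendingDeletion key is destroyed, None otherwise."""
    if meta.get("KeyState") != "PendingDeletion" or "DeletionDate" not in meta:
        return None
    return max(0, (meta["DeletionDate"] - now).days)


def collect_live(region):
    """Fetch KeyMetadata for every key in a region with boto3; this is the
    equivalent of 'aws kms list-keys' plus 'aws kms describe-key' per key.
    Needs credentials, so the offline demo below does not call it."""
    import boto3  # imported lazily so the offline demo has no dependency
    kms = boto3.client("kms", region_name=region)
    metadata = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            metadata.append(kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"])
    return metadata


# Constructed sample in the shape of DescribeKey KeyMetadata; the IDs are
# made up and the clock is fixed so the output is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"KeyId": "11111111-1111-4111-8111-111111111111", "KeyManager": "CUSTOMER",
     "KeyState": "Enabled"},
    {"KeyId": "22222222-2222-4222-8222-222222222222", "KeyManager": "CUSTOMER",
     "KeyState": "Disabled"},
    {"KeyId": "33333333-3333-4333-8333-333333333333", "KeyManager": "CUSTOMER",
     "KeyState": "PendingDeletion",
     "DeletionDate": datetime(2024, 6, 8, tzinfo=timezone.utc)},
    # AWS managed key: disabled, but out of scope for the rule.
    {"KeyId": "44444444-4444-4444-8444-444444444444", "KeyManager": "AWS",
     "KeyState": "Disabled"},
]


def report(keys, region, now):
    """One finding line per flagged key, followed by the commands to run."""
    lines = []
    for meta in find_unusable_cmks(keys):
        line = f"{meta['KeyId']} {meta['KeyState']}"
        days = days_until_deletion(meta, now)
        if days is not None:
            line += f" (deleted in {days} days)"
        lines.append(line)
        lines.extend("  " + cmd for cmd in remediation_commands(meta, region))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_KEYS, "us-east-1", NOW)))
```

Against the constructed sample the report lists the Disabled key with a single enable-key command and the PendingDeletion key with cancel-key-deletion followed by enable-key, and ignores both the Enabled key and the disabled AWS managed key. To run it against a real account, replace SAMPLE_KEYS with collect_live(region) and datetime.now(timezone.utc); treat the generated commands as a review list, not a script to execute blindly, since a key someone deliberately scheduled for deletion should stay that way.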

References

  1. https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
  2. https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
  3. https://docs.aws.amazon.com/kms/latest/developerguide/enabling-keys.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
  5. https://docs.aws.amazon.com/cli/latest/reference/kms/schedule-key-deletion.html
  6. https://docs.aws.amazon.com/cli/latest/reference/kms/cancel-key-deletion.html
  7. https://docs.aws.amazon.com/cli/latest/reference/kms/enable-key.html

AWS Key Management Service (KMS)

AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses FIPS 140-2 validated hardware security modules to protect the security of your keys. AWS Key Management Service is integrated with most other AWS services to help you protect the data you store with these services. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset