This is the accompanying blog post to our GitHub release: AWS Managed KMS Key Tracker. If you have feedback or questions, direct them to [email protected], we'd love to hear from you.
While researching AWS KMS Keys and their security and access implications, we found it difficult to correlate all services that support AWS Managed KMS Keys. Visibility of usage of AWS Managed KMS Keys and their corresponding key policies can be low and may have security and application implications. AWS Managed KMS Keys are keys managed by AWS but exist within your own AWS Account with corresponding key policies. These sometimes are the default key applied to resources.
To provide more visibility, we built a tool that scans and iterates through each AWS service and checks to see if there's an AWS Managed Key and uploads a listing and the corresponding key policies to GitHub. This tool will periodically scan and update the AWS Managed Key listing and the corresponding key policies.
In this post, we'll cover:
Interesting behavior of AWS Managed KMS Keys such as DescribeKey not always being a read operation and in certain cases, a create action for AWS Managed KMS Keys.
Lack of visibility with AWS Managed KMS Keys and Service Support such as in-use Managed KMS Keys not showing up via AWS's ListKeys API.
When to use and when not to use AWS Managed KMS Keys.
AWS Managed Key Reporting and Tooling Release that tracks AWS Managed KMS Keys and their associated Key Policies (IAM Resource-Based Policies).
Quick Statistics of AWS Managed KMS Keys (as of July 2024)
39 AWS Services with support for AWS Managed KMS Keys
Reference Key Policies for each AWS Service that supports AWS Managed KMS Keys.
Readme with listing of AWS Services that support AWS Managed KMS Keys.
Impact:
Implicit Access for Applications and other IAM Principals.
Access granted by the KMS Managed Key and the associated key policy may have security and architectural implications.
Application Architecture and Account and Region Boundaries.
Service guardrails and security guidelines for encryption may depend on availability and access granted by AWS Managed KMS Keys.
Interesting behavior and lack of visibility of AWS managed KMS keys
There's no central documentation on which AWS Services provide AWS Managed KMS Keys. There are service-specific pages, but no central place to review available encryption options and provided AWS Managed KMS Keys.
Not all AWS Managed KMS Keys appear in KMS (Console or via ListKeys API) even if they're in use by your resources. This can lead to impaired visibility of AWS Managed KMS Keys.
A KMS DescribeKey operation must be run for the AWS Managed key to appear.
AWS Managed Keys may differ by service with different conditions and policy blocks.
DescribeKey is typically non-mutating. But AWS services use DescribeKey to create AWS managed keys from a predefined AWS alias with no key ID.
There is no cost for creation and storage of AWS managed keys.
AWS completely manages properties of AWS managed keys, key rotation, their key policies, and their deletion schedule. Thus, you cannot manage them. The AWS service that creates them uses them on your behalf.
AWS Managed Keys may be difficult to use for cross-account operations. For example, from documentation for the S3 AWS Managed Key: 'If you want to grant cross-account access to your S3 objects, use a customer managed key.'
When to use and when not to use AWS managed KMS keys
Reasons to use AWS Managed KMS Keys:
AWS creates, manages, and uses AWS Managed KMS Keys on your behalf.
No need to create or maintain the key or the key policy.
Automatic rotation every year of all AWS managed keys.
No monthly fee for an AWS managed key.
Reasons not to use AWS Managed KMS Keys:
Cross-account architecture that requires direct IAM access to the encryption key.
Need to manage access via key policy.
Need for more specific management of KMS Key including rotation and more.
AWS Managed Key Reporting and Tooling Release
To provide more visibility, we built a tool that scans and iterates through each AWS service and checks to see if there's an AWS Managed Key and uploads a listing and the corresponding key policies to GitHub. This tool will periodically scan and update the AWS Managed Key listing and the corresponding key policies.