As cloud security attacks and ransomware on the rise, we're focusing more on data perimeters and data security. Part of a robust data security strategy includes encryption and in cloud, encryption offerings from cloud providers such as AWS Key Management Service (KMS).
Understanding usage and relationships of KMS encryption keys and the potential blast radius helps with overall encryption management, building proper data perimeters and improving cloud data security. This can be complex to do in AWS, as it may require examining KMS Key permissions such as policies and grants, sifting through CloudTrail logs, or even many different API calls across each AWS service.
That's why we built Finders Keypers to help determine current usage of KMS Keys.
GitHub Repository: https://github.com/FogSecurity/finders-keypers
Use cases include:
Finders Keypers (Keepers) is a new tool build to analyze current usage of AWS KMS Keys. To determine complete usage and blast radius of AWS KMS Keys is complex with over 110 AWS services supporting integration with AWS KMS.
As of November, 2024, AWS provides guidance for determining usage of KMS Keys. The 2 methods they provide are to:
Finders Keypers focuses on a 3rd method:
We believe that evaluating KMS Key permissions and checking for AWS CloudTrail logs may not show a complete representation of current KMS usage for the following reasons:
With these limitations, analyzing each service and the service resources to determine active usage of KMS keys for encryption helps with a more complete representation of current KMS usage. This brings us to Finders Keypers, built to help analyze current usage of AWS KMS Keys.
GitHub Repository: https://github.com/FogSecurity/finders-keypers
This tool currently covers 28 different resource types over 21 AWS Services. We prioritized high-usage services and resources such as AWS Compute, AWS Database offerings, Analytics services, storage, and secrets and configuration services.
Each service and resource may use different API calls and different IAM Permissions.
For example:
Requires access to call DescribeDBInstances (associated IAM Permission: rds:DescribeDBInstances)
Requires access to call DescribeTable (associated IAM Permission: dynamodb:DescribeTable)
Requires access to either call DescribeSecret or ListSecrets (associated IAM Permission: secretsmanager:DescribeSecret or
secretsmanager:ListSecrets)
Requires access to call GetDataCatalogEncryptionSettings (associated IAM permission: glue:GetDataCatalogEncryptionSettings)
To use Finders Keypers, we recommend the following prerequisites and steps:
In the first example, we will run finderskeypers.py in standard mode. This mode will output the resource ARNs or IDs encrypted with the key specified. Some resources do not have ARNs and will output descriptions instead.
python3 finders-keypers.py --keyarn arn:aws:kms:us-east-1:123412341234:key/aaaaaaaa-aaaa-1111-aaaa-aaaa1111aaaa
Total Number of Resources encrypted with KMS Key Provided: 5
example-bucket-finderskeypers
vol-12341234123412345
vol-43214321432154321
arn:aws:dynamodb:us-east-1:123412341234:table/my-first-dynamodb-table
arn:aws:ssm:us-east-1:123412341234:parameter/sample-parameter
In the next example, we will run finderskeypers.py in verbose mode. This will output more information including the service, the resource, and encryption context.
python3 finders-keypers.py --keyarn arn:aws:kms:us-east-1:123412341234:key/aaaaaaaa-aaaa-1111-aaaa-aaaa1111aaaa --verbose
Total Number of Resources encrypted with KMS Key Provided: 6
{'Service': 'Glue', 'Resource': 'Data Catalog', 'ARN': 'ARN', 'Context': 'Connection Password Encryption'}
{'Service': 'DynamoDB', 'Resource': 'DynamoDB Table', 'ARN': 'arn:aws:dynamodb:us-east-1:123412341234:table/sample-table-dynamodb-own-encryption', 'Context': 'Encryption at Rest'}
{'Service': 'DocumentDB', 'Resource': 'DocumentDB Cluster', 'ARN': 'arn:aws:rds:us-east-1:123412341234:cluster:docdb-2024-05-13-15-22-33', 'Context': 'Encryption at Rest'}
{'Service': 'S3', 'Resource': 'S3 Bucket', 'ARN': 'sample-bucket-encryption', 'Context': 'Encryption at Rest'}
{'Service': 'EC2', 'Resource': 'EBS Volume', 'ARN': 'vol-12345123451234567', 'Context': 'Encryption at Rest'}
{'Service': 'Secrets Manager', 'Resource': 'Secret', 'ARN': 'arn:aws:secretsmanager:us-east-1:123412341234:secret:test-reference-secret', 'Context': 'Encryption at Rest'}
With Finders Keypers, determining current usage of KMS encryption keys for AWS resources has become easier and more complete. If you have feedback or want to talk more encryption management or data perimeters, reach out to us at info@fogsecurity.io. We're open to feedback and enhancements you'd like to see with encryption tooling or data perimeter tooling.