Introduction

As cloud security attacks and ransomware on the rise, we're focusing more on data perimeters and data security. Part of a robust data security strategy includes encryption and in cloud, encryption offerings from cloud providers such as AWS Key Management Service (KMS).

Understanding usage and relationships of KMS encryption keys and the potential blast radius helps with overall encryption management, building proper data perimeters and improving cloud data security. This can be complex to do in AWS, as it may require examining KMS Key permissions such as policies and grants, sifting through CloudTrail logs, or even many different API calls across each AWS service.

That's why we built Finders Keypers to help determine current usage of KMS Keys.

GitHub Repository: https://github.com/FogSecurity/finders-keypers

Use cases include:

• Determining blast radius of specific KMS keys and potentially impacted resources such as data in S3, databases such as RDS and DynamoDB, and more.
• Determining encryption access control and which principals potentially have access to data and resources.
• Understanding impact of key lifecycle management including key rotation and lifecycle management such as updates or key retirement or deletion.
• Audit and compliance use cases to understand potential key usage and access.
• Checking default settings in AWS for new resource creation and encryption settings.

Finders Keypers: An Introduction

Finders Keypers (Keepers) is a new tool build to analyze current usage of AWS KMS Keys. To determine complete usage and blast radius of AWS KMS Keys is complex with over 110 AWS services supporting integration with AWS KMS.

AWS Guidance on Determining Usage of KMS Keys

As of November, 2024, AWS provides guidance for determining usage of KMS Keys. The 2 methods they provide are to:

• Examine KMS Key permissions to determine the scope of potential usage.
• Examine AWS CloudTrail logs to determine actual usage.

Finders Keypers focuses on a 3rd method:

• Analyzing each service and the service resources to determine active usage of KMS keys for encryption.

We believe that evaluating KMS Key permissions and checking for AWS CloudTrail logs may not show a complete representation of current KMS usage for the following reasons:

• CloudTrail keeps logs for the last 90 days. For resources that have not been created or updated in the last 90 days, CloudTrail may not have a history of encryption history.
• CloudTrail also requires AWS API calls to be made and tracks management calls and not necessarily data calls. That is another reason why CloudTrail may not have a complete representation of KMS Key usage.
• KMS Key Permissions may only show usage by IAM Principals due to key policies being a resource-based policy.  Additionally, this may not show usage by KMS Key Grants.
• While KMS Key Grants may show more information, total KMS Key permissions from both KMS Key policies and key grants show principals, but not resources - which is an indirect relationship from KMS Key - IAM Principal - Resource encrypted by KMS Key.

With these limitations, analyzing each service and the service resources to determine active usage of KMS keys for encryption helps with a more complete representation of current KMS usage. This brings us to Finders Keypers, built to help analyze current usage of AWS KMS Keys.

Finders Keypers

GitHub Repository: https://github.com/FogSecurity/finders-keypers

This tool currently covers 28 different resource types over 21 AWS Services.  We prioritized high-usage services and resources such as AWS Compute, AWS Database offerings, Analytics services, storage, and secrets and configuration services.

Each service and resource may use different API calls and different IAM Permissions.

For example:

• RDS Database Instances

Requires access to call DescribeDBInstances (associated IAM Permission: rds:DescribeDBInstances)

• DynamoDB Tables

Requires access to call DescribeTable (associated IAM Permission: dynamodb:DescribeTable)

• Secrets Manager

Requires access to either call DescribeSecret or ListSecrets (associated IAM Permission: secretsmanager:DescribeSecret or

secretsmanager:ListSecrets)

• AWS Glue Data Catalog

Requires access to call GetDataCatalogEncryptionSettings (associated IAM permission: glue:GetDataCatalogEncryptionSettings)

‍

Running and Usage Examples

To use Finders Keypers, we recommend the following prerequisites and steps:

• Find an IAM Principal with permissions to describe and read metadata about resources in AWS.
• Set up local profile or environment with credentials from that IAM Principal.
• If not already installed, install Python.
• Install Finders Keypers and required libraries (such as AWS's boto3).
• Run Finders Keypers.

In the first example, we will run finderskeypers.py in standard mode. This mode will output the resource ARNs or IDs encrypted with the key specified. Some resources do not have ARNs and will output descriptions instead.

python3 finders-keypers.py --keyarn arn:aws:kms:us-east-1:123412341234:key/aaaaaaaa-aaaa-1111-aaaa-aaaa1111aaaa                   

Total Number of Resources encrypted with KMS Key Provided: 5
example-bucket-finderskeypers
vol-12341234123412345
vol-43214321432154321
arn:aws:dynamodb:us-east-1:123412341234:table/my-first-dynamodb-table
arn:aws:ssm:us-east-1:123412341234:parameter/sample-parameter

‍

In the next example, we will run finderskeypers.py in verbose mode.  This will output more information including the service, the resource, and encryption context.

python3 finders-keypers.py --keyarn arn:aws:kms:us-east-1:123412341234:key/aaaaaaaa-aaaa-1111-aaaa-aaaa1111aaaa --verbose                       

Total Number of Resources encrypted with KMS Key Provided: 6
{'Service': 'Glue', 'Resource': 'Data Catalog', 'ARN': 'ARN', 'Context': 'Connection Password Encryption'}
{'Service': 'DynamoDB', 'Resource': 'DynamoDB Table', 'ARN': 'arn:aws:dynamodb:us-east-1:123412341234:table/sample-table-dynamodb-own-encryption', 'Context': 'Encryption at Rest'}
{'Service': 'DocumentDB', 'Resource': 'DocumentDB Cluster', 'ARN': 'arn:aws:rds:us-east-1:123412341234:cluster:docdb-2024-05-13-15-22-33', 'Context': 'Encryption at Rest'}
{'Service': 'S3', 'Resource': 'S3 Bucket', 'ARN': 'sample-bucket-encryption', 'Context': 'Encryption at Rest'}
{'Service': 'EC2', 'Resource': 'EBS Volume', 'ARN': 'vol-12345123451234567', 'Context': 'Encryption at Rest'}
{'Service': 'Secrets Manager', 'Resource': 'Secret', 'ARN': 'arn:aws:secretsmanager:us-east-1:123412341234:secret:test-reference-secret', 'Context': 'Encryption at Rest'}

‍

Previous Research on Cloud Encryption and Data Perimeters

• Updating Encryption and Preventing Ransomware
• Complexity of Data Access
• AWS Managed Keys and Security Implications
• Default Encryption of AWS Resources

Conclusion

With Finders Keypers, determining current usage of KMS encryption keys for AWS resources has become easier and more complete. If you have feedback or want to talk more encryption management or data perimeters, reach out to us at info@fogsecurity.io. We're open to feedback and enhancements you'd like to see with encryption tooling or data perimeter tooling.