KMS Default Key Usage

Checks AWS services to ensure the default KMS key is not being used

It is recommended not to use the default key, to avoid encrypting disparate sets of data with the same key. Each application should have its own customer-managed KMS key.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log into the AWS Management Console.

  2. Select the “Services” option and search for KMS.

  3. Scroll down the left navigation panel and choose “AWS managed keys” under “Key Management Service”.

  4. Select the “KMS key” that needs to be verified by clicking on the alias of the key under “Alias”.

  5. On the “AWS managed keys” page, verify the “General configuration” and check the “Description” tab. If the description shows “Default master key” (for example, for aws/ebs), then the selected “Amazon KMS key” is a default master key.

  6. Navigate to the “EC2 dashboard” and select “Snapshots” under “ELASTIC BLOCK STORE”.

  7. Select the “Snapshot” that needs to be verified and check the “Description” tab in the bottom panel. Check the “KMS Key Aliases” and, if the value is set to “aws/ebs”, then the selected EBS volume is using the default master key.

  8. Repeat steps 2 - 7 to verify other “KMS Default keys Usage” in the selected region.

  9. Navigate to the “KMS key” dashboard and click on the “Create key” button at the top panel to create a new “KMS key”.

  10. On the “Add alias and description” page, provide the “Alias” and “Description” for the new “KMS key” and click on the “Next” button.

  11. On the “Add tags” page, provide a unique key for “Tag key” and “Tag value” and click on the “Next” button.

  12. On the “Define key administrative permissions” page, select the “IAM users” and roles who can administer the new “KMS key” through the KMS API.

  13. Click on the “Next” button at the bottom to continue the new “KMS key” creation process.

  14. On the “Define key usage permissions” page, select the IAM users and roles that can use the CMK to encrypt and decrypt data with the “AWS KMS API” and click on the “Next” button.

  15. On the “Review and edit key policy” page, review the policy and click on the “Finish” button to create a new “KMS key” which can be used to encrypt/decrypt the data.

  16. Replace the “Default KMS key” with newly created “Customer managed key”.

  17. Repeat steps 9 - 16 for each remaining use of the default KMS key.
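The same check and remediation can be scripted. The following is an added example, not part of the original remediation page or of any scanner's own code: it runs offline over constructed records that mirror the shapes of the AWS API responses the console steps rely on (the `KeyManager` field of `kms:DescribeKey`, `AliasName`/`TargetKeyId` from `kms:ListAliases`, and `KmsKeyId` on `ec2:DescribeSnapshots` entries). It flags encrypted snapshots that use an AWS managed (default) key, covering steps 5-7, and drafts the three-statement key policy that steps 12-14 build in the console for the replacement customer managed key. The account id, key ids, snapshot ids and role names are made-up placeholders.

```python
"""Audit EBS snapshots for default (AWS managed) KMS key usage and draft a CMK key policy.

Added example, not from the original page. Records below are constructed to match
the field names of DescribeKey, ListAliases and DescribeSnapshots responses.
"""
import json

ACCOUNT_ID = "111122223333"   # constructed placeholder, not a real account
REGION = "us-east-1"
AWS_MANAGED_KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"   # constructed key id
CUSTOMER_KEY_ID = "0987dcba-09fe-87dc-65ba-ab0987654321"      # constructed key id


def key_arn(key_id, region=REGION, account=ACCOUNT_ID):
    return f"arn:aws:kms:{region}:{account}:key/{key_id}"


# Constructed records shaped like the KeyMetadata block of DescribeKey.
KEY_METADATA = {
    AWS_MANAGED_KEY_ID: {"KeyId": AWS_MANAGED_KEY_ID, "KeyManager": "AWS"},
    CUSTOMER_KEY_ID: {"KeyId": CUSTOMER_KEY_ID, "KeyManager": "CUSTOMER"},
}

# Constructed records shaped like the Aliases entries of ListAliases.
ALIASES = [
    {"AliasName": "alias/aws/ebs", "TargetKeyId": AWS_MANAGED_KEY_ID},
    {"AliasName": "alias/payments-app", "TargetKeyId": CUSTOMER_KEY_ID},
]

# Constructed records shaped like the Snapshots entries of DescribeSnapshots.
SNAPSHOTS = [
    {"SnapshotId": "snap-0a1b2c3d4e5f60001", "Encrypted": True, "KmsKeyId": key_arn(AWS_MANAGED_KEY_ID)},
    {"SnapshotId": "snap-0a1b2c3d4e5f60002", "Encrypted": True, "KmsKeyId": key_arn(CUSTOMER_KEY_ID)},
    {"SnapshotId": "snap-0a1b2c3d4e5f60003", "Encrypted": False},
]


def key_id_from_arn(key_ref):
    """Accept a key ARN or a bare key id and return the bare key id."""
    return key_ref.rsplit("/", 1)[-1]


def alias_by_key_id(aliases):
    return {a["TargetKeyId"]: a["AliasName"] for a in aliases if "TargetKeyId" in a}


def is_default_key(key_id, key_metadata, aliases):
    """Default keys are AWS managed: KeyManager == "AWS", with an alias under alias/aws/."""
    meta = key_metadata.get(key_id)
    if meta is not None and meta.get("KeyManager") == "AWS":
        return True
    # Fall back to the alias check the console steps use (e.g. aws/ebs).
    return alias_by_key_id(aliases).get(key_id, "").startswith("alias/aws/")


def find_default_key_snapshots(snapshots, key_metadata, aliases):
    """Return encrypted snapshots whose key is a default AWS managed key (steps 6-7)."""
    aliases_by_id = alias_by_key_id(aliases)
    findings = []
    for snap in snapshots:
        if not snap.get("Encrypted") or "KmsKeyId" not in snap:
            continue  # unencrypted snapshots have no key to classify
        key_id = key_id_from_arn(snap["KmsKeyId"])
        if is_default_key(key_id, key_metadata, aliases):
            findings.append({"SnapshotId": snap["SnapshotId"], "KeyId": key_id,
                             "Alias": aliases_by_id.get(key_id)})
    return findings


def build_key_policy(account_id, admin_arns, user_arns):
    """Key policy for the replacement CMK (steps 12-14): root access, administrators, users."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowKeyAdministrators", "Effect": "Allow",
             "Principal": {"AWS": list(admin_arns)},
             "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                        "kms:TagResource", "kms:UntagResource",
                        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
             "Resource": "*"},
            {"Sid": "AllowUseOfTheKey", "Effect": "Allow",
             "Principal": {"AWS": list(user_arns)},
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": "*"},
        ],
    }


if __name__ == "__main__":
    for f in find_default_key_snapshots(SNAPSHOTS, KEY_METADATA, ALIASES):
        print(f"default key in use: {f['SnapshotId']} -> {f['Alias']} ({f['KeyId']})")
    policy = build_key_policy(ACCOUNT_ID,
                              [f"arn:aws:iam::{ACCOUNT_ID}:role/KmsAdmin"],          # placeholder admin role
                              [f"arn:aws:iam::{ACCOUNT_ID}:role/PaymentsAppRole"])   # placeholder user role
    print(json.dumps(policy, indent=2))
```

Against live data, the constructed dictionaries would be replaced by the output of `describe-key`, `list-aliases` and `describe-snapshots` for each region; keys owned by another account return no metadata and are classified only through the alias fallback, so treat an empty alias as "unknown" rather than "customer managed". The separate administrator and user statements keep the principals who can change or delete the key apart from the applications that merely encrypt and decrypt with it.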