
Insecure encryption algorithm - Default encryption

Description

Many AWS services can encrypt data at rest with AWS Key Management Service (KMS). When a service is left with its default encryption it uses an AWS managed key (for example alias/aws/ebs or aws/secretsmanager), whose key policy, rotation schedule and lifecycle are fixed by AWS and cannot be changed by the account owner. As a good practice, use a customer managed key (CMK) instead, in order to take full advantage of KMS: a key policy you define, grants to other accounts, and the ability to disable or schedule deletion of the key.

Impact

  • Obtain sensitive information in plain text
  • Lose the flexibility and control offered by a customer managed key (own key policy, cross-account grants, on-demand disabling or deletion)

Recommendation

Enable encryption using a KMS customer managed key (CMK) instead of the service's default AWS managed key

Threat

Authenticated attacker from the Internet with access to the service

Expected Remediation Time

⌚ 20 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
  • Score:
    • Base: 3.1
    • Temporal: 2.8
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The resource specifies a KMS key for encryption (KmsKeyId), so the secret is protected with a customer managed key

Resources:
  MySecret:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Name: MySecretForAppA
      Description: "This secret"
      GenerateSecretString:
        SecretStringTemplate: '{"username": "test-user"}'
        GenerateStringKey: "password"
        PasswordLength: 30
        ExcludeCharacters: '"@/\'
      # ARN, key ID or alias of a customer managed key (for example !Ref to an AWS::KMS::Key in the same template)
      KmsKeyId: keyId

Non compliant code

The resource omits KmsKeyId, so Secrets Manager falls back to the AWS managed key aws/secretsmanager

Resources:
  MySecret:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Name: MySecretForAppA
      Description: "This secret"
      GenerateSecretString:
        SecretStringTemplate: '{"username": "test-user"}'
        GenerateStringKey: "password"
        PasswordLength: 30
        ExcludeCharacters: '"@/\'

The resource enables server-side encryption but names no customer managed key (kms_key_arn), so DynamoDB falls back to the AWS managed key alias/aws/dynamodb

resource "aws_dynamodb_table" "basic-dynamodb-table" {
  name         = "basic-dynamodb-table"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "Id"
  attribute {
    name = "Id"
    type = "S"
  }
  server_side_encryption {
    enabled = true # no kms_key_arn: falls back to the AWS managed key alias/aws/dynamodb
  }
}

Using the AWS CLI, the following two commands check whether an EBS volume is encrypted with a KMS customer managed key (CMK) rather than the AWS managed key. Both commands must be run in the region where the volume lives:

$ aws ec2 describe-volumes \
    --volume-ids vol-f7f65326 \
    --region us-east-1
$ aws kms list-aliases \
    --region us-east-1

The first command returns the ARN (Amazon Resource Name) of the key as the value of the KmsKeyId field; the last path segment of the ARN (after "key/") is the key ID. The second command lists every alias in the region together with the key ID it points at (TargetKeyId). If the alias pointing at the volume's key ID is "alias/aws/ebs", the volume is encrypted with the default AWS managed key; a customer managed key carries a custom alias or no alias at all.
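The matching described above, automated as an added example (not code from the original page): the script parses the JSON that the two CLI commands return, extracts the key ID from the KmsKeyId ARN, looks it up among the alias targets and classifies each volume as unencrypted, AWS managed or customer managed. The volume IDs, account number, key IDs and the custom alias alias/app/ebs-cmk in the sample data are constructed; the live path at the bottom assumes the aws CLI is installed and configured for the account that owns the volumes.

```python
import json
import re
import subprocess
import sys
from typing import Dict, List

AWS_MANAGED = "AWS_MANAGED"
CUSTOMER_MANAGED = "CUSTOMER_MANAGED"
UNENCRYPTED = "UNENCRYPTED"

# describe-volumes reports KmsKeyId as an ARN (arn:aws:kms:REGION:ACCOUNT:key/UUID);
# list-aliases reports the bare UUID in TargetKeyId, so the two are matched on the UUID.
KEY_ID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def key_id_from_arn(kms_key_id: str) -> str:
    """Return the bare key ID from a key ARN or a key ID."""
    match = KEY_ID_RE.search(kms_key_id)
    if match is None:
        raise ValueError("not a KMS key ARN or key ID: %r" % kms_key_id)
    return match.group(0)


def aliases_for_key(list_aliases: Dict, key_id: str) -> List[str]:
    """Alias names that point at key_id. AWS managed keys that have never been
    used appear in the list without a TargetKeyId, hence the .get()."""
    return [
        alias["AliasName"]
        for alias in list_aliases.get("Aliases", [])
        if alias.get("TargetKeyId") == key_id
    ]


def classify_key(kms_key_id: str, list_aliases: Dict) -> str:
    """AWS managed keys always carry an alias/aws/<service> alias; a customer
    managed key has a custom alias or none at all."""
    aliases = aliases_for_key(list_aliases, key_id_from_arn(kms_key_id))
    if any(name.startswith("alias/aws/") for name in aliases):
        return AWS_MANAGED
    return CUSTOMER_MANAGED


def classify_volumes(describe_volumes: Dict, list_aliases: Dict) -> Dict[str, str]:
    """Map each VolumeId to UNENCRYPTED, AWS_MANAGED or CUSTOMER_MANAGED."""
    verdicts = {}
    for volume in describe_volumes.get("Volumes", []):
        if not volume.get("Encrypted") or "KmsKeyId" not in volume:
            verdicts[volume["VolumeId"]] = UNENCRYPTED
        else:
            verdicts[volume["VolumeId"]] = classify_key(volume["KmsKeyId"], list_aliases)
    return verdicts


def classify_live(region: str, volume_ids: List[str]) -> Dict[str, str]:
    """Run the two CLI commands from the text (assumes an installed and
    configured aws CLI) and classify the returned volumes."""
    def aws_json(*args: str) -> Dict:
        proc = subprocess.run(
            ["aws", *args, "--region", region, "--output", "json"],
            check=True, capture_output=True, text=True,
        )
        return json.loads(proc.stdout)

    return classify_volumes(
        aws_json("ec2", "describe-volumes", "--volume-ids", *volume_ids),
        aws_json("kms", "list-aliases"),
    )


# Constructed sample data in the shape of the two commands' JSON output
# (IDs, account number and the custom alias are made up for the example).
SAMPLE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-f7f65326", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
        {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ba0987654321"},
        {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": False},
    ]
}
SAMPLE_ALIASES = {
    "Aliases": [
        {"AliasName": "alias/aws/ebs", "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"},
        {"AliasName": "alias/aws/rds"},  # AWS managed key not yet created: no TargetKeyId
        {"AliasName": "alias/app/ebs-cmk", "TargetKeyId": "0987dcba-09fe-87dc-65ba-ba0987654321"},
    ]
}

if __name__ == "__main__":
    if len(sys.argv) > 2:
        # usage: python check_ebs_cmk.py us-east-1 vol-f7f65326 [vol-...]
        print(json.dumps(classify_live(sys.argv[1], sys.argv[2:]), indent=2))
    else:
        print(json.dumps(classify_volumes(SAMPLE_VOLUMES, SAMPLE_ALIASES), indent=2))
```

With the sample data, vol-f7f65326 is reported as AWS_MANAGED because its key ID is the target of alias/aws/ebs, vol-0a1b2c3d4e5f60001 as CUSTOMER_MANAGED, and vol-0a1b2c3d4e5f60002 as UNENCRYPTED. The same classify_key function applies to any other KMS-backed resource once you have its key ARN, for example the SSEDescription.KMSMasterKeyArn returned by aws dynamodb describe-table. Where alias matching is not enough (a key can have several aliases, and alias/aws/ entries for unused services have no target), aws kms describe-key --key-id <id> returns KeyMetadata.KeyManager, which is "AWS" for AWS managed keys and "CUSTOMER" for customer managed keys and is the authoritative check.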

Requirements