Teri Radichel

Summary

Teri Radichel is detailing the process of creating and sharing a KMS key across a non-production environment within an AWS Organization, specifically for encrypting Amazon Machine Images (AMIs), while addressing potential misconceptions in AWS documentation and demonstrating how to modify existing KMS key policies to include permissions for Organizational Units (OUs).

Abstract

In a continuation of her series on automating cybersecurity metrics, Teri Radichel focuses on extending the use of a KMS key to a non-production environment in AWS. She begins by referencing her previous work on configuring resources for a specific project in a new AWS account and the deployment of AWS accounts using CloudFormation. Radichel then explains the need for a KMS key to encrypt AMIs and references her past articles on encryption and AWS KMS, as well as the process of re-encrypting an EC2 instance with a Customer Master Key (CMK). She outlines her approach to deploying the key by assuming an AWS Organizations role in the KMS account and plans to eventually create specific roles for KMS administration. The author provides a visual representation of her non-prod environment and discusses granting key access to the OU, hoping that this will allow access to all subordinate OUs. Radichel points out a discrepancy in AWS documentation regarding sharing AMIs with organizations or OUs and opts for a policy that specifically grants access to the non-prod OU. She walks through modifying her common KMS template to include OUs in the key policy, making ARNs and OUs optional parameters, and ensuring that the policy conditions only apply if the parameters are provided. The article concludes with Radichel finalizing the key installation and policy update, with promises to test and provide updates in future posts.

Opinions

  • Radichel emphasizes the importance of understanding AWS KMS and encryption for AMIs, which serve as templates for operating systems in AWS VMs.
  • She notes that AWS documentation can be misleading and provides guidance on selecting the correct policy for granting access to a KMS key for an organization or specific OUs.
  • Radichel values the flexibility of her KMS key template, which she has enhanced over time to accommodate various use cases, including the addition of OUs.
  • She acknowledges the potential for future improvements in roles and permissions, indicating a commitment to evolving her security practices.
  • Radichel encourages readers to follow her work for updates and further insights into cybersecurity and AWS best practices.

Creating a KMS Key Shared With an Organization OU Using a Generic Key Policy

ACM.423 Modifying our existing policy that deploys every KMS key in our account to support deploying a key for an Organizational Unit

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: AWS Security | Encryption

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post I shared how I created and configured resources in a new AWS account used for a specific project.

In this post, I am going to add the option to share a KMS key across a non-production environment. I’m going to create this key in the AWS account I created specifically for KMS keys in this post named nonprod-keys.

Specifically, I am going to create a key for encrypting Amazon Machine Images (AMIs) shared to the environment. If you’re not familiar with AMIs, they are the template (operating system plus any baked-in configuration) from which a VM is launched on AWS; an encrypted AMI is one whose backing EBS snapshots are encrypted with a KMS key, so any account that launches from it needs permission to use that key. I wrote a bit about encrypting AMIs in the following post. You can start with this post and work backwards as needed:

I’m going to start with the single KMS key template I currently use for every KMS key I deploy. I’ve modified it over a series of posts to handle all my use cases:

In order to deploy the key, I’m going to assume the AWS Organizations role in the KMS account using the function I created in this post:

Later I may create dedicated KMS administrator and KMS user roles for this, but for now I’m just getting started with this approach.

I need to add a KMS key whose key policy grants the nonprod environment permission to use it. As you may recall, my nonprod environment looks like this:

So I’m hoping that granting access to the nonprod OU alone allows all OUs below it to access the key.

The process for granting access to an OU to use a key is described here:

Though the documentation is a bit misleading.

We want to use the second policy, the one scoped to specific OUs rather than the whole organization, and grant access specifically to the non-prod OU. Its condition matches on aws:PrincipalOrgPaths, and because each path pattern ends in /*, it covers accounts placed directly in the listed OU and accounts in any OU nested under it, which is the behavior I’m hoping for above. The policy from the documentation looks like this:

I have a common KMS template so I want to add the option to pass in a list of OUs, just like I pass in the list of ARNs for encrypt or decrypt permissions.

First of all, I’m going to call a new function that in turn calls the existing function that deploys a KMS key:

I need to add that function to my kms_functions file. I want it to work like this:

I need to adjust the generic KMS key template to handle the new parameters and allow empty parameters for ARNs.

I add my parameters and make sure the encrypt ARNs, decrypt ARNs and OUs are all optional by giving each a default value of an empty string:

I check whether each of those values was provided in the Conditions section of the template:

Recall that I optionally add a statement for services if services were passed in the parameters:

I can apply the same Fn::If logic to the values above to optionally add statements for the encrypt and decrypt ARNs, only if they were provided:

And add the new statements for OUs. I’m going to reuse the statements I already tested for ARNs, but change the principal and condition to match the example policy in the AWS documentation, so that the allowed actions are limited to principals in the specified OUs. The same kind of condition optionally adds these statements only when OUs are provided.

Encryption:

* I ended up renaming the OrganizationIdParam

Decryption:

That’s it. Install the key and check to see that it was created with the updated policy in your KMS account.
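To make the pieces above concrete, here is an added example of a generic KMS key template in the style this post describes; it is not the author’s template and not the exact code from the kms_functions file. The parameter names (EncryptArns, DecryptArns, OUPaths), the Condition names, and the choice to pass the OUs as full Organizations paths are assumptions for illustration. Unlike the post, which keeps separate encryption and decryption statements for the OUs, this example folds them into one statement shaped like the AWS documentation example, and it adds a CreateGrant statement that EC2 needs when an instance is launched from an encrypted AMI.

```yaml
# Added example (not the author's template): a generic KMS key whose ARN and OU
# statements are emitted only when the matching parameter is non-empty.
# Parameter and Condition names (EncryptArns, DecryptArns, OUPaths, Has*) are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Description: Generic KMS key with optional cross-account and Organization OU access

Parameters:
  KeyAlias:
    Type: String
  EncryptArns:
    Type: String
    Default: ""
    Description: Comma-separated principal ARNs allowed to encrypt (empty = none)
  DecryptArns:
    Type: String
    Default: ""
    Description: Comma-separated principal ARNs allowed to decrypt (empty = none)
  OUPaths:
    Type: String
    Default: ""
    Description: Comma-separated org paths like o-xxxxxxxxxx/r-xxxx/ou-xxxx-xxxxxxxx/*

Conditions:
  # An empty default means "emit no statement", never a statement with no principal.
  HasEncryptArns: !Not [!Equals [!Ref EncryptArns, ""]]
  HasDecryptArns: !Not [!Equals [!Ref DecryptArns, ""]]
  HasOUPaths: !Not [!Equals [!Ref OUPaths, ""]]

Resources:
  Key:
    Type: AWS::KMS::Key
    Properties:
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Always present, or the key cannot be administered after creation.
          - Sid: KeyAdministration
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          - !If
            - HasEncryptArns
            - Sid: EncryptArns
              Effect: Allow
              Principal:
                AWS: !Split [",", !Ref EncryptArns]
              Action: ["kms:Encrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*", "kms:DescribeKey"]
              Resource: "*"
            - !Ref AWS::NoValue
          - !If
            - HasDecryptArns
            - Sid: DecryptArns
              Effect: Allow
              Principal:
                AWS: !Split [",", !Ref DecryptArns]
              Action: ["kms:Decrypt", "kms:DescribeKey"]
              Resource: "*"
            - !Ref AWS::NoValue
          # As in the AWS example: Principal "*" is only safe because the Condition
          # limits it to the given org paths; the trailing /* also matches nested OUs.
          - !If
            - HasOUPaths
            - Sid: OUEncryptDecrypt
              Effect: Allow
              Principal: "*"
              Action: ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
              Resource: "*"
              Condition:
                ForAnyValue:StringLike:
                  aws:PrincipalOrgPaths: !Split [",", !Ref OUPaths]
            - !Ref AWS::NoValue
          # EC2 creates a grant on the key when it launches an instance from an
          # encrypted AMI, so OU accounts also need CreateGrant for AWS-service grants.
          - !If
            - HasOUPaths
            - Sid: OUGrantsForAWSResources
              Effect: Allow
              Principal: "*"
              Action: kms:CreateGrant
              Resource: "*"
              Condition:
                Bool:
                  kms:GrantIsForAWSResource: "true"
                ForAnyValue:StringLike:
                  aws:PrincipalOrgPaths: !Split [",", !Ref OUPaths]
            - !Ref AWS::NoValue
  Alias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub alias/${KeyAlias}
      TargetKeyId: !Ref Key
```

With a single OU path there is nothing to escape, so deploying from the KMS account looks like `aws cloudformation deploy --template-file kms-key.yaml --stack-name nonprod-ami-key --parameter-overrides KeyAlias=nonprod-ami "OUPaths=o-xxxxxxxxxx/r-xxxx/ou-xxxx-xxxxxxxx/*"` (the stack name, file name and path are placeholders). To check that the key was created with the updated policy, run `aws kms get-key-policy --key-id alias/nonprod-ami --policy-name default --output text` and confirm the OU statements are present and the aws:PrincipalOrgPaths values are the ones you passed. Two caveats a reviewer would look for: the key policy alone does not grant anything cross-account, so principals in the nonprod accounts still need an IAM policy in their own account allowing these kms actions on this key’s ARN; and because the condition is evaluated on every request, an account moved out of the nonprod OU loses access immediately, which is the behavior you want but worth remembering when you reorganize accounts.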

I’ll test it out in the next few posts.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign up for my Medium email list
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab