By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Auditing KMS AWS owned key

0

Hello folks!

I am trying to audit an AWS owned key using Cloudtrail, the intention is to eventually create a metric filter in Cloudwatch that will generate an alert in case of unwanted usage of that key to perform crypto operations. I read in the AWS documentation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html) that AWS owned keys cannot be audited: "You do not need to create or manage the AWS owned keys. However, you cannot view, use, track, or audit them". However in my default Cloudtrail for management events, I can see Decrypt events that use that AWS managed key based on the arn of the key itself. I am wondering if anybody here has ever tried to track usage of an AWS owned key and/or trying to achieve the same goal I am describing in this post?

Thanks!

  • JaccoPK
    2 years ago

    Seems entirely plausible that auditing is possible.

    I inspected Cloudwatch and it does not report having any metrics available to display.

    Maybe you would need to make a EventBridge rule attached to a lambda that logs them to CloudWatch

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
AWS Key Management ServiceSecurity, Identity, & ComplianceAWS CloudTrail
Language
English
niccogiulianelli
asked 2 years ago557 views
2 Answers
1
Accepted Answer

Hi Nicco, most AWS services offer the choice of an AWS managed CMK, or an AWS owned CMK.

As explained in the docs, the AWS managed CMK is visible in the customer's account. Customers can view the CMK and its key state, and use GetKeyPolicy to view (but not change) the key policy. They can also track use of the AWS managed CMK by AWS services in CloudTrail logs. The key policy uses a kms:ViaService condition key that allows the key to be used only by the service on the customer's behalf; not by the customer directly. Also, customers are charged a per-use rate for AWS managed CMKs, although some services eat that cost.

These features are not available on an AWS owned CMK (In your account, it is displayed as aws/servicename, eg. aws/ebs), which is not in customer's account. However, despite the decreased visibility, the key is easy to use. The service creates, maintains, and uses the CMK on the customer's behalf.

AWS
Naj_AWS
answered 2 years ago
1

There is a difference between "AWS Owned" and "AWS Managed" keys. What you are seeing in the logs is the "AWS Managed" keys.

profile pictureAWS
EXPERT
kentrad
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content