Auditing KMS AWS owned key

0

Hello folks!

I am trying to audit an AWS owned key using CloudTrail; the intention is to eventually create a metric filter in CloudWatch that will generate an alert in case of unwanted usage of that key to perform crypto operations. I read in the AWS documentation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html) that AWS owned keys cannot be audited: "You do not need to create or manage the AWS owned keys. However, you cannot view, use, track, or audit them". However, in my default CloudTrail for management events, I can see Decrypt events that use that AWS managed key, based on the ARN of the key itself. I am wondering if anybody here has ever tried to track usage of an AWS owned key and/or tried to achieve the same goal I am describing in this post?

Thanks!

  • Seems entirely plausible that auditing is possible.

    I inspected CloudWatch and it does not report having any metrics available to display.

    Maybe you would need to make an EventBridge rule attached to a Lambda that logs them to CloudWatch.

2 answers
1
Accepted answer

Hi Nicco, most AWS services offer the choice of an AWS managed CMK, or an AWS owned CMK.

As explained in the docs, the AWS managed CMK is visible in the customer's account. Customers can view the CMK and its key state, and use GetKeyPolicy to view (but not change) the key policy. They can also track use of the AWS managed CMK by AWS services in CloudTrail logs. The key policy uses a kms:ViaService condition key that allows the key to be used only by the service on the customer's behalf; not by the customer directly. Also, customers are charged a per-use rate for AWS managed CMKs, although some services eat that cost.

These features are not available on an AWS owned CMK (in your account, it is displayed as aws/servicename, e.g. aws/ebs), which is not in the customer's account. However, despite the decreased visibility, the key is easy to use. The service creates, maintains, and uses the CMK on the customer's behalf.

AWS
Naj_AWS
answered 2 years ago
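The detection the question asks for, built on the distinction the accepted answer draws, as an added example that is not code from this thread or from AWS. It assumes a placeholder key ARN, that the monitored key is the first entry of a record's resources list, that service-initiated calls carry userIdentity.invokedBy, and constructed CloudTrail records rather than real log data.

```python
import json

# KMS API calls that perform cryptographic work with a key (the calls the
# question wants to alert on).
CRYPTO_OPS = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
              "GenerateDataKeyWithoutPlaintext"}

def metric_filter_pattern(key_arn):
    """CloudWatch Logs JSON filter pattern matching Decrypt calls on one key
    (assumes the key ARN is the first entry of the record's resources list)."""
    return ('{ ($.eventSource = "kms.amazonaws.com") && ($.eventName = "Decrypt")'
            ' && ($.resources[0].ARN = "%s") }' % key_arn)

def flag_key_usage(records, key_arn, allowed_services):
    """Return the CloudTrail records that use key_arn for a crypto operation
    outside the expected service path. A hit is a crypto-op record on key_arn
    that was not made via one of allowed_services (userIdentity.invokedBy),
    or that was denied (errorCode set): with a kms:ViaService key policy a
    direct caller is rejected, but the attempt is still logged."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in CRYPTO_OPS:
            continue
        if key_arn not in {r.get("ARN") for r in rec.get("resources", [])}:
            continue
        via = rec.get("userIdentity", {}).get("invokedBy")
        if via not in allowed_services or "errorCode" in rec:
            hits.append(rec)
    return hits

# Constructed sample trail (not real log data); placeholder account and key ids.
KEY = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
SAMPLE_TRAIL = json.loads("""[
 {"eventName": "Decrypt", "eventSource": "kms.amazonaws.com",
  "userIdentity": {"type": "AssumedRole", "invokedBy": "ec2.amazonaws.com"},
  "resources": [{"ARN": "%s"}]},
 {"eventName": "Decrypt", "eventSource": "kms.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "errorCode": "AccessDenied", "resources": [{"ARN": "%s"}]},
 {"eventName": "DescribeKey", "eventSource": "kms.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "resources": [{"ARN": "%s"}]}
]""" % (KEY, KEY, KEY))

if __name__ == "__main__":
    for hit in flag_key_usage(SAMPLE_TRAIL, KEY, {"ec2.amazonaws.com"}):
        print(hit["eventName"], hit["userIdentity"], hit.get("errorCode"))
```

Only the direct, denied Decrypt by the IAM user is flagged; the EBS-path call and the non-crypto DescribeKey are not.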
1

There is a difference between "AWS Owned" and "AWS Managed" keys. What you are seeing in the logs is the "AWS Managed" keys.

AWS
Expert
kentrad
answered 2 years ago
