From 3ef993deecd76a3024d569ba04c2d9bda8f69079 Mon Sep 17 00:00:00 2001 From: KooZuKi <17777685+KooZuKi@users.noreply.github.com> Date: Fri, 5 Jun 2026 14:38:18 -0700 Subject: [PATCH] Add KMS effective access review gates --- skills/cloud/aws-review/SKILL.md | 102 +++++++++++++++++++++++++++++-- 1 file changed, 97 insertions(+), 5 deletions(-) diff --git a/skills/cloud/aws-review/SKILL.md b/skills/cloud/aws-review/SKILL.md index 85405148..01e8263e 100644 --- a/skills/cloud/aws-review/SKILL.md +++ b/skills/cloud/aws-review/SKILL.md @@ -5,15 +5,16 @@ description: > Foundations Benchmark v3.0.0. Auto-invoked when reviewing AWS infrastructure, IAM policies, S3 configurations, CloudTrail settings, VPC security groups, or RDS encryption. Walks through all five benchmark sections, evaluates each - recommendation, and produces a prioritized findings report with remediation - guidance mapped to specific CIS control IDs. + recommendation, checks KMS effective-access evidence for encryption claims, + and produces a prioritized findings report with remediation guidance mapped + to specific CIS control IDs. tags: [cloud, aws, cis-benchmark] role: [cloud-security-engineer, security-engineer] phase: [assess, operate] frameworks: [CIS-AWS-v3.0.0] difficulty: intermediate time_estimate: "60-90min" -version: "1.0.0" +version: "1.0.1" author: unitoneai license: MIT allowed-tools: Read, Grep, Glob 
@@ -27,7 +28,7 @@ argument-hint: "[target-file-or-directory]" This skill performs a structured security assessment of AWS environments against the **CIS Amazon Web Services Foundations Benchmark v3.0.0**. The benchmark is organized into five sections covering identity management, storage, logging, monitoring, and networking. Each recommendation is evaluated by inspecting infrastructure-as-code definitions (Terraform, CloudFormation, CDK), AWS CLI output, or configuration files available in the repository. -The CIS AWS Foundations Benchmark v3.0.0 contains 62 recommendations across five domains. This skill evaluates each applicable control against the codebase and produces a findings report with CIS recommendation IDs, severity ratings, and actionable remediation steps. +The CIS AWS Foundations Benchmark v3.0.0 contains 62 recommendations across five domains. This skill evaluates each applicable control against the codebase and produces a findings report with CIS recommendation IDs, severity ratings, and actionable remediation steps. When a review relies on KMS encryption for sensitive data protection, CIS coverage is not enough by itself; collect KMS effective-access evidence for key policies, IAM delegation, grants, service constraints, external key stores, multi-Region replicas, and operational monitoring. --- @@ -76,6 +77,9 @@ Use Glob to locate all AWS-related infrastructure definitions. **/terraform/**/*.tf **/iam-policies/**/*.json **/policies/**/*.json +**/kms/**/*.json +**/kms/**/*.yaml +**/kms/**/*.tf ``` Also locate supporting configuration: @@ -85,6 +89,8 @@ Also locate supporting configuration: **/.aws/credentials **/aws-config-rules/** **/security-hub/** +**/cloudtrail/** +**/cloudwatch/** ``` Record all discovered files. If no AWS configurations are found, report that finding and halt. 
@@ -99,7 +105,62 @@ For detailed CIS benchmark checklist items with specific Terraform patterns, gre --- -### Step 7: Compile Assessment Report +### Step 7: KMS Effective-Access Evidence Review + +Perform this step when the target uses KMS customer-managed keys, key policies, grants, external key stores, multi-Region keys, or encryption claims for S3, EBS, RDS, EFS, DynamoDB, CloudTrail, Secrets Manager, or application-level data protection. Do not score a KMS key as safe solely because encryption is enabled. + +**Evidence to locate:** + +``` +aws_kms_key +aws_kms_external_key +aws_kms_replica_key +aws_kms_replica_external_key +aws_kms_grant +aws_kms_alias +kms:CreateGrant +kms:ListGrants +kms:RevokeGrant +kms:RetireGrant +kms:Decrypt +kms:GenerateDataKey +kms:ViaService +kms:CallerAccount +kms:EncryptionContext +``` + +For each sensitive key or key family, record: + +- Key ARN, alias, owning account, region, and data classification. +- Effective key policy principals, administrative actions, cryptographic actions, and explicit denies. +- IAM identity policies that can use the key or delegate access through `kms:CreateGrant`. +- Grant definitions and live grant inventory, including grantee principal, retiring principal, operations, constraints, creation time, and revocation evidence. +- Service constraints such as `kms:ViaService`, `kms:CallerAccount`, `aws:SourceArn`, and `aws:SourceAccount`. +- Encryption context requirements for shared keys or multi-tenant application keys. +- CloudTrail monitoring for `CreateGrant`, `RetireGrant`, `RevokeGrant`, failed decrypts, unexpected principals, and cross-account use. +- XKS connectivity, proxy health, key material availability, break-glass path, rotation expectations, and incident fallback. +- Multi-Region primary and replica keys, replica policy drift, rotation state, deletion windows, and failover procedures. + +**Evaluation gates:** + +- For KMS key policies, do not treat `Resource: "*"` as inherently risky. 
Key policies commonly use `*` because the policy is attached to the key. Score the effective access path: principal scope, actions, conditions, IAM delegation, grants, and account boundaries. +- Treat `kms:CreateGrant` as delegation-sensitive. Require grant constraints, least-privilege operations, a retiring principal, CloudTrail monitoring, and stale-grant review. +- Check both key policy and IAM identity policies. A restrictive key policy can still allow broad usage when it delegates permission management to IAM or account root without compensating conditions. +- Require service constraints for service-linked or workload roles when the intended access path is through S3, EBS, RDS, CloudTrail, Secrets Manager, or another AWS service. +- Require encryption context constraints when a key is shared across applications, tenants, environments, or data classes. +- Mark KMS effective access **Not Evaluable** when only Terraform variables, wrapper-module inputs, or high-level encryption booleans are available and no expanded policy, grant, or CloudTrail evidence is present. +- For external key stores and multi-Region keys, evaluate availability and operational risk in addition to cryptographic access. Missing XKS health, break-glass, replica policy drift, or failover evidence can materially weaken the design. + +**Severity guidance:** + +- **Critical / High:** Broad decrypt or data-key access to sensitive data, unconstrained `kms:CreateGrant`, external-account key use without caller-account/source constraints, stale grants with decrypt permissions, or XKS outage/failover gaps for critical workloads. +- **Medium:** Missing grant lifecycle evidence, missing CloudTrail detection for grant and decrypt anomalies, broad service role access without `kms:ViaService`, incomplete encryption context constraints, or multi-Region replica policy drift. +- **Low:** Key policy is effectively constrained but documentation, inventory, or stale-grant review evidence is incomplete. 
+- **Informational:** KMS is not in scope and no sensitive encryption claim depends on customer-managed key access. + +--- + +### Step 8: Compile Assessment Report Produce the final report using the structure defined in the Output Format section. @@ -115,6 +176,10 @@ Produce the final report using the structure defined in the Output Format sectio | **Low** | Hardening recommendation or defense-in-depth measure | Missing Macie classification, no hardware MFA on root (when virtual MFA exists), missing access analyzer in non-primary regions | | **Informational** | Best practice observation, no direct security impact | Naming conventions, tag hygiene, documentation gaps | +### KMS Severity Addendum + +When KMS is in scope, severity is based on effective key access rather than encryption enablement alone. A key with `Resource: "*"` in its own key policy can still be properly constrained, while a key with apparently narrow policy text can be high risk if IAM delegation, grants, cross-account principals, or operational key-store controls are broad or unmonitored. + --- ## Output Format @@ -158,6 +223,23 @@ Produce the final report using the structure defined in the Output Format sectio - **Evidence:** - **Remediation:** +### KMS Effective-Access Evidence + +| Key / Alias | Account / Region | Principal Scope | Grant Scope | Service / Context Constraints | XKS / Replica Evidence | Status | +|-------------|------------------|-----------------|-------------|-------------------------------|------------------------|--------| +| | | | | | | Pass / Fail / Not Evaluable | + +#### [KMS] +- **Status:** Pass / Fail / Not Evaluable +- **Severity:** Critical / High / Medium / Low / Informational +- **Key:** +- **File:** +- **Line(s):** +- **Description:** +- **Evidence:** +- **Effective access:** +- **Remediation:** + ### Prioritized Remediation Plan 1. **[Critical]** CIS X.Y -- 
@@ -200,6 +282,10 @@ Produce the final report using the structure defined in the Output Format sectio 4. **Assuming default security groups are empty.** AWS default security groups allow all inbound traffic from the same security group and all outbound traffic. CIS 5.4 requires explicitly managing them to have zero rules. 5. **Overlooking IMDSv2 in launch templates.** CIS 5.6 applies to both `aws_instance` and `aws_launch_template` resources. Checking only direct instance definitions misses auto-scaled instances. 6. **Counting not-evaluable controls as passing.** If a control cannot be verified from the available IaC (e.g., contact details in CIS 1.1), mark it "Not Evaluable" rather than "Pass." +7. **Misreading KMS key-policy resources.** `Resource: "*"` in a key policy is common because the policy is attached to one key. Review principals, actions, conditions, grants, and IAM delegation before flagging it. +8. **Missing KMS grants.** `kms:CreateGrant` can delegate decrypt or data-key access outside the obvious IAM path. Check grant constraints, retiring principals, monitoring, and stale grant cleanup. +9. **Ignoring service and encryption-context constraints.** Workload access through AWS services should usually be constrained with `kms:ViaService`, caller/source account conditions, and encryption context where shared keys are used. +10. **Treating XKS and multi-Region keys as ordinary keys.** External key stores and replicas need health, failover, break-glass, policy-drift, and deletion-window evidence. --- 
@@ -225,10 +311,16 @@ Produce the final report using the structure defined in the Output Format sectio - AWS CloudTrail Documentation: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/ - AWS Security Hub: https://docs.aws.amazon.com/securityhub/latest/userguide/ - AWS VPC Security: https://docs.aws.amazon.com/vpc/latest/userguide/security.html +- AWS KMS Key Policies: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html +- AWS KMS Grants: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html +- AWS KMS Condition Keys: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html +- AWS KMS External Key Stores: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html +- AWS KMS Multi-Region Keys: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html - Terraform AWS Provider Documentation: https://registry.terraform.io/providers/hashicorp/aws/latest/docs --- ## Changelog +- **1.0.1** -- Added KMS effective-access evidence gates for key policies, IAM delegation, grants, service and encryption-context constraints, CloudTrail monitoring, external key stores, and multi-Region replica drift. - **1.0.0** -- Initial release. Full coverage of CIS Amazon Web Services Foundations Benchmark v3.0.0 sections 1 through 5 (62 recommendations).
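Review bot: In the frontmatter hunk, `time_estimate: "60-90min"` is left unchanged even though the new Step 7 asks the reviewer to pull a live grant inventory, CloudTrail evidence for `CreateGrant`/`RetireGrant`/`RevokeGrant`, XKS health and multi-Region replica drift for every sensitive key family; either raise the estimate or state that Step 7 is additive to it. Also, adding a whole review step is a feature rather than a fix, so a minor bump (`version: "1.1.0"`) would fit semver better than `"1.0.1"`; whichever you pick, keep the Changelog entry in sync with it.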
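Review bot: The new discovery globs `**/kms/**/*.json`, `**/kms/**/*.yaml` and `**/kms/**/*.tf` only find KMS definitions that happen to live under a directory named `kms/`. Terraform `aws_kms_key` resources are usually declared next to the S3/RDS/EBS resources that use them (already covered by `**/terraform/**/*.tf`), and CloudFormation templates declaring `AWS::KMS::Key`, `AWS::KMS::Alias` or `AWS::KMS::ReplicaKey` outside such a folder would be missed entirely, which then pushes the key to "Not Evaluable" for the wrong reason. Suggest dropping the directory assumption and instead grepping the full set of discovered IaC for `aws_kms_key`, `aws_kms_replica_key`, `AWS::KMS::Key` and `AWS::KMS::ReplicaKey`, as the Step 7 evidence list already does for Terraform resource names.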
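Review bot: In the Step 7 hunk, the "Evidence to locate" grep list covers the cryptographic actions (`kms:Decrypt`, `kms:GenerateDataKey`, grant actions) but none of the administrative ones, yet the very next list asks the reviewer to record "administrative actions" and "explicit denies" per key. A key policy handing `kms:PutKeyPolicy`, `kms:ScheduleKeyDeletion` or `kms:DisableKey` to a broad principal is a worse outcome than broad decrypt and would not be surfaced by the search as written; suggest adding those actions, `kms:ReEncrypt*`, and the Terraform `aws_kms_key_policy` and `aws_kms_custom_key_store` resources (the XKS bullet asks for connectivity and proxy evidence that `aws_kms_external_key` alone will not locate). Two smaller points in the same hunk: `kms:EncryptionContext` is only a prefix, the real condition keys are `kms:EncryptionContext:<context-key>` and `kms:EncryptionContextKeys`, so say so or a literal miss will be read as "no context constraint"; and since "Compile Assessment Report" moves from Step 7 to Step 8, please confirm no step overview or cross-reference elsewhere in SKILL.md still points at Step 7.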
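Review bot: Common mistake 7 tells the reviewer to check "IAM delegation" but neither it nor the Step 7 gate "Check both key policy and IAM identity policies" states the precondition that decides whether IAM policies matter at all: an IAM identity policy grants access to a KMS key only if the key policy contains a statement allowing the account principal (`arn:aws:iam::<account-id>:root`), which the default key policy does. Without that statement, IAM policies are inert for the key and broad-looking IAM findings are false positives; with it, every identity in the account is in scope and the IAM review must be exhaustive. Suggest an explicit bullet in both places: first determine whether the key policy enables IAM policies, then size the IAM review accordingly, and treat `bypass_policy_lockout_safety_check = true` on `aws_kms_key` as its own finding since it allows a key policy that locks out the account.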