102 changes: 97 additions & 5 deletions skills/cloud/aws-review/SKILL.md
Expand Up @@ -5,15 +5,16 @@ description: >
Foundations Benchmark v3.0.0. Auto-invoked when reviewing AWS infrastructure,
IAM policies, S3 configurations, CloudTrail settings, VPC security groups, or
RDS encryption. Walks through all five benchmark sections, evaluates each
recommendation, and produces a prioritized findings report with remediation
guidance mapped to specific CIS control IDs.
recommendation, checks KMS effective-access evidence for encryption claims,
and produces a prioritized findings report with remediation guidance mapped
to specific CIS control IDs.
tags: [cloud, aws, cis-benchmark]
role: [cloud-security-engineer, security-engineer]
phase: [assess, operate]
frameworks: [CIS-AWS-v3.0.0]
difficulty: intermediate
time_estimate: "60-90min"
version: "1.0.0"
version: "1.0.1"
author: unitoneai
license: MIT
allowed-tools: Read, Grep, Glob
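Review bot: the version bump in this hunk goes from 1.0.0 to 1.0.1, but the change introduces a whole new review step, a new output section and its own severity guidance, which is a feature rather than a patch-level fix; consider 1.1.0 so downstream users notice the expanded scope. The `time_estimate: "60-90min"` line directly above it is left unchanged even though the description now promises a KMS effective-access review on top of the five CIS sections; either raise the estimate or state in the description that the KMS step is conditional on KMS being in scope.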
Expand All @@ -27,7 +28,7 @@ argument-hint: "[target-file-or-directory]"

This skill performs a structured security assessment of AWS environments against the **CIS Amazon Web Services Foundations Benchmark v3.0.0**. The benchmark is organized into five sections covering identity management, storage, logging, monitoring, and networking. Each recommendation is evaluated by inspecting infrastructure-as-code definitions (Terraform, CloudFormation, CDK), AWS CLI output, or configuration files available in the repository.

The CIS AWS Foundations Benchmark v3.0.0 contains 62 recommendations across five domains. This skill evaluates each applicable control against the codebase and produces a findings report with CIS recommendation IDs, severity ratings, and actionable remediation steps.
The CIS AWS Foundations Benchmark v3.0.0 contains 62 recommendations across five domains. This skill evaluates each applicable control against the codebase and produces a findings report with CIS recommendation IDs, severity ratings, and actionable remediation steps. When a review relies on KMS encryption for sensitive data protection, CIS coverage is not enough by itself; collect KMS effective-access evidence for key policies, IAM delegation, grants, service constraints, external key stores, multi-Region replicas, and operational monitoring.

---

Expand Down Expand Up @@ -76,6 +77,9 @@ Use Glob to locate all AWS-related infrastructure definitions.
**/terraform/**/*.tf
**/iam-policies/**/*.json
**/policies/**/*.json
**/kms/**/*.json
**/kms/**/*.yaml
**/kms/**/*.tf
```

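Review bot: the three added patterns only match files under a `kms/` directory, so `aws_kms_key`, `aws_kms_grant` and key-policy JSON defined inline in a module elsewhere in the tree are not discovered by this step (the existing `**/terraform/**/*.tf` pattern has the same limitation for trees not rooted at `terraform/`). Since the KMS step already names `aws_kms_key`, `aws_kms_grant` and the `kms:` action strings as evidence, a Grep over all `*.tf`, `*.json` and `*.yaml` files for those identifiers would be a more reliable discovery path than a directory-based glob; consider adding that to the instruction text rather than relying on the glob alone.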
Also locate supporting configuration:
Expand All @@ -85,6 +89,8 @@ Also locate supporting configuration:
**/.aws/credentials
**/aws-config-rules/**
**/security-hub/**
**/cloudtrail/**
**/cloudwatch/**
```

Record all discovered files. If no AWS configurations are found, report that finding and halt.
Expand All @@ -99,7 +105,62 @@ For detailed CIS benchmark checklist items with specific Terraform patterns, gre

---

### Step 7: Compile Assessment Report
### Step 7: KMS Effective-Access Evidence Review

Perform this step when the target uses KMS customer-managed keys, key policies, grants, external key stores, multi-Region keys, or encryption claims for S3, EBS, RDS, EFS, DynamoDB, CloudTrail, Secrets Manager, or application-level data protection. Do not score a KMS key as safe solely because encryption is enabled.

**Evidence to locate:**

```
aws_kms_key
aws_kms_external_key
aws_kms_replica_key
aws_kms_replica_external_key
aws_kms_grant
aws_kms_alias
kms:CreateGrant
kms:ListGrants
kms:RevokeGrant
kms:RetireGrant
kms:Decrypt
kms:GenerateDataKey
kms:ViaService
kms:CallerAccount
kms:EncryptionContext
```

For each sensitive key or key family, record:

- Key ARN, alias, owning account, region, and data classification.
- Effective key policy principals, administrative actions, cryptographic actions, and explicit denies.
- IAM identity policies that can use the key or delegate access through `kms:CreateGrant`.
- Grant definitions and live grant inventory, including grantee principal, retiring principal, operations, constraints, creation time, and revocation evidence.
- Service constraints such as `kms:ViaService`, `kms:CallerAccount`, `aws:SourceArn`, and `aws:SourceAccount`.
- Encryption context requirements for shared keys or multi-tenant application keys.
- CloudTrail monitoring for `CreateGrant`, `RetireGrant`, `RevokeGrant`, failed decrypts, unexpected principals, and cross-account use.
- XKS connectivity, proxy health, key material availability, break-glass path, rotation expectations, and incident fallback.
- Multi-Region primary and replica keys, replica policy drift, rotation state, deletion windows, and failover procedures.

**Evaluation gates:**

- For KMS key policies, do not treat `Resource: "*"` as inherently risky. Key policies commonly use `*` because the policy is attached to the key. Score the effective access path: principal scope, actions, conditions, IAM delegation, grants, and account boundaries.
- Treat `kms:CreateGrant` as delegation-sensitive. Require grant constraints, least-privilege operations, a retiring principal, CloudTrail monitoring, and stale-grant review.
- Check both key policy and IAM identity policies. A restrictive key policy can still allow broad usage when it delegates permission management to IAM or account root without compensating conditions.
- Require service constraints for service-linked or workload roles when the intended access path is through S3, EBS, RDS, CloudTrail, Secrets Manager, or another AWS service.
- Require encryption context constraints when a key is shared across applications, tenants, environments, or data classes.
- Mark KMS effective access **Not Evaluable** when only Terraform variables, wrapper-module inputs, or high-level encryption booleans are available and no expanded policy, grant, or CloudTrail evidence is present.
- For external key stores and multi-Region keys, evaluate availability and operational risk in addition to cryptographic access. Missing XKS health, break-glass, replica policy drift, or failover evidence can materially weaken the design.

**Severity guidance:**

- **Critical / High:** Broad decrypt or data-key access to sensitive data, unconstrained `kms:CreateGrant`, external-account key use without caller-account/source constraints, stale grants with decrypt permissions, or XKS outage/failover gaps for critical workloads.
- **Medium:** Missing grant lifecycle evidence, missing CloudTrail detection for grant and decrypt anomalies, broad service role access without `kms:ViaService`, incomplete encryption context constraints, or multi-Region replica policy drift.
- **Low:** Key policy is effectively constrained but documentation, inventory, or stale-grant review evidence is incomplete.
- **Informational:** KMS is not in scope and no sensitive encryption claim depends on customer-managed key access.

---

### Step 8: Compile Assessment Report

Produce the final report using the structure defined in the Output Format section.

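Review bot: the "Evidence to locate" list and the per-key checklist ask for runtime state, namely "live grant inventory", "CloudTrail monitoring", "XKS connectivity, proxy health" and "failover procedures", but the front matter restricts the skill to `Read, Grep, Glob`, so none of that can be observed directly. The "Not Evaluable" gate covers the IaC-only case, yet the step should say explicitly that such evidence counts only when it is present in the repository as exported CLI output, monitoring rules or runbook documentation, and name the file kinds it expects, otherwise reviewers will score "Fail" for evidence the tool set cannot reach. Separately, "Compile Assessment Report" is renumbered from Step 7 to Step 8 here; any step overview or cross-reference earlier in the file outside this hunk needs the same renumbering, which the diff does not show.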
Expand All @@ -115,6 +176,10 @@ Produce the final report using the structure defined in the Output Format sectio
| **Low** | Hardening recommendation or defense-in-depth measure | Missing Macie classification, no hardware MFA on root (when virtual MFA exists), missing access analyzer in non-primary regions |
| **Informational** | Best practice observation, no direct security impact | Naming conventions, tag hygiene, documentation gaps |

### KMS Severity Addendum

When KMS is in scope, severity is based on effective key access rather than encryption enablement alone. A key with `Resource: "*"` in its own key policy can still be properly constrained, while a key with apparently narrow policy text can be high risk if IAM delegation, grants, cross-account principals, or operational key-store controls are broad or unmonitored.

---

## Output Format
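Review bot: the "KMS Severity Addendum" restates the first "Evaluation gates" bullet of the KMS step and pitfall 7 almost verbatim (the `Resource: "*"` point now appears three times in the file); a one-line cross-reference to the KMS step's "Severity guidance" would avoid maintaining the same rule in three places. The severity table above the addendum also keeps its original Examples column without any KMS cases while the KMS step defines its own Critical/High through Informational scale, so the document now has two severity definitions; folding the KMS examples into the table's Examples column would keep a single scale.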
Expand Down Expand Up @@ -158,6 +223,23 @@ Produce the final report using the structure defined in the Output Format sectio
- **Evidence:** <specific configuration or code snippet>
- **Remediation:** <specific fix with code example>

### KMS Effective-Access Evidence

| Key / Alias | Account / Region | Principal Scope | Grant Scope | Service / Context Constraints | XKS / Replica Evidence | Status |
|-------------|------------------|-----------------|-------------|-------------------------------|------------------------|--------|
| <key-id-or-alias> | <account/region> | <summary> | <summary> | <summary> | <summary> | Pass / Fail / Not Evaluable |

#### [KMS] <Finding Title>
- **Status:** Pass / Fail / Not Evaluable
- **Severity:** Critical / High / Medium / Low / Informational
- **Key:** <key ARN, alias, account, and region>
- **File:** <path to relevant policy, IaC, export, or monitoring rule>
- **Line(s):** <line numbers if applicable>
- **Description:** <what was found>
- **Evidence:** <policy, IAM, grant, CloudTrail, XKS, or replica details>
- **Effective access:** <principals, grant path, service constraints, encryption context, and cross-account scope>
- **Remediation:** <specific policy, grant, monitoring, XKS, or replica-drift fix>

### Prioritized Remediation Plan

1. **[Critical]** CIS X.Y -- <action item>
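Review bot: the `#### [KMS] <Finding Title>` template has no control-ID field, while the "Prioritized Remediation Plan" entries that follow are keyed as `CIS X.Y -- <action item>`, so KMS findings have no defined way to appear in the plan. State the convention (for example `[KMS] <key alias> -- <action item>`) in the plan template, or add a reference field to the KMS finding that the plan can cite. Minor: the table uses `<key-id-or-alias>` while the finding block uses `<key ARN, alias, account, and region>`; pick one identifier form so the table rows can be matched to finding blocks.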
Expand Down Expand Up @@ -200,6 +282,10 @@ Produce the final report using the structure defined in the Output Format sectio
4. **Assuming default security groups are empty.** AWS default security groups allow all inbound traffic from the same security group and all outbound traffic. CIS 5.4 requires explicitly managing them to have zero rules.
5. **Overlooking IMDSv2 in launch templates.** CIS 5.6 applies to both `aws_instance` and `aws_launch_template` resources. Checking only direct instance definitions misses auto-scaled instances.
6. **Counting not-evaluable controls as passing.** If a control cannot be verified from the available IaC (e.g., contact details in CIS 1.1), mark it "Not Evaluable" rather than "Pass."
7. **Misreading KMS key-policy resources.** `Resource: "*"` in a key policy is common because the policy is attached to one key. Review principals, actions, conditions, grants, and IAM delegation before flagging it.
8. **Missing KMS grants.** `kms:CreateGrant` can delegate decrypt or data-key access outside the obvious IAM path. Check grant constraints, retiring principals, monitoring, and stale grant cleanup.
9. **Ignoring service and encryption-context constraints.** Workload access through AWS services should usually be constrained with `kms:ViaService`, caller/source account conditions, and encryption context where shared keys are used.
10. **Treating XKS and multi-Region keys as ordinary keys.** External key stores and replicas need health, failover, break-glass, policy-drift, and deletion-window evidence.

---

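Review bot: pitfall 9 says service access "should usually be constrained" with `kms:ViaService` and caller/source account conditions, whereas the KMS step's evaluation gates say "Require service constraints" and "Require encryption context constraints", so a reviewer cannot tell whether a missing `kms:ViaService` condition is a Fail or a recommendation. Align the wording with the gates (or state the exception the "usually" refers to). Pitfall 8 could also name the specific check that distinguishes a stale grant, such as a grant whose grantee principal no longer exists or has no retirement evidence, since "stale grant cleanup" is otherwise undefined in the file.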
Expand All @@ -225,10 +311,16 @@ Produce the final report using the structure defined in the Output Format sectio
- AWS CloudTrail Documentation: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/
- AWS Security Hub: https://docs.aws.amazon.com/securityhub/latest/userguide/
- AWS VPC Security: https://docs.aws.amazon.com/vpc/latest/userguide/security.html
- AWS KMS Key Policies: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
- AWS KMS Grants: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
- AWS KMS Condition Keys: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html
- AWS KMS External Key Stores: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
- AWS KMS Multi-Region Keys: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
- Terraform AWS Provider Documentation: https://registry.terraform.io/providers/hashicorp/aws/latest/docs

---

## Changelog

- **1.0.1** -- Added KMS effective-access evidence gates for key policies, IAM delegation, grants, service and encryption-context constraints, CloudTrail monitoring, external key stores, and multi-Region replica drift.
- **1.0.0** -- Initial release. Full coverage of CIS Amazon Web Services Foundations Benchmark v3.0.0 sections 1 through 5 (62 recommendations).
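Review bot: the 1.0.1 changelog entry lists the new gates but does not mention that the report-compilation step was renumbered from 7 to 8, that a "KMS Effective-Access Evidence" section was added to the output format, or that the KMS finding template uses a `[KMS]` prefix instead of a CIS ID; consumers that parse the report or reference step numbers would want those called out. The five new reference links point at the current AWS KMS developer guide pages, which is fine, but consider noting the benchmark itself has no KMS section so readers know the KMS review is a skill-level addition rather than CIS coverage.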