ZCSPM
Granting Access to KMS Keys on AWS
You can grant the ZCSPM data collector role access to your AWS Key Management Service (KMS) keys to enable four security policies. ZCSPM can collect the configuration metadata these policies need as long as you have not explicitly set up deny policies on the KMS customer managed key.
Additional security policies covered by KMS key access (Security Policy Title, Security Policy Category):
- Ensure that there are no disabled Customer Master Keys (CMK) in your AWS account in order to follow AWS best practices (AWS - Key Management)
- Ensure Amazon KMS master keys are not exposed to everyone (AWS - Key Management)
- Ensure rotation for customer created CMKs is enabled (AWS - Key Management)
- Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion (AWS - Key Management)
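The four policies above are evaluated from exactly the metadata the read-only actions below expose (DescribeKey for key state, GetKeyPolicy for the policy document, GetKeyRotationStatus for rotation). The following is an added example, not ZCSPM's own evaluation logic: it runs the four checks over constructed key records whose field names mirror those API responses. The "exposed to everyone" rule is an assumption of this example (an Allow statement for principal "*" or {"AWS": "*"} with no Condition block); the key IDs, account ID and organization ID are constructed.

```python
import json

# One finding label per KMS policy in the list above.
FINDING_DISABLED = "disabled CMK"
FINDING_EXPOSED = "key policy exposes the key to everyone"
FINDING_NO_ROTATION = "automatic rotation not enabled"
FINDING_PENDING_DELETION = "scheduled for deletion"


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (any AWS account / anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def is_exposed_to_everyone(policy_json):
    """Flag an Allow statement for an anonymous principal with no Condition.

    Assumption of this example: a Condition (e.g. aws:PrincipalOrgID) is taken
    to fence the grant, so conditioned statements are not reported.
    """
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_everyone(stmt.get("Principal"))
                and not stmt.get("Condition")):
            return True
    return False


def evaluate_key(key):
    """Return the findings for one key record; an empty list means compliant."""
    findings = []
    if key["KeyState"] == "Disabled":
        findings.append(FINDING_DISABLED)
    if is_exposed_to_everyone(key["Policy"]):
        findings.append(FINDING_EXPOSED)
    if not key["KeyRotationEnabled"]:
        findings.append(FINDING_NO_ROTATION)
    if key["KeyState"] == "PendingDeletion":
        findings.append(FINDING_PENDING_DELETION)
    return findings


def evaluate_all(keys):
    """Map each KeyId to its findings."""
    return {k["KeyId"]: evaluate_key(k) for k in keys}


# Constructed sample records (not real account data); the field names follow
# DescribeKey.KeyMetadata, GetKeyPolicy.Policy and GetKeyRotationStatus.
SAMPLE_KEYS = [
    {   # compliant: enabled, rotating, policy limited to the account root
        "KeyId": "key-constructed-0001",
        "KeyState": "Enabled",
        "KeyRotationEnabled": True,
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
             "Action": "kms:*", "Resource": "*"}]}),
    },
    {   # disabled, not rotating, and readable by any AWS principal
        "KeyId": "key-constructed-0002",
        "KeyState": "Disabled",
        "KeyRotationEnabled": False,
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}),
    },
    {   # pending deletion; the "*" principal is fenced by a Condition
        "KeyId": "key-constructed-0003",
        "KeyState": "PendingDeletion",
        "KeyRotationEnabled": True,
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "kms:Decrypt",
             "Resource": "*",
             "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-constructed"}}}]}),
    },
]

if __name__ == "__main__":
    for key_id, findings in evaluate_all(SAMPLE_KEYS).items():
        print(key_id, findings or "compliant")
```

Each record is evaluated independently, so the same functions can be fed real DescribeKey / GetKeyPolicy / GetKeyRotationStatus output once the collector role has the read actions described in this page.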
To manually grant access to the ZCSPM data collector role:
- Log in to the AWS Console and navigate to the KMS Dashboard.
- In the left pane menu, click Customer managed keys.
- Select the key you want to update.
- In the Key Policy tab, click Edit.
- Add the following JSON text inside the Statement section of the key policy.
```json
{
  "Sid": "Allow Read Access to Key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "<IAM Role ARN for Onboarded AWS Account>"
  },
  "Action": [
    "kms:DescribeKey",
    "kms:ListResourceTags",
    "kms:ListKeyPolicies",
    "kms:GetKeyPolicy",
    "kms:GetKeyRotationStatus"
  ],
  "Resource": "*"
}
```
If you have many KMS keys and do not want to grant access manually, you can run a Python script instead:
- Log in to the AWS Console and navigate to the AWS CloudShell.
- Download the updateKmsKeyAccessPolicy.py script using the following command:
wget https://raw.githubusercontent.com/Cloudneeti/docs_cloudneeti/master/scripts/aws-additional-policies/updateKmsKeyAccessPolicy.py -O updateKmsKeyAccessPolicy.py
- Run the script using the following command:
python3 updateKmsKeyAccessPolicy.py --cspmRoleArn <IAM Role ARN for Onboarded AWS Account>
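To show what a bulk update of this kind involves, here is an added example written for this page; it is not the project's updateKmsKeyAccessPolicy.py script and may differ from it. It builds the same read-only statement as the manual procedure, merges it into each customer managed key's default key policy idempotently (re-running never duplicates the statement), skips AWS managed keys and keys pending deletion (whose policy cannot be written), and reports rather than writes unless the assumed --apply flag is given. The boto3 calls are the documented ListKeys, DescribeKey, GetKeyPolicy and PutKeyPolicy operations; the role ARN and sample policies are constructed. Note that "Resource": "*" in a key policy refers only to the key the policy is attached to.

```python
import argparse
import json

# The five read-only actions from the key policy statement in this page.
READ_ACTIONS = [
    "kms:DescribeKey",
    "kms:ListResourceTags",
    "kms:ListKeyPolicies",
    "kms:GetKeyPolicy",
    "kms:GetKeyRotationStatus",
]
STATEMENT_SID = "Allow Read Access to Key"


def build_read_statement(role_arn):
    """The statement from the manual procedure with the role ARN filled in."""
    return {
        "Sid": STATEMENT_SID,
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": list(READ_ACTIONS),
        "Resource": "*",  # in a key policy this means "this key"
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def has_read_access(policy, role_arn):
    """True if an unconditional Allow statement already grants the role every read action."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if role_arn not in aws_principals:
            continue
        actions = set(_as_list(stmt.get("Action")))
        if "kms:*" in actions or set(READ_ACTIONS) <= actions:
            return True
    return False


def add_read_statement(policy_json, role_arn):
    """Return (policy_json, changed). Idempotent: a second run makes no change."""
    policy = json.loads(policy_json)
    if has_read_access(policy, role_arn):
        return policy_json, False
    # Replace any stale statement carrying our Sid (Sids must be unique) instead of appending twice.
    statements = [s for s in _as_list(policy.get("Statement")) if s.get("Sid") != STATEMENT_SID]
    statements.append(build_read_statement(role_arn))
    policy["Statement"] = statements
    return json.dumps(policy, indent=2), True


def update_all_keys(role_arn, dry_run=True, kms=None):
    """Apply the statement to every customer managed key; returns the KeyIds that changed."""
    if kms is None:
        import boto3  # imported lazily so the pure helpers above need no AWS SDK
        kms = boto3.client("kms")
    changed = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            key_id = entry["KeyId"]
            meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
            if meta["KeyManager"] != "CUSTOMER":
                continue  # AWS managed key policies cannot be edited
            if meta["KeyState"] == "PendingDeletion":
                continue  # PutKeyPolicy is not permitted on a key pending deletion
            current = kms.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"]
            updated, did_change = add_read_statement(current, role_arn)
            if not did_change:
                continue
            changed.append(key_id)
            if not dry_run:
                kms.put_key_policy(KeyId=key_id, PolicyName="default", Policy=updated)
    return changed


# Constructed inputs for a local check (not real account data).
EXAMPLE_ROLE_ARN = "arn:aws:iam::111122223333:role/zcspm-collector-constructed"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}]})
ALREADY_GRANTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": EXAMPLE_ROLE_ARN},
     "Action": "kms:*", "Resource": "*"}]})

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("--cspmRoleArn", required=True, help="IAM role ARN of the onboarded AWS account")
    parser.add_argument("--apply", action="store_true", help="write changes; without it only report")
    args = parser.parse_args()
    for key_id in update_all_keys(args.cspmRoleArn, dry_run=not args.apply):
        print(("updated " if args.apply else "would update ") + key_id)
```

Run it first without --apply to see which keys would change, then with --apply; the caller needs kms:ListKeys, kms:DescribeKey, kms:GetKeyPolicy and kms:PutKeyPolicy on the keys being updated.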