Automating Public Access Detection for AWS KMS Keys with IAM Access Analyzer API


In this article, we will explore how to utilize the AWS IAM Access Analyzer API to automate the identification of public access to AWS Key Management Service (KMS) keys. This guide will walk you through the process of programmatically engaging with the Access Analyzer API, setting up an analyzer in your AWS account, and executing specific API functions from your code.

The Access Analyzer is a powerful tool that enables you to pinpoint resources within your AWS organization and accounts that may be accessible to external entities. This includes various resources like Amazon Simple Storage Service (Amazon S3) buckets, AWS Identity and Access Management (IAM) roles, AWS KMS keys, AWS Lambda functions, and Amazon Simple Queue Service (Amazon SQS) queues. By leveraging formal reasoning, Access Analyzer evaluates resource-based policies across your AWS environment to flag any resources shared with external principals.

You can activate Access Analyzer through the IAM console and explore findings in an interactive mode. Findings can then be resolved through corrective actions and archived accordingly. Furthermore, Access Analyzer integrates seamlessly with AWS Security Hub, which compiles security findings from numerous AWS services and AWS Partner Network (APN) products including ticketing and incident management systems.

Once enabled for a specific Region, Access Analyzer autonomously detects public access. It’s integrated with Amazon EventBridge, which triggers automatic scans for public access when changes occur to supported resources, such as modifications to an Amazon S3 bucket policy or the issuance of a grant on an AWS KMS key. Findings are published in the Access Analyzer dashboard and each finding generates an EventBridge event, which you can process programmatically via an EventBridge rule.

In certain scenarios, you may wish to interact with Access Analyzer through the API. This might be necessary if you’re integrating a third-party security monitoring system with your account or if you want to create a custom user interface for managing Access Analyzer findings. You may also wish to implement tailored logic or workflows for resource scanning or responding to public access findings.

To demonstrate these capabilities, this article will provide an example focusing on detecting publicly accessible AWS KMS keys using the Access Analyzer API, specifically via the Python boto3 SDK. The code and design patterns presented can be adapted for your own specific needs.

Solution Overview – Serverless Workflow

In this section, we present a serverless solution architecture leveraging fully managed AWS services like Amazon Simple Notification Service (Amazon SNS), AWS Lambda, Amazon EventBridge, and AWS CloudTrail. By employing serverless deployment patterns, you only need to deploy your code, while AWS manages the infrastructure’s operation and durability.

As depicted in the architecture diagram, the workflow consists of several steps:

  1. Supported Resources: Access Analyzer is compatible with six AWS resource types: S3 buckets, IAM roles, AWS KMS keys, Lambda functions, Amazon SQS queues, and AWS Secrets Manager secrets. This post focuses on AWS KMS keys, where Access Analyzer assesses key policies and grants associated with customer master keys (CMKs) to identify any that permit external access.
  2. AWS KMS API Calls via CloudTrail: EventBridge events are integrated with CloudTrail, which records actions performed by users, roles, or AWS services. We will focus on specific AWS KMS API calls that alter access to KMS keys, namely PutKeyPolicy and CreateGrant.
  3. Capture AWS KMS API Calls in an EventBridge Rule: An EventBridge rule is established to monitor the specified AWS KMS API operations. This rule triggers whenever PutKeyPolicy or CreateGrant is invoked by any principal, whether internal or external.
  4. Invoke an AWS Lambda Function: The EventBridge rule activates an AWS Lambda function that accesses the Access Analyzer API to either retrieve an existing analyzer or create a new one and initiates a resource scan for AWS::KMS::Key.
  5. Publish Scan Findings to an EventBridge Bus: If the scan yields findings of external access to AWS KMS keys, the Lambda function publishes these findings to an EventBridge event bus. You can create event-driven workflows using EventBridge, such as sending notifications via Amazon SNS or integrating with AWS Security Hub for response and remediation actions.
  6. Perform Optional Corrective Actions: An additional EventBridge rule can invoke a Lambda function that implements specific corrective actions, such as blocking access to affected AWS KMS keys or revoking key grants.
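Steps 4 and 5 above as one added example (my illustration, not the code from the GitHub repository): a Lambda handler that receives the CloudTrail record for PutKeyPolicy or CreateGrant from EventBridge, reuses or creates an account analyzer, rescans the key and republishes its ACTIVE public findings to an event bus. The analyzer name, event source and bus name are assumptions, and the boto3 clients are passed in as parameters so the flow can be exercised offline with fakes.

```python
import json
import os

ANALYZER_NAME = os.environ.get("ANALYZER_NAME", "kms-public-access-analyzer")  # assumed name
EVENT_BUS = os.environ.get("EVENT_BUS_NAME", "default")  # assumed bus

def key_arn_from_event(detail):
    """Key ARN from the CloudTrail record; PutKeyPolicy and CreateGrant both pass
    requestParameters.keyId, which may be a bare key ID or a full ARN."""
    key_id = detail["requestParameters"]["keyId"]
    if key_id.startswith("arn:"):
        return key_id
    return f"arn:aws:kms:{detail['awsRegion']}:{detail['recipientAccountId']}:key/{key_id}"

def get_or_create_analyzer(aa):
    """Step 4: reuse the account's ACTIVE analyzer or create one."""
    for analyzer in aa.list_analyzers(type="ACCOUNT").get("analyzers", []):
        if analyzer["status"] == "ACTIVE":
            return analyzer["arn"]
    return aa.create_analyzer(analyzerName=ANALYZER_NAME, type="ACCOUNT")["arn"]

def scan_key(aa, analyzer_arn, key_arn):
    """Rescan one key and list its ACTIVE public findings. StartResourceScan is
    asynchronous: in production, poll get_analyzed_resource before trusting the list."""
    aa.start_resource_scan(analyzerArn=analyzer_arn, resourceArn=key_arn)
    resp = aa.list_findings(analyzerArn=analyzer_arn, filter={
        "resource": {"eq": [key_arn]}, "status": {"eq": ["ACTIVE"]},
        "isPublic": {"eq": ["true"]}})
    return resp.get("findings", [])

def publish_findings(events, key_arn, findings):
    """Step 5: one event per finding; PutEvents accepts at most 10 entries per call."""
    fields = ("id", "resource", "principal", "action", "condition")
    entries = [{
        "Source": "custom.kms-access-analyzer",  # assumed source name
        "DetailType": "KMS Key Public Access Finding",
        "EventBusName": EVENT_BUS,
        "Resources": [key_arn],
        "Detail": json.dumps({k: f.get(k) for k in fields}, default=str),
    } for f in findings]
    for i in range(0, len(entries), 10):
        events.put_events(Entries=entries[i:i + 10])
    return entries

def handler(event, context=None, aa=None, events=None):
    """Lambda entry point; clients are injectable so the flow can be tested offline."""
    if aa is None or events is None:
        import boto3  # only needed inside Lambda
        aa, events = aa or boto3.client("accessanalyzer"), events or boto3.client("events")
    key_arn = key_arn_from_event(event["detail"])
    findings = scan_key(aa, get_or_create_analyzer(aa), key_arn)
    return publish_findings(events, key_arn, findings)
```

Because StartResourceScan only queues the rescan, a production handler should wait until get_analyzed_resource reports an analyzedAt later than the triggering API call before it lists findings, otherwise it may republish stale results.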

For a ready-to-use solution, the complete code is available in a GitHub repository as an AWS Serverless Application Model (AWS SAM) application. You can deploy the application using AWS SAM CLI. For deploying the solution using AWS CLI, instructions are available in the README.md of the repository.

The rest of this article walks through a step-by-step implementation that uses the Access Analyzer API to scan AWS KMS key policies and grants for unintended public access. The examples are written in Python 3.8.
