@turbot/aws-kms

The aws-kms mod contains resource, control and policy definitions for the AWS KMS service.

Resource Types

Resource types covered by this mod:

Permissions

The KMS permissions covered by this mod, with the grant level (Metadata, Operator or Admin) associated with each:

Permission                                Grant Level Help
kms:CancelKeyDeletion                     Admin
kms:ConnectCustomKeyStore                 Admin
kms:CreateAlias                           Admin
kms:CreateCustomKeyStore                  Admin
kms:CreateGrant                           Admin       Limited to AWS resource grants only through an explicit deny on the Lockdown group to prevent cross-account grants.
kms:CreateKey                             Admin       Can be used to add policies to keys. Turbot detects and resets any non-default policies added during key creation.
kms:Decrypt                               Operator
kms:DeleteAlias                           Admin
kms:DeleteCustomKeyStore                  Admin
kms:DeleteImportedKeyMaterial             Admin
kms:DescribeCustomKeyStores               Metadata
kms:DescribeKey                           Metadata    Provides metadata about the key only.
kms:DisableKey                            Admin
kms:DisableKeyRotation                    Admin
kms:DisconnectCustomKeyStore              Admin
kms:EnableKey                             Admin
kms:EnableKeyRotation                     Admin
kms:Encrypt                               Operator
kms:GenerateDataKey                       Operator
kms:GenerateDataKeyPair                   Operator
kms:GenerateDataKeyPairWithoutPlaintext   Operator
kms:GenerateDataKeyWithoutPlaintext       Operator
kms:GenerateRandom                        Operator
kms:GetKeyPolicy                          Metadata
kms:GetKeyRotationStatus                  Metadata
kms:GetParametersForImport                Metadata    Only a public key is returned; the import token is not returned.
kms:GetPublicKey                          Metadata
kms:ImportKeyMaterial                     Admin
kms:ListAliases                           Metadata
kms:ListGrants                            Metadata
kms:ListKeyPolicies                       Metadata
kms:ListKeys                              Metadata    Provides metadata about the keys only.
kms:ListResourceTags                      Metadata
kms:ListRetirableGrants                   Metadata
kms:PutKeyPolicy                          Admin       Key policies are reset by a guardrail after creation.
kms:ReEncrypt                             Operator
kms:ReEncryptFrom                         Operator
kms:ReEncryptTo                           Operator
kms:ReplicateKey                          Operator
kms:RetireGrant                           Admin
kms:RevokeGrant                           Admin
kms:ScheduleKeyDeletion                   Admin
kms:Sign                                  Operator
kms:SynchronizeMultiRegionKey             Operator
kms:TagResource                           Operator
kms:UntagResource                         Operator
kms:UpdateAlias                           Admin
kms:UpdateCustomKeyStore                  Admin
kms:UpdateKeyDescription                  Admin
kms:UpdatePrimaryRegion                   Admin
kms:Verify                                Operator
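As an added example (not code from the mod or from Turbot), the script below applies the grant-level table above to an IAM policy document when reviewing what KMS access a role actually confers. It expands IAM action patterns against the listed KMS actions and reports the highest grant level each Allow statement reaches, so a statement that looks like a read-only `kms:*` shortcut is surfaced as Admin. The wildcard matching ('*' and '?', case-insensitive, as IAM applies to action names), the audit functions and the sample policy are constructed for illustration; Deny and NotAction statements are not evaluated.

```python
"""Classify the KMS actions an IAM policy allows by Turbot grant level.

Added example, not part of the @turbot/aws-kms mod. The grant levels come
from the mod's permission table; wildcard expansion and the sample policy
are assumptions constructed for this illustration.
"""
from fnmatch import fnmatchcase
import json

# Grant levels as listed in the permission table (action names without the
# "kms:" prefix, grouped by level).
METADATA = [
    "DescribeCustomKeyStores", "DescribeKey", "GetKeyPolicy", "GetKeyRotationStatus",
    "GetParametersForImport", "GetPublicKey", "ListAliases", "ListGrants",
    "ListKeyPolicies", "ListKeys", "ListResourceTags", "ListRetirableGrants",
]
OPERATOR = [
    "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyPair",
    "GenerateDataKeyPairWithoutPlaintext", "GenerateDataKeyWithoutPlaintext",
    "GenerateRandom", "ReEncrypt", "ReEncryptFrom", "ReEncryptTo", "ReplicateKey",
    "Sign", "SynchronizeMultiRegionKey", "TagResource", "UntagResource", "Verify",
]
ADMIN = [
    "CancelKeyDeletion", "ConnectCustomKeyStore", "CreateAlias", "CreateCustomKeyStore",
    "CreateGrant", "CreateKey", "DeleteAlias", "DeleteCustomKeyStore",
    "DeleteImportedKeyMaterial", "DisableKey", "DisableKeyRotation",
    "DisconnectCustomKeyStore", "EnableKey", "EnableKeyRotation", "ImportKeyMaterial",
    "PutKeyPolicy", "RetireGrant", "RevokeGrant", "ScheduleKeyDeletion", "UpdateAlias",
    "UpdateCustomKeyStore", "UpdateKeyDescription", "UpdatePrimaryRegion",
]

GRANT_LEVEL = {}
for _level, _actions in (("Metadata", METADATA), ("Operator", OPERATOR), ("Admin", ADMIN)):
    for _action in _actions:
        GRANT_LEVEL["kms:" + _action] = _level

# Ordering used to pick the "highest" level a statement confers.
RANK = {"Metadata": 1, "Operator": 2, "Admin": 3}


def expand_action(pattern):
    """Return the known KMS actions an IAM action pattern matches.

    IAM compares action names case-insensitively and supports '*' and '?'
    wildcards; lowercasing both sides before fnmatchcase gives that behaviour.
    Actions outside the table (other services) are simply not matched.
    """
    return sorted(a for a in GRANT_LEVEL if fnmatchcase(a.lower(), pattern.lower()))


def statement_grant_level(statement):
    """Highest grant level one Allow statement confers, plus the matched actions.

    Deny statements and statements with no KMS actions return (None, []).
    NotAction is deliberately not evaluated here (assumption: out of scope).
    """
    if statement.get("Effect") != "Allow":
        return None, []
    actions = statement.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    matched = set()
    for pattern in actions:
        matched.update(expand_action(pattern))
    if not matched:
        return None, []
    top = max(matched, key=lambda a: RANK[GRANT_LEVEL[a]])
    return GRANT_LEVEL[top], sorted(matched)


def audit_policy(policy):
    """Summarise the per-statement and overall highest KMS grant level."""
    results, overall = [], None
    for index, stmt in enumerate(policy.get("Statement", [])):
        level, matched = statement_grant_level(stmt)
        results.append({"index": index, "sid": stmt.get("Sid"), "level": level, "actions": matched})
        if level and (overall is None or RANK[level] > RANK[overall]):
            overall = level
    return {"overall": overall, "statements": results}


# Constructed sample policy: a data-plane statement, a read-only statement,
# a wildcard statement that silently reaches Admin, and a Deny that is ignored.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "UseKeys", "Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["kms:Describe*", "kms:List*", "kms:Get*"], "Resource": "*"},
        {"Sid": "FullAdmin", "Effect": "Allow", "Action": "kms:*", "Resource": "*"},
        {"Sid": "NoGrants", "Effect": "Deny", "Action": "kms:CreateGrant", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

Running the block prints the audit of the sample policy: the `UseKeys` statement resolves to Operator, `ReadOnly` to Metadata, and the `kms:*` statement to Admin, which is the overall result.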


Version
5.16.1
Released On
Sep 07, 2023
Release Notes

5.16.1 (2023-09-07)

Bug fixes

  • A few policy values would sometimes fail to evaluate correctly if the mod was installed on TE v5.42.1. We've fixed this issue and such policy values will now be evaluated correctly.

5.16.0 (2023-05-31)

What's new?

  • Resource metadata will now also include createdBy details in the Turbot CMDB.

5.15.2 (2022-09-28)

Bug fixes

  • The AWS > KMS > Key > Rotation control would incorrectly remain in an alarm state when key rotation was enforced on multi-region replica keys. This is fixed and the control will now move to a skipped state for such keys.

5.15.1 (2022-07-13)

Bug fixes

  • The lambda functions for certain controls/actions would re-run unnecessarily whenever the mod version was updated. This has now been fixed.

5.15.0 (2022-07-12)

What's new?

  • Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.

Action Types

Added

  • AWS > KMS > Key > Delete from AWS
  • AWS > KMS > Key > Set Tags
  • AWS > KMS > Key > Skip alarm for Active control
  • AWS > KMS > Key > Skip alarm for Active control [90 days]
  • AWS > KMS > Key > Skip alarm for Approved control
  • AWS > KMS > Key > Skip alarm for Approved control [90 days]
  • AWS > KMS > Key > Skip alarm for Tags control
  • AWS > KMS > Key > Skip alarm for Tags control [90 days]

5.14.0 (2022-04-25)

What's new?

  • README.md file is now available for users to check details about the resource types and service permissions that the mod covers.

Bug fixes

  • Lambda functions for controls/actions would sometimes error out due to Turbot adding the user agent field incorrectly for repeated lambda runs. This is now fixed.

5.13.0 (2022-03-16)

What's new?

  • The AWS > KMS > Key > CMDB control would go into an error state if Turbot did not have permissions to describe a Key. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > KMS > Key > CMDB policy to Enforce: Enabled but ignore permission errors. Please note that for such cases, any Key control dependent on the CMDB data will be set to a skipped state if the attributes required to evaluate the control are not available in the CMDB.

Bug fixes

  • We've improved the process of deleting resources from Turbot if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Turbot's IAM role while deleting resources from Turbot. This will allow the CMDB controls to process resource deletions from Turbot more reliably than before.

5.12.0 (2022-01-19)

What's new?

  • Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks are part of the evaluation of the Approved control. Custom messages can also be added, which are then displayed in the control details table. See Custom Checks for more information.

Policy Types

Added

  • AWS > KMS > Key > Approved > Custom

5.11.0 (2022-01-06)

What's new?

  • AWS/KMS/Admin, AWS/KMS/Metadata and AWS/KMS/Operator now include permissions for Custom Key Store and Data Key Pair operations.

5.10.0 (2021-07-28)

What's new?

  • The AWS > Turbot > Encryption > Terraform Version policy will now be set to 0.15.* by default for workspaces on TE v5.37.7 or higher. For workspaces on TE versions lower than 5.37.7, the policy will remain set to 0.11.* by default.

5.9.0 (2021-07-09)

What's new?

  • We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

Bug fixes

  • Keys deleted after their scheduled deletion period were not cleaned up automatically in Turbot. This is now fixed.
  • The AWS > KMS > Key > Rotation control will now be skipped for keys in PendingDeletion state.

5.8.1 (2021-05-13)

Bug fixes

  • We've updated the EventBridge rule for KMS to filter out a few real-time events like kms:CreateGrant and kms:RetireGrant to reduce unnecessary noise caused by the processing of such events in Turbot.

Policy Types

Renamed

  • AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > KMS to AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-kms

5.8.0 (2021-02-26)

What's new?

  • Users now can manage key policy statements via the AWS > KMS > Key > Policy Statements > Approved control. To get started, set the AWS > KMS > Key > Policy Statements > Approved policy and add OCL rules to the AWS > KMS > Key > Policy Statements > Approved > Rules policy to identify approved and rejected key policy statements.

Control Types

Added

  • AWS > KMS > Key > Policy Statements
  • AWS > KMS > Key > Policy Statements > Approved

Policy Types

Added

  • AWS > KMS > Key > Policy Statements
  • AWS > KMS > Key > Policy Statements > Approved
  • AWS > KMS > Key > Policy Statements > Approved > Rules

Action Types

Added

  • AWS > KMS > Key > Update Key Policy Statements

5.7.0 (2021-02-22)

What's new?

  • We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls was in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.6.1 (2020-12-21)

Bug fixes

  • Controls run faster now when in the tbd and skipped states thanks to the new Turbot Precheck feature (not to be confused with TSA PreCheck). With Turbot Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.
  • The AWS > KMS > Key > CMDB control would go into an error state showing UnsupportedOperationException for external symmetric AWS customer managed keys in Pending import state. This is now fixed.

5.6.0 (2020-12-10)

Bug fixes

  • The AWS > Turbot > Encryption stack control failed to create Turbot managed keys in AWS GovCloud regions. This issue has now been fixed.

Policy Types

Added

  • AWS > KMS > Key > Approved > Customer Master Key Spec

5.5.1 (2020-10-12)

Bug fixes

  • The AWS > KMS > Key > Rotation control would go into an error state due to a mishandled code snippet. This is now fixed and the AWS > KMS > Key > Rotation control should work smoothly.

5.5.0 (2020-10-09)

What's new?

  • We've made improvements to how Active controls interact with CMDB policies and controls for more reliable active checks. Now, if a resource's CMDB policy is set to Skip, its Active control will move to invalid to prevent the Active control from making a decision based on outdated information. Also, Active controls will now wait until the resource's CMDB control has run at least once to ensure the required data is available.

5.4.0 (2020-09-04)

What's new?

  • We've renamed the service's default regions policy from Regions [Default] to Regions to be consistent with our other regions policies.

Bug fixes

  • Policy field for key resources is now properly and consistently sorted.

Policy Types

Renamed

  • AWS > KMS > Regions [Default] to AWS > KMS > Regions

5.3.0 (2020-08-13)

Bug fixes

  • In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.

Policy Types

Added

  • AWS > Turbot > Encryption > Terraform Version

5.2.4 (2020-07-07)

Bug fixes

  • Sometimes when updating CMDB for resources with tags that have empty string values, e.g., [{Key: "Empty", Value: ""}, {Key: "Turbot is great", Value: "true"}], we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.

5.2.3 (2020-06-04)

Bug fixes

  • In 5.2.0, the key's KeyArn property was accidentally removed, which broke various Encryption at Rest controls in other AWS mods, as they relied on this property to check if the correct key was being used. This property has been added back and Encryption at Rest controls now work again with KMS keys.

5.2.2 (2020-05-29)

Policy Types

Renamed

  • AWS > KMS > Key > Configured > Precedence to AWS > KMS > Key > Configured > Claim Precedence

5.2.1 (2020-05-14)

Bug fixes

  • The AWS > KMS > Key > CMDB control was not properly handling access denied errors when checking the key rotation status and tags for AWS managed keys that block these actions. This has been fixed.

5.2.0 (2020-05-07)

What's new?

  • Updated AWS > KMS > Regions policy default value to now include af-south-1.

Bug fixes

  • The AWS > KMS > Key > Discovery control was not finding all AWS managed keys, e.g., aws/s3, so these keys were not being created in CMDB. This has been fixed and all keys are now accounted for.

Resource Types

Added

  • AWS > KMS > Alias

Control Types

Added

  • AWS > KMS > Alias > Configured
  • AWS > Turbot > Encryption
  • AWS > Turbot > Encryption > KMS

Policy Types

Added

  • AWS > KMS > Alias > Configured
  • AWS > KMS > Alias > Configured > Precedence
  • AWS > KMS > Alias > Configured > Source
  • AWS > KMS > Key > Active > Budget
  • AWS > KMS > Key > Approved > Budget
  • AWS > KMS > Tags Template [Default]
  • AWS > Turbot > Encryption
  • AWS > Turbot > Encryption > KMS
  • AWS > Turbot > Encryption > KMS > Key
  • AWS > Turbot > Encryption > KMS > Key > Alias Name Prefix
  • AWS > Turbot > Encryption > Source

Renamed

  • AWS > KMS > Key > Default Customer Managed Key to AWS > Region > KMS Key [Default]