
Configure vault copy at AWS (cross account) with KMS


With the increasing use of encryption across all components, configuring security and access between accounts becomes harder, especially when you need to increase resilience and harden against ransomware. One of the most used protection features is the ‘vault copy’, which centralizes backups and snapshots in a dedicated account within your organization. The mechanism is simple: back up a component and copy it to a dedicated storage account that only authorized people can access, reducing the attack surface and avoiding the spread of access and credentials.

When the component is not encrypted with a KMS key, setting up the workflow is relatively straightforward. But when KMS is involved (whether on an encrypted EC2 disk or on an RDS instance) some non-trivial security configuration steps need to be performed.

  1. If the component is encrypted with the AWS-managed default KMS key, AWS does not support copying it across accounts. You need to create a customer managed KMS key and encrypt the component with it before making the vault copy. If the component has already been encrypted with the default KMS key, it will be necessary to migrate it and recreate it with the new key.
  2. The ‘target’ account needs to have the following permissions:

     "ec2:CopyImage",
     "rds:CopyDBSnapshot",
     "rds:CopyDBClusterSnapshot"

     And the ‘origin’ account:

     "ec2:ModifyImageAttribute",
     "ec2:ModifySnapshotAttribute",
     "rds:ModifyDBSnapshotAttribute",
     "rds:ModifyDBClusterSnapshotAttribute"

  3. ‘Source’ account: give the destination account permission on the KMS key that encrypts the components.

https://us-east-1.console.aws.amazon.com/kms/home

  • select the KMS key in “Customer Managed Keys”
  • in “Key Users” add the user or role of this origin account that is registered in Cloud8
  • in “Other AWS accounts” add the target account ID

With this configuration, the “Destination” account can use this KMS from the “Origin” and delegate permissions to its users and roles.

  4. In the “Destination” account, make sure that the user/role that is registered with Cloud8 can use this KMS key.

  • select the KMS key in “Customer Managed Keys”
  • in “Key Users” add the user or role of this target account that is registered in Cloud8

With this configuration, the “Destination” account can use the KMS key that belongs to the same “Destination” account.

  5. In the “Destination” account, within IAM, create an Inline Policy and associate it with the user/role that is configured in Cloud8.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUseOfTheKey",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:_____IDORIGIN_____:key/KEYID"
            ]
        },
        {
            "Sid": "AllowAttachmentOfPersistentResources",
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:_____IDORIGIN_____:key/KEYID"
            ],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}

With this configuration, the destination account can use the “Source” key to decrypt/encrypt the copy.
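The following preflight check is an added example, not Cloud8's own code. It covers the failure modes of steps 1, 3 and 5 above: it reports whether a key is an AWS-managed key (which cannot be shared), and it parses a KMS key policy to list which of the actions the copy needs are still not allowed for the destination account. The account IDs 111111111111 (source) and 222222222222 (destination) and the sample policy are constructed placeholders.

```python
"""Preflight check for the cross-account vault-copy KMS setup described above.
Added example, not Cloud8's own code; account IDs are constructed placeholders."""
import fnmatch
import json

# Actions the destination account needs on the source key (steps 3 and 5).
REQUIRED = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
            "kms:GenerateDataKey", "kms:DescribeKey",
            "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _names_account(stmt, account_id):
    """True if the statement's Principal covers the given AWS account."""
    principal = stmt.get("Principal", {})
    aws = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
    return any(p in ("*", account_id, f"arn:aws:iam::{account_id}:root") for p in aws)

def key_can_be_shared(key_metadata):
    """Step 1: only customer managed keys can be shared; key_metadata is DescribeKey output."""
    return key_metadata.get("KeyManager") == "CUSTOMER"

def missing_actions(key_policy, dest_account):
    """Required actions the key policy does not allow the destination account.
    Conditions are not evaluated; an explicit Deny overrides any Allow."""
    policy = json.loads(key_policy) if isinstance(key_policy, str) else key_policy
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        if not _names_account(stmt, dest_account):
            continue
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):  # IAM matching is case-insensitive
            bucket.update(a for a in REQUIRED
                          if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(REQUIRED - (allowed - denied))

# Constructed sample: the "use" statement was added for the destination account,
# but the grant statement (EBS/RDS create grants during the copy) was forgotten.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "kms:*"},
    {"Sid": "Allow use of the key", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]}]}

if __name__ == "__main__":
    print(missing_actions(SAMPLE_POLICY, "222222222222"))  # grant actions still missing
```

Run it against the real key policy (`aws kms get-key-policy --policy-name default`) before the first copy; an empty list means steps 3 and 5 are complete for that account.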