security_monkey
security_monkey copied to clipboard
Netflix
Security Monkey try's to scan AWS Managed KMS Keys, gets Access Denied
Please make sure that you have checked the boxes:
- [x] Pease review the Troubleshooting doc for additional details regarding your issue.
- [x] Review the Quickstart guide
- [x] Search for both open and closed issues regarding the problem you are experiencing
- [x] For permissions issues (Access Denied and credential related errors), please refer to the requisite docs before submitting an issue: AWS, GCP, OpenStack, GitHub
Description of issue:
I am seeing access denied errors in our Cloud Train logs when Security Monkey runs its scans. It is attempting to scan the AWS KMS key for ACM and is causing these alerts. I have IAM roles setup that give access to all KMS keys for scanning, however since this is an AWS Managed key you cannot configure key rotation on it.
It looks like this issue was covered before in #721 , however I am still seeing security monkey making API calls on the AWS managed KMS keys.
Log from CloudTrail:
Note: the key arn:aws:kms:us-east-1:xxxxx:key/xxxxx-cb29-48f1-ac9d-21bf05a1feca is aliased as aws/acm in our account.
{
"eventVersion": "1.05",
"userIdentity": {
"type": "AssumedRole",
"principalId": "xxxxx:secmonkey",
"arn": "arn:aws:sts::xxxxx:assumed-role/SecurityMonkey/secmonkey",
"accountId": "xxxxx",
"accessKeyId": "xxxxx",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2019-06-03T18:43:55Z"
},
"sessionIssuer": {
"type": "Role",
"principalId": "xxxxx",
"arn": "arn:aws:iam::xxxxx:role/SecurityMonkey",
"accountId": "xxxxx",
"userName": "SecurityMonkey"
}
}
},
"eventTime": "2019-06-03T18:44:07Z",
"eventSource": "kms.amazonaws.com",
"eventName": "GetKeyRotationStatus",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.0.4.188",
"userAgent": "Boto3/1.9.132 Python/2.7.12 Linux/4.15.0-1039-aws Botocore/1.12.132",
"errorCode": "AccessDenied",
"errorMessage": "User: arn:aws:sts::xxxxx:assumed-role/SecurityMonkey/secmonkey is not authorized to perform: kms:GetKeyRotationStatus on resource: arn:aws:kms:us-east-1:xxxxx:key/xxxxx-cb29-48f1-ac9d-21bf05a1feca",
"requestParameters": null,
"responseElements": null,
"requestID": "xxxxx-dbee-41bb-9eeb-xxxxx",
"eventID": "xxxxx-9a04-47bb-9339-xxxxx",
"eventType": "AwsApiCall",
"recipientAccountId": "xxxxx",
"vpcEndpointId": "vpce-xxxxx"
},
And here is our IAM policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"iam:ListRoleTags",
"cloudtrail:GetTrailStatus",
"lambda:GetFunctionConfiguration",
"ec2:DescribeSnapshots",
"iam:ListSigningCertificates",
"ses:GetEmailIdentity",
"ses:SendEmail",
"ec2:DescribeVolumes",
"config:DescribeConfigRules",
"ec2:DescribeKeyPairs",
"iam:ListRolePolicies",
"ses:ListDeliverabilityTestReports",
"iam:ListPolicies",
"iam:GetRole",
"sns:ListSubscriptionsByTopic",
"lambda:ListFunctions",
"s3:GetBucketWebsite",
"iam:ListSAMLProviders",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeSnapshotAttribute",
"lambda:ListAliases",
"iam:ListEntitiesForPolicy",
"s3:GetBucketNotification",
"cloudtrail:DescribeTrails",
"s3:GetReplicationConfiguration",
"directconnect:DescribeConnections",
"config:DescribeConfigurationRecorders",
"elasticloadbalancing:DescribeAccountLimits",
"ec2:DescribeImageAttribute",
"ses:ListVerifiedEmailAddresses",
"ec2:DescribeSubnets",
"ses:GetDeliverabilityTestReport",
"glacier:ListVaults",
"iam:GetRolePolicy",
"s3:GetLifecycleConfiguration",
"s3:GetBucketTagging",
"s3:GetInventoryConfiguration",
"glacier:DescribeVault",
"ec2:DescribeRegions",
"ec2:DescribeFlowLogs",
"sns:ListTopics",
"s3:ListBucket",
"route53domains:GetDomainDetail",
"ec2:DescribeVpcAttribute",
"ses:ListDedicatedIpPools",
"ses:ListEmailIdentities",
"iam:ListInstanceProfilesForRole",
"route53domains:ListDomains",
"lambda:ListTags",
"rds:DescribeDBInstances",
"ses:GetConfigurationSet",
"elasticloadbalancing:DescribeListenerCertificates",
"iam:ListAttachedGroupPolicies",
"ses:ListIdentities",
"iam:ListAccessKeys",
"sns:GetTopicAttributes",
"iam:ListGroupPolicies",
"route53:ListHostedZones",
"iam:ListRoles",
"es:DescribeElasticsearchDomainConfig",
"s3:GetBucketVersioning",
"rds:DescribeDBSnapshotAttributes",
"ec2:DescribeSecurityGroups",
"es:ListDomainNames",
"s3:ListAllMyBuckets",
"ec2:DescribeVpcs",
"kms:ListAliases",
"s3:GetBucketCORS",
"elasticloadbalancing:DescribeTargetGroups",
"iam:ListGroups",
"iam:GetUser",
"iam:GetLoginProfile",
"iam:GetPolicyVersion",
"glacier:GetVaultAccessPolicy",
"iam:ListServerCertificates",
"elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
"ec2:DescribeInternetGateways",
"kms:DescribeCustomKeyStores",
"elasticloadbalancing:DescribeLoadBalancers",
"iam:ListAttachedRolePolicies",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"route53:ListResourceRecordSets",
"elasticloadbalancing:DescribeInstanceHealth",
"ec2:DescribeNetworkAcls",
"ec2:DescribeRouteTables",
"ses:GetDedicatedIps",
"iam:GetServerCertificate",
"rds:DescribeDBSnapshots",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpcPeeringConnections",
"glacier:ListTagsForVault",
"iam:GetAccessKeyLastUsed",
"ses:GetIdentityVerificationAttributes",
"sqs:GetQueueAttributes",
"rds:DescribeDBSecurityGroups",
"ses:GetConfigurationSetEventDestinations",
"ec2:DescribeVpcClassicLink",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"ses:GetAccount",
"ses:GetBlacklistReports",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"acm:DescribeCertificate",
"iam:GetUserPolicy",
"lambda:ListEventSourceMappings",
"s3:GetAnalyticsConfiguration",
"elasticloadbalancing:DescribeRules",
"ec2:DescribeVpcEndpoints",
"iam:GetGroupPolicy",
"ec2:DescribeVpnGateways",
"ses:GetDeliverabilityDashboardOptions",
"ec2:DescribeAddresses",
"lambda:ListVersionsByFunction",
"rds:DescribeDBSubnetGroups",
"s3:GetBucketLogging",
"ec2:DescribeDhcpOptions",
"s3:GetAccelerateConfiguration",
"sqs:ListQueueTags",
"iam:ListMFADevices",
"ses:ListTagsForResource",
"s3:GetBucketPolicy",
"iam:GetGroup",
"ses:ListConfigurationSets",
"elasticloadbalancing:DescribeListeners",
"ec2:DescribeNetworkInterfaces",
"iam:ListAttachedUserPolicies",
"acm:ListCertificates",
"s3:GetMetricsConfiguration",
"elasticloadbalancing:DescribeSSLPolicies",
"sqs:ListQueues",
"elasticloadbalancing:DescribeTags",
"ec2:DescribeTags",
"ec2:DescribeNatGateways",
"iam:ListUserPolicies",
"s3:GetBucketAcl",
"ec2:DescribeImages",
"kms:ListKeys",
"sqs:ListDeadLetterSourceQueues",
"ses:GetDedicatedIp",
"rds:DescribeDBClusterSnapshots",
"elasticloadbalancing:DescribeTargetHealth",
"redshift:DescribeClusters",
"iam:ListUsers",
"ses:GetDomainStatisticsReport",
"s3:GetBucketLocation",
"lambda:GetPolicy",
"rds:DescribeDBClusters"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"kms:GetParametersForImport",
"kms:ListKeyPolicies",
"kms:GetKeyRotationStatus",
"kms:ListRetirableGrants",
"kms:GetKeyPolicy",
"kms:DescribeKey",
"kms:ListResourceTags",
"kms:ListGrants"
],
"Resource": "arn:aws:kms:*:*:key/*"
}
]
}
Sorry -- just noticed this.
I wonder if this line of code: if alias.startswith('alias/aws/'): isn't being hit by the watcher.
