mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-01-13 21:36:23 -08:00
Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/
@@ -2,128 +2,125 @@

{{#include ../../../banners/hacktricks-training.md}}

## KMS - Key Management Service
## KMS - Sleutelbestuurdiens

AWS Key Management Service (AWS KMS) is presented as a managed service, simplifying the process for users to **create and manage customer master keys** (CMKs). These CMKs are integral in the encryption of user data. A notable feature of AWS KMS is that CMKs are predominantly **secured by hardware security modules** (HSMs), enhancing the protection of the encryption keys.
AWS Sleutelbestuurdiens (AWS KMS) word aangebied as 'n bestuurde diens, wat die proses vir gebruikers vereenvoudig om **klant meester sleutels** (CMKs) te **skep en te bestuur**. Hierdie CMKs is integraal in die versleuteling van gebruikersdata. 'n Opmerkelijke kenmerk van AWS KMS is dat CMKs hoofsaaklik **beveilig word deur hardeware sekuriteitsmodules** (HSMs), wat die beskerming van die versleuteling sleutels verbeter.

KMS uses **symmetric cryptography**. This is used to **encrypt information as rest** (for example, inside a S3). If you need to **encrypt information in transit** you need to use something like **TLS**.
KMS gebruik **simmetriese kriptografie**. Dit word gebruik om **inligting in rus te versleutelen** (byvoorbeeld, binne 'n S3). As jy **inligting in oordrag wil versleutelen**, moet jy iets soos **TLS** gebruik.

KMS is a **region specific service**.
KMS is 'n **streekspesifieke diens**.

**Administrators at Amazon do not have access to your keys**. They cannot recover your keys and they do not help you with encryption of your keys. AWS simply administers the operating system and the underlying application it's up to us to administer our encryption keys and administer how those keys are used.
**Administrateurs by Amazon het nie toegang tot jou sleutels nie**. Hulle kan nie jou sleutels herstel nie en hulle help jou nie met die versleuteling van jou sleutels nie. AWS bestuur eenvoudig die bedryfstelsel en die onderliggende toepassing; dit is aan ons om ons versleuteling sleutels te bestuur en te bestuur hoe daardie sleutels gebruik word.

**Customer Master Keys** (CMK): Can encrypt data up to 4KB in size. They are typically used to create, encrypt, and decrypt the DEKs (Data Encryption Keys). Then the DEKs are used to encrypt the data.
**Klant Meester Sleutels** (CMK): Kan data tot 4KB in grootte versleutelen. Hulle word tipies gebruik om die DEKs (Data Versleuteling Sleutels) te skep, versleutelen en ontsleutelen. Dan word die DEKs gebruik om die data te versleutelen.

A customer master key (CMK) is a logical representation of a master key in AWS KMS. In addition to the master key's identifiers and other metadata, including its creation date, description, and key state, a **CMK contains the key material which used to encrypt and decrypt data**. When you create a CMK, by default, AWS KMS generates the key material for that CMK. However, you can choose to create a CMK without key material and then import your own key material into that CMK.
'n Klant meester sleutel (CMK) is 'n logiese voorstelling van 'n meester sleutel in AWS KMS. Benewens die meester sleutel se identifiseerders en ander metadata, insluitend sy skeppingsdatum, beskrywing en sleuteltoestand, **bevat 'n CMK die sleutelmateriaal wat gebruik word om data te versleutelen en ontsleutelen**. Wanneer jy 'n CMK skep, genereer AWS KMS standaard die sleutelmateriaal vir daardie CMK. Jy kan egter kies om 'n CMK sonder sleutelmateriaal te skep en dan jou eie sleutelmateriaal in daardie CMK te invoer.

There are 2 types of master keys:
Daar is 2 tipes meester sleutels:

- **AWS managed CMKs: Used by other services to encrypt data**. It's used by the service that created it in a region. They are created the first time you implement the encryption in that service. Rotates every 3 years and it's not possible to change it.
- **Customer manager CMKs**: Flexibility, rotation, configurable access and key policy. Enable and disable keys.
- **AWS bestuurde CMKs: Gebruik deur ander dienste om data te versleutelen**. Dit word gebruik deur die diens wat dit in 'n streek geskep het. Hulle word geskep die eerste keer wat jy die versleuteling in daardie diens implementeer. Dit draai elke 3 jaar en dit is nie moontlik om dit te verander nie.
- **Klant bestuurder CMKs**: Buigsaamheid, rotasie, konfigureerbare toegang en sleutelbeleid. Aktiveer en deaktiveer sleutels.

**Envelope Encryption** in the context of Key Management Service (KMS): Two-tier hierarchy system to **encrypt data with data key and then encrypt data key with master key**.
**Envelope Versleuteling** in die konteks van Sleutelbestuurdiens (KMS): Twee-laag hiërargie stelsel om **data met data sleutel te versleutelen en dan data sleutel met meester sleutel te versleutelen**.

### Key Policies
### Sleutelbeleide

These defines **who can use and access a key in KMS**.
Hierdie definieer **wie 'n sleutel in KMS kan gebruik en toegang hê**.

By **default:**
Deur **standaard:**

- It gives the **IAM of the** **AWS account that owns the KMS key access** to manage the access to the KMS key via IAM.
- Dit gee die **IAM van die** **AWS rekening wat die KMS sleutel besit toegang** om die toegang tot die KMS sleutel via IAM te bestuur.

Unlike other AWS resource policies, a AWS **KMS key policy does not automatically give permission any of the principals of the account**. To give permission to account administrators, the **key policy must include an explicit statement** that provides this permission, like this one.
In teenstelling met ander AWS hulpbronbeleide, 'n AWS **KMS sleutelbeleid gee nie outomaties toestemming aan enige van die principals van die rekening nie**. Om toestemming aan rekening administrateurs te gee, moet die **sleutelbeleid 'n eksplisiete verklaring insluit** wat hierdie toestemming bied, soos hierdie een.

- Without allowing the account(`"AWS": "arn:aws:iam::111122223333:root"`) IAM permissions won't work.
- Sonder om die rekening toe te laat (`"AWS": "arn:aws:iam::111122223333:root"`) sal IAM toestemmings nie werk nie.

- It **allows the account to use IAM policies** to allow access to the KMS key, in addition to the key policy.
- Dit **laat die rekening toe om IAM beleide te gebruik** om toegang tot die KMS sleutel toe te laat, benewens die sleutelbeleid.

**Without this permission, IAM policies that allow access to the key are ineffective**, although IAM policies that deny access to the key are still effective.
**Sonder hierdie toestemming is IAM beleide wat toegang tot die sleutel toelaat, ondoeltreffend**, alhoewel IAM beleide wat toegang tot die sleutel ontken steeds doeltreffend is.

- It **reduces the risk of the key becoming unmanageable** by giving access control permission to the account administrators, including the account root user, which cannot be deleted.

**Default policy** example:

- Dit **verlaag die risiko dat die sleutel onbestuurbaar word** deur toegangbeheer toestemming aan die rekening administrateurs te gee, insluitend die rekening wortel gebruiker, wat nie verwyder kan word nie.

**Standaard beleid** voorbeeld:
```json
{
"Sid": "Enable IAM policies",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "kms:*",
"Resource": "*"
"Sid": "Enable IAM policies",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "kms:*",
"Resource": "*"
}
```

> [!WARNING]
> If the **account is allowed** (`"arn:aws:iam::111122223333:root"`) a **principal** from the account **will still need IAM permissions** to use the KMS key. However, if the **ARN** of a role for example is **specifically allowed** in the **Key Policy**, that role **doesn't need IAM permissions**.
> As die **rekening toegelaat is** (`"arn:aws:iam::111122223333:root"`) sal 'n **hoofpersoon** van die rekening **nog steeds IAM-toestemmings nodig hê** om die KMS-sleutel te gebruik. As die **ARN** van 'n rol byvoorbeeld **spesifiek toegelaat is** in die **Sleutelbeleid**, het daardie rol **nie IAM-toestemmings nodig nie**.

<details>

<summary>Policy Details</summary>
<summary>Beleid Besonderhede</summary>

Properties of a policy:
Eienskappe van 'n beleid:

- JSON based document
- Resource --> Affected resources (can be "\*")
- Action --> kms:Encrypt, kms:Decrypt, kms:CreateGrant ... (permissions)
- Effect --> Allow/Deny
- Principal --> arn affected
- Conditions (optional) --> Condition to give the permissions
- JSON-gebaseerde dokument
- Hulpbron --> Aangetaste hulpbronne (kan wees "\*")
- Aksie --> kms:Encrypt, kms:Decrypt, kms:CreateGrant ... (toestemmings)
- Effek --> Toelaat/Weier
- Hoofpersoon --> arn aangetaste
- Voorwaardes (opsioneel) --> Voorwaarde om die toestemmings te gee

Grants:
Toekennings:

- Allow to delegate your permissions to another AWS principal within your AWS account. You need to create them using the AWS KMS APIs. It can be indicated the CMK identifier, the grantee principal and the required level of opoeration (Decrypt, Encrypt, GenerateDataKey...)
- After the grant is created a GrantToken and a GratID are issued
- Laat toe om jou toestemmings aan 'n ander AWS-hoofpersoon binne jou AWS-rekening te delegeer. Jy moet dit skep met die AWS KMS API's. Dit kan die CMK-identifiseerder, die toekenningshoofpersoon en die vereiste vlak van operasie (Decrypt, Encrypt, GenerateDataKey...) aangedui word.
- Nadat die toekenning geskep is, word 'n GrantToken en 'n GrantID uitgereik.

**Access**:
**Toegang**:

- Via **key policy** -- If this exist, this takes **precedent** over the IAM policy
- Via **IAM policy**
- Via **grants**
- Via **sleutelbeleid** -- As dit bestaan, het dit **prioriteit** bo die IAM-beleid
- Via **IAM-beleid**
- Via **toekennings**

</details>

### Key Administrators
### Sleutel Administrators

Key administrator by default:
Sleuteladministrateur per standaard:

- Have access to manage KMS but not to encrypt or decrypt data
- Only IAM users and roles can be added to Key Administrators list (not groups)
- If external CMK is used, Key Administrators have the permission to import key material
- Het toegang om KMS te bestuur, maar nie om data te enkripteer of te dekripteer nie
- Slegs IAM-gebruikers en rolle kan by die Sleuteladministratorslys gevoeg word (nie groepe nie)
- As 'n eksterne CMK gebruik word, het Sleuteladministrators die toestemming om sleutelmateriaal te invoer

### Rotation of CMKs
### Rotasie van CMK's

- The longer the same key is left in place, the more data is encrypted with that key, and if that key is breached, then the wider the blast area of data is at risk. In addition to this, the longer the key is active, the probability of it being breached increases.
- **KMS rotate customer keys every 365 days** (or you can perform the process manually whenever you want) and **keys managed by AWS every 3 years** and this time it cannot be changed.
- **Older keys are retained** to decrypt data that was encrypted prior to the rotation
- In a break, rotating the key won't remove the threat as it will be possible to decrypt all the data encrypted with the compromised key. However, the **new data will be encrypted with the new key**.
- If **CMK** is in state of **disabled** or **pending** **deletion**, KMS will **not perform a key rotation** until the CMK is re-enabled or deletion is cancelled.
- Hoe langer dieselfde sleutel in plek gelaat word, hoe meer data word met daardie sleutel geënkripteer, en as daardie sleutel gecompromitteer word, is die blast area van data wyer in gevaar. Benewens dit, hoe langer die sleutel aktief is, hoe groter is die waarskynlikheid dat dit gecompromitteer sal word.
- **KMS roteer kliëntsleutels elke 365 dae** (of jy kan die proses handmatig uitvoer wanneer jy wil) en **sleutels bestuur deur AWS elke 3 jaar** en hierdie tyd kan nie verander word nie.
- **Ou sleutels word behou** om data te dekripteer wat voor die rotasie geënkripteer is.
- In 'n breek, sal die rotasie van die sleutel nie die bedreiging verwyder nie, aangesien dit moontlik sal wees om al die data wat met die gecompromitteerde sleutel geënkripteer is, te dekripteer. Tog, die **nuwe data sal geënkripteer word met die nuwe sleutel**.
- As **CMK** in 'n toestand van **gedeaktiveer** of **hangende** **verwydering** is, sal KMS **nie 'n sleutelrotasie uitvoer nie** totdat die CMK heraktiveer of die verwydering gekanselleer word.

#### Manual rotation
#### Handmatige rotasie

- A **new CMK needs to be created**, then, a new CMK-ID is created, so you will need to **update** any **application** to **reference** the new CMK-ID.
- To do this process easier you can **use aliases to refer to a key-id** and then just update the key the alias is referring to.
- You need to **keep old keys to decrypt old files** encrypted with it.
- 'n **Nuwe CMK moet geskep word**, dan, 'n nuwe CMK-ID word geskep, so jy sal **moet opdateer** enige **aansoek** om die nuwe CMK-ID te **verwys**.
- Om hierdie proses makliker te maak, kan jy **aliases gebruik om na 'n sleutel-id te verwys** en dan net die sleutel wat die alias verwys, opdateer.
- Jy moet **ou sleutels hou om ou lêers te dekripteer** wat daarmee geënkripteer is.

You can import keys from your on-premises key infrastructure .
Jy kan sleutels van jou plaaslike sleutel-infrastruktuur invoer.

### Other relevant KMS information
### Ander relevante KMS-inligting

KMS is priced per number of encryption/decryption requests received from all services per month.
KMS word geprys per aantal enkripsie/dekripsie versoeke wat van alle dienste per maand ontvang word.

KMS has full audit and compliance **integration with CloudTrail**; this is where you can audit all changes performed on KMS.
KMS het volle oudit en nakoming **integrasie met CloudTrail**; dit is waar jy al die veranderinge wat op KMS uitgevoer is, kan oudit.

With KMS policy you can do the following:
Met KMS-beleid kan jy die volgende doen:

- Limit who can create data keys and which services have access to use these keys
- Limit systems access to encrypt only, decrypt only or both
- Define to enable systems to access keys across regions (although it is not recommended as a failure in the region hosting KMS will affect availability of systems in other regions).
- Beperk wie data sleutels kan skep en watter dienste toegang het om hierdie sleutels te gebruik
- Beperk stelsels se toegang om slegs te enkripteer, slegs te dekripteer of albei
- Definieer om stelsels toe te laat om sleutels oor streke te benader (alhoewel dit nie aanbeveel word nie, aangesien 'n mislukking in die streek wat KMS huisves, die beskikbaarheid van stelsels in ander streke sal beïnvloed).

You cannot synchronize or move/copy keys across regions; you can only define rules to allow access across region.

### Enumeration
Jy kan nie sleutels oor streke sinkroniseer of beweeg/kopieer nie; jy kan slegs reëls definieer om toegang oor streke toe te laat.

### Enumerasie
```bash
aws kms list-keys
aws kms list-key-policies --key-id <id>
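Review bot: the added Afrikaans is inconsistent in its terminology for encrypt/decrypt: the CMK, envelope and key-policy paragraphs use "versleutel/versleuteling/ontsleutelen", while the Key Administrators, Rotation and pricing sections switch to "enkripteer/dekripteer/geënkripteer/enkripsie"; the heading "### Sleutel Administrators", the line "Sleuteladministrateur per standaard" and the bullet "het Sleuteladministrators die toestemming" likewise use three different forms of one term. Pick one form per concept for the whole file. Two wording problems in the new lines: the manual-rotation bullet "so jy sal **moet opdateer** enige **aansoek**" uses "aansoek" (a form or request) where "toepassing", already used for "application" in the Amazon-administrators paragraph, is meant, and reads better as "so jy sal enige **toepassing** moet **opdateer**"; and the grants bullet "Dit kan die CMK-identifiseerder, die toekenningshoofpersoon en die vereiste vlak van operasie (...) aangedui word" is ungrammatical and should be "Die CMK-identifiseerder, die toekenningshoofpersoon en die vereiste vlak van operasie (...) kan aangedui word." Minor: "Deur **standaard:**" is a word-for-word rendering of "By default" where "By verstek:" is the idiom, and the WARNING translation drops the "However" contrast of the English ("Tog, as die **ARN** ...").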
@@ -132,7 +129,6 @@ aws kms describe-key --key-id <id>
aws kms get-key-policy --key-id <id> --policy-name <name> # Default policy name is "default"
aws kms describe-custom-key-stores
```

### Privesc

{{#ref}}
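Review bot: `### Privesc` is left in English while the neighbouring headings in this commit are translated (`### Enumeration` became `### Enumerasie` in the previous hunk and `## References` becomes `## Verwysings` in the next); either translate it too or keep the others untranslated so the headings are consistent. The header `@@ -132,7 +129,6 @@` records one removed line that this rendering does not show; confirm it was only a blank line and not one of the `aws kms` commands or the closing fence of the bash block.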
@@ -151,12 +147,8 @@ aws kms describe-custom-key-stores
../aws-persistence/aws-kms-persistence.md
{{#endref}}

## References
## Verwysings

- [https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html)

{{#include ../../../banners/hacktricks-training.md}}
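Review bot: `@@ -151,12 +147,8 @@` records four removed lines, but the rendered hunk shows only the `## References` to `## Verwysings` heading change; confirm the dropped lines were blank lines rather than a `{{#ref}}` block or a second reference entry. The surviving list has a single entry (the key-policy-default page) although the page also covers grants and rotation; consider adding the corresponding AWS documentation pages so the translated page stays verifiable.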