Finders Keypers: Open-source AWS KMS key usage finder
Finders Keypers is an open-source tool for analyzing the current usage of AWS KMS keys. It supports both AWS customer managed KMS keys and AWS Managed KMS keys.
Use cases include:
- Identifying the blast radius of specific KMS keys and the resources they may impact, such as S3 data, databases like RDS and DynamoDB, and more.
- Assessing encryption access control to determine which principals may have access to data and resources.
- Evaluating the impact of key lifecycle management, including key rotation, updates, and key retirement or deletion.
- Supporting audit and compliance efforts by analyzing potential key usage and access.
- Verifying default AWS settings for new resource creation and encryption configurations.
“While researching cloud encryption in AWS using AWS KMS, we noticed a major gap: visibility into using AWS KMS encryption keys and their impact on data security of multiple resources in AWS. One use case is if a KMS key is compromised, it may require key rotation and policy changes, which can have a significant downstream impact when changed and still being used by active resources — potentially leading to data loss,” Jason Kao, Founder of Fog Security, told Help Net Security.
“AWS’s recommended approaches for tracking KMS key usage, like checking key permissions and reviewing CloudTrail logs, have limitations. CloudTrail only retains history for 90 days, and permissions only show which principals have access, not direct links between data resources and keys. Our approach is different: we analyze each AWS service and its resources to map active KMS key usage, offering better visibility into the true blast radius,” Kao added.
Finders Keypers supports 28 different resource types across 21 AWS services, focusing on high-usage areas such as AWS Compute, database offerings, analytics services, storage, and secrets and configuration management. Each service and resource may require distinct API calls and IAM permissions, reflecting their unique security and access control requirements.
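The per-service inventory approach Kao describes comes down to inverting "resource uses key" into "key is used by these resources", with the wrinkle that services report a key as an ARN, a bare key ID, or an alias. The following is an added illustration, not Finders Keypers' own code; the alias table and resource records are constructed to look like trimmed boto3 responses, and the account ID and region are assumed values.

```python
"""Added example: build a KMS key -> resources index from per-service inventory data.
A real run would page through service APIs such as rds:DescribeDBInstances and
s3:GetBucketEncryption; the data below is constructed to stand in for that."""
import re

KEY_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Constructed: trimmed kms:ListAliases output mapping alias name -> key ARN.
ALIASES = {
    "alias/aws/s3": "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111",
    "alias/app-data": "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222",
}

# Constructed: (service, resource ARN, key reference exactly as that service's API reports it).
RESOURCES = [
    ("rds", "arn:aws:rds:us-east-1:111122223333:db:orders",
     "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222"),
    ("s3", "arn:aws:s3:::customer-exports", "alias/app-data"),
    ("s3", "arn:aws:s3:::logs", "alias/aws/s3"),
    ("dynamodb", "arn:aws:dynamodb:us-east-1:111122223333:table/sessions",
     "22222222-2222-2222-2222-222222222222"),
    ("secretsmanager", "arn:aws:secretsmanager:us-east-1:111122223333:secret:db-pass", None),
]

def normalize_key(ref, aliases, account, region):
    """Return the key ARN for an ARN, bare key ID, or alias reference; None if unresolvable."""
    if ref is None:
        return None  # service reported no key: its default applies and is not visible here
    if ref.startswith("arn:aws:kms:"):
        return ref
    if ref.startswith("alias/"):
        return aliases.get(ref)  # None when the alias is not defined in this account/region
    if KEY_ID_RE.match(ref):
        return f"arn:aws:kms:{region}:{account}:key/{ref}"
    return None

def build_key_index(resources, aliases, account, region):
    """Invert resource -> key into key ARN -> sorted resource ARNs (None bucket = no visible key)."""
    index = {}
    for _service, arn, ref in resources:
        key = normalize_key(ref, aliases, account, region)
        index.setdefault(key, []).append(arn)
    return {k: sorted(v) for k, v in index.items()}

def blast_radius(index, key_ref, aliases, account, region):
    """Resources that would be affected if the given key were rotated, disabled or deleted."""
    return index.get(normalize_key(key_ref, aliases, account, region), [])
```

The `None` bucket is worth reviewing separately: those resources fall back to a service default key that this inventory cannot attribute, so a rotation or policy change would not be caught by looking at the customer-visible keys alone.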
Future plans and download
“Our plans for future versions are to continue building and expanding coverage of Finders Keypers. We also plan to continue building in the cloud ransomware prevention and encryption management space, specifically tooling that helps users understand their data security, how protected their data is against ransomware, access to the data, and how their data is encrypted,” Kao explained.
Finders Keypers is available for free on GitHub.