Skip to main content

KMS Concentration Risk

KMS concentration risk answers: "If this one encryption key is compromised or deleted, how much of your business shuts down?"

Organizations often use a single KMS key to encrypt hundreds of S3 buckets and RDS instances. If that key is deleted, disabled, or its policy misconfigured, every dependent resource becomes inaccessible. This is a cryptographic single point of failure.

The concentration model

KMS Key (1) → encrypts → S3 (200 buckets) + RDS (50 instances) + EBS (100 volumes)

Key deletion = 350 resources inaccessible

Scanners check if encryption is ON. Stave checks if the encryption dependency is concentrated in a single point of failure.

How it works

The extractor counts the resources encrypted with each KMS key:

properties:
cryptography:
kind: key
key_concentration:
resource_count: 450
service_count: 5
has_deletion_protection: false
has_multi_region_replica: false

Controls

CTL.KMS.CONCENTRATION.001 — Key encrypts > 50 resources

Fires when: resource_count > 50
Severity: high

A single key encrypts too many resources. Key misconfiguration has a disproportionate blast radius.

Remediation: Create per-service or per-application KMS keys.

CTL.KMS.CONCENTRATION.002 — High-density key lacks deletion protection

Fires when: resource_count > 50
AND has_deletion_protection == false
Severity: critical

A high-density key can be deleted with a single API call. The 7-day minimum waiting period is the only grace period.

Remediation: Enable key deletion protection. Deny kms:ScheduleKeyDeletion via SCP.

Safety chain: crypto_concentration_failure

id: crypto_concentration_failure
controls:
- CTL.KMS.CONCENTRATION.001
- CTL.KMS.CONCENTRATION.002
- CTL.KMS.ROTATION.001
escalation_threshold: 2
compound_severity: critical

Key files

FilePurpose
controls/kms/concentration/CTL.KMS.CONCENTRATION.001-002.yaml2 concentration controls
controls/kms/isolation/CTL.KMS.ISOLATION.001.yamlKey domain isolation control
chains/crypto_concentration_failure.yamlConcentration compound chain
chains/cryptographic_boundary_collapse.yamlIsolation + cross-env compound chain

Concentration checks how many resources depend on one key. Isolation checks whether a key is shared across sensitivity domains. See CTL.KMS.ISOLATION.001 — a PHI key shared with a dev bucket collapses the cryptographic boundary even if concentration is low.