Ensure that your EBS volumes are encrypted with customer managed KMS keys (CMKs) rather than the AWS managed key for EBS (the `aws/ebs` key that EBS uses by default when no key is specified), so that you retain granular control over how your data is encrypted and decrypted. Once implemented, the customer managed key is used to protect the data at rest on the volume, every snapshot taken from it, and the data moving between the volume and the instance. Note that the key of an existing volume cannot be changed in place: moving a volume to a CMK means snapshotting it, copying the snapshot under the new key, and creating a replacement volume from that copy.
When you create and use your own customer managed keys with EBS volumes, you control who can use the keys, and therefore who can read the data encrypted on these volumes, through the key policy and IAM. AWS KMS allows you to create, rotate, disable, enable, and audit the keys, and every use of the key is recorded in AWS CloudTrail.
To determine if your EBS volumes are encrypted with customer managed keys, perform the following:
To use your own customer managed key to encrypt an EBS volume, perform the following:
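The following is an added example that is not part of the original page; it is not an AWS or Trend Micro tool. It covers both procedures above: the audit classifies each volume by whether it is unencrypted, encrypted with the AWS managed key, or encrypted with a customer managed key, using the `KeyManager` field that `kms.describe_key` returns (`AWS` for AWS managed keys, `CUSTOMER` for keys the account owns); the remediation function carries out the snapshot, copy-under-CMK, create-volume sequence that EBS requires because a volume's key cannot be swapped in place. The volume records, key metadata, key ARNs and account ID in the sample data are constructed for the example, and the `main()` that pulls live data needs `boto3` and AWS credentials.

```python
"""Audit EBS volumes for customer managed KMS keys and re-encrypt offenders.

Added example, not from the original page.  Assumes:
  * volume records shaped like the ``Volumes`` entries returned by
    ec2.describe_volumes()
  * key metadata shaped like the ``KeyMetadata`` returned by kms.describe_key()
  * an ``ec2`` client exposing the boto3 EC2 methods used in reencrypt_volume()
"""

CUSTOMER_MANAGED = "CUSTOMER_MANAGED"
AWS_MANAGED = "AWS_MANAGED"
UNENCRYPTED = "UNENCRYPTED"
UNKNOWN_KEY = "UNKNOWN_KEY"


def classify_volume(volume, key_metadata_by_id):
    """Classify one volume record using the KeyManager of its KMS key."""
    if not volume.get("Encrypted"):
        return UNENCRYPTED
    meta = key_metadata_by_id.get(volume.get("KmsKeyId", ""))
    if meta is None:
        # Key not visible to us (other account, deleted, or no kms:DescribeKey);
        # flag rather than silently treat as compliant.
        return UNKNOWN_KEY
    # KeyManager is "AWS" for AWS managed keys such as alias/aws/ebs and
    # "CUSTOMER" for keys the account created and controls.
    return CUSTOMER_MANAGED if meta.get("KeyManager") == "CUSTOMER" else AWS_MANAGED


def audit(volumes, key_metadata_by_id):
    """Map each volume ID to its classification."""
    return {v["VolumeId"]: classify_volume(v, key_metadata_by_id) for v in volumes}


def noncompliant(report):
    """Volume IDs that are not encrypted with a customer managed key."""
    return sorted(vid for vid, status in report.items() if status != CUSTOMER_MANAGED)


def reencrypt_volume(ec2, volume_id, cmk_key_id, region, availability_zone):
    """Produce a copy of ``volume_id`` encrypted under ``cmk_key_id``.

    EBS cannot change the key of an existing volume, so the path is:
    snapshot -> copy the snapshot with Encrypted=True and the CMK ->
    create a new volume from the copy.  Works for unencrypted volumes and
    for volumes on the AWS managed key alike.  Returns the new volume ID;
    detaching the old volume and attaching the new one is workload-specific
    and left to the caller.
    """
    snap = ec2.create_snapshot(VolumeId=volume_id, Description=f"pre-reencrypt {volume_id}")
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap["SnapshotId"]])
    copy = ec2.copy_snapshot(
        SourceSnapshotId=snap["SnapshotId"],
        SourceRegion=region,
        Encrypted=True,
        KmsKeyId=cmk_key_id,
    )
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[copy["SnapshotId"]])
    new_vol = ec2.create_volume(
        SnapshotId=copy["SnapshotId"],
        AvailabilityZone=availability_zone,
        Encrypted=True,
        KmsKeyId=cmk_key_id,
    )
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol["VolumeId"]])
    return new_vol["VolumeId"]


# Constructed sample data (account ID and key IDs are made up for the example).
AWS_EBS_KEY = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000001"
CMK_KEY = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-0000-0000-0000-000000000002"
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-1", "Encrypted": False},
    {"VolumeId": "vol-2", "Encrypted": True, "KmsKeyId": AWS_EBS_KEY},
    {"VolumeId": "vol-3", "Encrypted": True, "KmsKeyId": CMK_KEY},
]
SAMPLE_KEYS = {
    AWS_EBS_KEY: {"KeyId": AWS_EBS_KEY, "KeyManager": "AWS"},
    CMK_KEY: {"KeyId": CMK_KEY, "KeyManager": "CUSTOMER"},
}


def main():
    """Run the audit against the live account (requires boto3 and credentials)."""
    import boto3

    ec2, kms = boto3.client("ec2"), boto3.client("kms")
    volumes = [v for page in ec2.get_paginator("describe_volumes").paginate() for v in page["Volumes"]]
    keys = {}
    for key_id in {v["KmsKeyId"] for v in volumes if v.get("Encrypted")}:
        try:
            keys[key_id] = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        except Exception:  # access denied or cross-account key: reported as UNKNOWN_KEY
            pass
    report = audit(volumes, keys)
    for vid in noncompliant(report):
        print(f"{vid}: {report[vid]}")


if __name__ == "__main__":
    main()
```

Running `audit(SAMPLE_VOLUMES, SAMPLE_KEYS)` on the constructed data flags `vol-1` and `vol-2`; only `vol-3` passes. Before remediating, make sure the CMK's key policy grants the EC2 service and the principals that attach the volume the `kms:CreateGrant`, `kms:GenerateDataKeyWithoutPlaintext` and `kms:Decrypt` permissions they need, or the replacement volume will fail to attach.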