
AWS KMS Best Practices

AWS Key Management Service (KMS) provides easy access to create and control your encryption keys used to encrypt your data. KMS is integrated with AWS CloudTrail to provide an audit trail of all key usage to assist you in identifying any changes and ensuring you meet your regulatory and compliance requirements.

Cloud Conformity checks the AWS Key Management Service (KMS) according to the following rules:

App-Tier Customer Master Key In Use
Ensure a customer-created Customer Master Key (CMK) exists for the app tier.

AWS KMS Customer Master Key (CMK) In Use
Ensure KMS Customer Master Keys (CMKs) are in use so that you retain full control over the encryption/decryption process.

Database Tier Customer Master Key In Use
Ensure a customer-created Customer Master Key (CMK) exists for the database tier.

Default AWS KMS Key Usage
Ensure that the default Amazon KMS keys are not being used.

Disabled AWS KMS keys
Identify and remove any disabled AWS KMS encryption keys to optimize your AWS costs.

Monitor AWS KMS Configuration Changes
Key Management Service (KMS) configuration changes have been detected within your AWS account.

AWS KMS Unknown Cross Account Access
Ensure Amazon KMS master keys do not allow unknown cross-account access.

AWS KMS Exposed Keys
Ensure Amazon KMS master keys are not exposed to everyone.

Recover KMS Customer Master Keys
Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion.

Enable AWS KMS Key Rotation
Ensure the KMS key rotation feature is enabled for all your Customer Master Keys (CMKs).

Remove unused KMS keys
Identify and remove any disabled Customer Master Keys (CMKs) to reduce AWS costs.

Web-Tier Customer Master Key In Use
Ensure a customer-created Customer Master Key (CMK) exists for the web tier.