Ensure that a dedicated AWS KMS Customer Master Key (CMK) exists in your AWS account for the app tier, so that data moving through your application stack is protected with a key you own, giving you full control over the encryption process and helping you meet security and compliance requirements. The AWS resources in your app tier should carry a tag of the form <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> is the tag name and <app_tier_tag_value> is the tag value. Before the Cloud Conformity engine runs this rule, the app-tier tags must be configured in the rule settings on your Cloud Conformity account dashboard.
When you use your own AWS KMS Customer Master Key (CMK) to protect your app stack data, you decide, through the key policy, which principals may use the key to access that data, applying the principle of least privilege to key ownership and usage. KMS also lets you rotate, audit and disable the key created for your app tier. Note: replace every <app_tier_tag>:<app_tier_tag_value> placeholder in the rule content with the tag name and value you created for the app tier.
To determine if an app-tier KMS Customer Master Key is currently available in your AWS account, perform the following actions:
To create a dedicated AWS KMS Customer Master Key (CMK) to be used by AWS resources and services within your app stack, perform the following:
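The following is an added example, not Cloud Conformity's rule-engine code, covering both the audit step above (is there a usable, correctly tagged app-tier CMK?) and the remediation step (what a CreateKey request for such a key should look like). It runs offline against a constructed inventory shaped like the responses of the real `kms:DescribeKey` and `kms:ListResourceTags` calls; the tag name `app_tier`, the value `payments-api`, the account ID and the IAM role ARNs are assumptions standing in for the page's placeholders. Two checks a tag-only scan would miss are included: AWS-managed keys (which you cannot tag or govern) are skipped, and a correctly tagged key that is disabled or pending deletion does not count.

```python
"""Offline helpers for the app-tier KMS CMK audit and remediation steps.

Added example; not Cloud Conformity's own code. Operates on dictionaries
shaped like real KMS API responses so it runs without an AWS account.
Tag name/value, account ID and role ARNs below are assumptions.
"""
import json

# Assumed stand-ins for <app_tier_tag> and <app_tier_tag_value>.
APP_TIER_TAG = "app_tier"
APP_TIER_TAG_VALUE = "payments-api"

# Constructed inventory: key ID -> DescribeKey KeyMetadata + ListResourceTags Tags.
# Key IDs are made up; field names are the real API field names.
SAMPLE_INVENTORY = {
    "11111111-1111-1111-1111-111111111111": {  # usable app-tier CMK
        "KeyMetadata": {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
        "Tags": [{"TagKey": "app_tier", "TagValue": "payments-api"},
                 {"TagKey": "owner", "TagValue": "platform"}],
    },
    "22222222-2222-2222-2222-222222222222": {  # right tag key, wrong value
        "KeyMetadata": {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
        "Tags": [{"TagKey": "app_tier", "TagValue": "web"}],
    },
    "33333333-3333-3333-3333-333333333333": {  # AWS-managed key: not yours to govern
        "KeyMetadata": {"KeyManager": "AWS", "KeyState": "Enabled"},
        "Tags": [],
    },
    "44444444-4444-4444-4444-444444444444": {  # tagged correctly but being deleted
        "KeyMetadata": {"KeyManager": "CUSTOMER", "KeyState": "PendingDeletion"},
        "Tags": [{"TagKey": "app_tier", "TagValue": "payments-api"}],
    },
}


def has_tag(tags, key, value):
    """Exact match: KMS tag keys and values are case sensitive."""
    return any(t["TagKey"] == key and t["TagValue"] == value for t in tags)


def find_app_tier_cmks(inventory, tag_key=APP_TIER_TAG, tag_value=APP_TIER_TAG_VALUE):
    """IDs of customer-managed, Enabled keys carrying the app-tier tag."""
    matches = []
    for key_id, desc in inventory.items():
        meta = desc["KeyMetadata"]
        if meta.get("KeyManager") != "CUSTOMER" or meta.get("KeyState") != "Enabled":
            continue  # AWS-managed, disabled or pending-deletion keys cannot satisfy the rule
        if has_tag(desc.get("Tags", []), tag_key, tag_value):
            matches.append(key_id)
    return sorted(matches)


def is_compliant(inventory, tag_key=APP_TIER_TAG, tag_value=APP_TIER_TAG_VALUE):
    """The rule passes when at least one usable app-tier CMK exists."""
    return len(find_app_tier_cmks(inventory, tag_key, tag_value)) >= 1


def build_create_key_request(account_id, admin_role_arn, app_role_arn,
                             tag_key=APP_TIER_TAG, tag_value=APP_TIER_TAG_VALUE):
    """Parameters for kms:CreateKey: a tagged CMK with a least-privilege key policy.

    The root statement mirrors the AWS default and keeps the key manageable;
    the admin role gets management actions only and the app role gets
    data-path actions only, so no one principal both administers and uses it.
    """
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableRootAccountManagement", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowKeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": admin_role_arn},
             "Action": ["kms:Describe*", "kms:Enable*", "kms:Disable*", "kms:List*",
                        "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Get*",
                        "kms:TagResource", "kms:UntagResource",
                        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
             "Resource": "*"},
            {"Sid": "AllowAppTierUse", "Effect": "Allow",
             "Principal": {"AWS": app_role_arn},
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": "*"},
        ],
    }
    return {
        "Description": f"Dedicated CMK for the {tag_value} app tier",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeySpec": "SYMMETRIC_DEFAULT",
        "Origin": "AWS_KMS",
        "Policy": json.dumps(policy),
        "Tags": [{"TagKey": tag_key, "TagValue": tag_value}],
    }


if __name__ == "__main__":
    print("app-tier CMKs:", find_app_tier_cmks(SAMPLE_INVENTORY))
    print("compliant:", is_compliant(SAMPLE_INVENTORY))
    req = build_create_key_request("123456789012",  # assumed account and roles
                                   "arn:aws:iam::123456789012:role/KmsKeyAdmin",
                                   "arn:aws:iam::123456789012:role/PaymentsApiTask")
    print(json.dumps(req, indent=2))
```

Against a live account, the inventory above corresponds to `aws kms list-keys` followed by `aws kms describe-key --key-id <id>` and `aws kms list-resource-tags --key-id <id>` for each key, and the returned request corresponds to `aws kms create-key --tags TagKey=<app_tier_tag>,TagValue=<app_tier_tag_value> --policy file://policy.json`. Granting the app-tier role only the data-path actions is what gives the "full control over who can use this key" the rule description promises; a key whose policy hands `kms:*` to the workload role is tagged correctly but does not deliver least privilege.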