Ensure there is one Amazon KMS Customer Master Key (CMK) created in your AWS account for the database tier in order to protect data-at-rest available within your AWS web stack, have full control over encryption/decryption process, and meet security and compliance requirements. The AWS resources provisioned in your database tier should have a tag set such as <data_tier_tag>:<data_tier_tag_value>, where <data_tier_tag> is the tag name and <data_tier_tag_value> is the tag value. Prior to running this rule by the Cloud Conformity engine, the database-tier tags must be configured within the rule settings, on your Cloud Conformity dashboard.
When you use your own AWS KMS Customer Master Key (CMK) to protect your database-tier data, you gain full control over who can use this key to access the data, implementing the principle of least privilege on encryption key ownership and usage. The KMS service allows you to easily rotate, audit and disable the encryption key created for your database tier. Note: Make sure that you replace all <data_tier_tag>:<data_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the database tier.
To determine if a database-tier KMS Customer Master Key was created within your AWS account, perform the following actions:
To create a dedicated AWS KMS Customer Master Key (CMK) to be used by AWS resources within your database tier, perform the following actions: