- Ensure that KMS Customer Master Keys (CMKs) are used by your AWS services and resources instead of default KMS keys, in order to have full control over the data encryption/decryption process and meet compliance requirements. A KMS default master key is used by an AWS service such as RDS, EBS, Lambda, Elastic Transcoder, Redshift, SES, SQS, CloudWatch, EFS, S3 or Workspaces when no other key is defined to encrypt a resource for that service. The default key cannot be modified, which ensures its availability, durability and security. On the other hand, a KMS Customer Master Key (CMK) provides the ability to create, rotate, disable, enable and audit the encryption key used to protect the data.
When you use your own AWS KMS CMK instead of the default KMS key to encrypt your data, you gain complete control over who can use this key to access the data, implementing the principle of least privilege on encryption key ownership and usage. An AWS service can use a KMS CMK on your behalf, but you always retain control of that key. Note: As an example, this conformity rule demonstrates how Customer Master Keys (CMKs) can be used instead of AWS default master keys to encrypt Amazon EBS volumes.
To determine if the default KMS keys are used within your AWS account, perform the following actions:
Note: As an alternative, to determine whether a KMS key was used for encryption in the past, you can examine your existing AWS CloudTrail logs. You can go into your CloudTrail Event History and check the past events to determine the usage of the default master key. You can also use Amazon Athena to query and analyze your CloudTrail logs to find out more details about your KMS key usage.
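The check described above, as an added example that is not part of the original rule page: it groups EBS volumes by whether they are unencrypted, encrypted with the AWS-managed default key, or encrypted with a customer-managed CMK. The distinction relies on the `KeyManager` field of `kms.describe_key()` ("AWS" vs "CUSTOMER"); the volume IDs, key ARNs and account number are constructed sample values, and the live `scan_account()` function assumes boto3 and AWS credentials are available.

```python
"""Audit EBS volumes for encryption with the AWS-managed default KMS key."""
from typing import Callable, Dict, Iterable, List

AWS_MANAGED = "AWS"  # KeyManager value for an AWS-managed (default) key
CUSTOMER_MANAGED = "CUSTOMER"  # KeyManager value for a customer-managed CMK


def classify_volumes(volumes: Iterable[dict],
                     key_manager_of: Callable[[str], str]) -> Dict[str, List[str]]:
    """Group volume IDs into unencrypted / default_key / cmk.

    volumes: entries shaped like ec2.describe_volumes()['Volumes'].
    key_manager_of: maps a KMS key ARN/ID to its KeyManager value, as found in
                    kms.describe_key(KeyId=...)['KeyMetadata']['KeyManager'].
    """
    result: Dict[str, List[str]] = {"unencrypted": [], "default_key": [], "cmk": []}
    for vol in volumes:
        if not vol.get("Encrypted"):
            result["unencrypted"].append(vol["VolumeId"])
        elif key_manager_of(vol["KmsKeyId"]) == AWS_MANAGED:
            result["default_key"].append(vol["VolumeId"])  # finding for this rule
        else:
            result["cmk"].append(vol["VolumeId"])
    return result


# Constructed sample data standing in for describe_volumes / describe_key output.
_DEFAULT_ARN = "arn:aws:kms:us-east-1:111122223333:key/sample-default-key"
_CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/sample-customer-key"
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-sample-1", "Encrypted": False},
    {"VolumeId": "vol-sample-2", "Encrypted": True, "KmsKeyId": _DEFAULT_ARN},
    {"VolumeId": "vol-sample-3", "Encrypted": True, "KmsKeyId": _CMK_ARN},
]
SAMPLE_KEY_MANAGERS = {_DEFAULT_ARN: AWS_MANAGED, _CMK_ARN: CUSTOMER_MANAGED}


def scan_account(region: str = "us-east-1") -> Dict[str, List[str]]:
    """Live variant: page through describe_volumes and resolve each key via KMS."""
    import boto3  # imported here so the offline logic above needs no AWS access
    ec2 = boto3.client("ec2", region_name=region)
    kms = boto3.client("kms", region_name=region)
    cache: Dict[str, str] = {}  # one describe_key call per distinct key

    def key_manager_of(key_id: str) -> str:
        if key_id not in cache:
            cache[key_id] = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyManager"]
        return cache[key_id]

    volumes: List[dict] = []
    for page in ec2.get_paginator("describe_volumes").paginate():
        volumes.extend(page["Volumes"])
    return classify_volumes(volumes, key_manager_of)


if __name__ == "__main__":
    print(classify_volumes(SAMPLE_VOLUMES, lambda k: SAMPLE_KEY_MANAGERS[k]))
```

Volumes listed under `default_key` are the ones this rule flags; `unencrypted` volumes are reported separately because they fail a different control.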
To use your own KMS Customer Master Key (CMK) instead of the AWS default master key to encrypt an EBS volume, perform the following actions: