Ensure that the data-at-rest encryption in your account uses customer managed KMS keys (customer managed CMKs) rather than the AWS managed keys that services create for you (for EBS this is the key behind the alias aws/ebs), so that you retain control over how your data is encrypted and decrypted. Customer managed KMS keys can be used to encrypt and decrypt data for many AWS services, including S3, Redshift, EBS and RDS.
When you define and use your own customer managed KMS keys, you control who can use the keys and therefore who can access your encrypted data: you write the key policy, grant or revoke access, and can create, rotate, disable, enable and audit (via CloudTrail) the keys that protect your data. None of this is possible with an AWS managed key, whose key policy you cannot edit and which you cannot disable or rotate yourself. Two caveats apply: enabling rotation on a customer managed key keeps the old key material for decrypting existing data and does not re-encrypt anything, and disabling or scheduling deletion of a key leaves every EBS volume encrypted under it unattachable (and, once the key is deleted, unrecoverable). Note: this guide uses EBS volume encryption as the example to demonstrate how customer managed KMS keys can be used instead of AWS managed keys, and assumes that encryption is already enabled for your EBS volumes.
To determine whether your EBS volumes are encrypted with customer managed KMS keys, perform the following:
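The audit behind that check, as an added example rather than code from the original guide. It classifies each volume from ec2:DescribeVolumes by the `KeyManager` field that kms:DescribeKey returns for the volume's `KmsKeyId` ("AWS" for an AWS managed key such as aws/ebs, "CUSTOMER" for a customer managed key), which is more reliable than matching alias names. The sample volumes and key metadata are constructed for the example; the boto3 code path and the permissions it assumes (ec2:DescribeVolumes, kms:DescribeKey) are noted in the docstring.

```python
"""Audit EBS volumes for encryption with a customer managed KMS key.

Added example, not code from the original guide. The live path assumes boto3
is installed and the caller holds ec2:DescribeVolumes and kms:DescribeKey.
SAMPLE_* data below is constructed and does not come from a real account.
"""

CUSTOMER_MANAGED = "CUSTOMER_MANAGED_KEY"


def classify_volume(volume, key_metadata_by_arn):
    """Return one finding for a DescribeVolumes entry.

    key_metadata_by_arn maps a KMS key ARN to the KeyMetadata object returned
    by kms:DescribeKey. KeyManager is the authoritative field: "AWS" for an
    AWS managed key (e.g. alias/aws/ebs), "CUSTOMER" for a customer managed one.
    """
    if not volume.get("Encrypted"):
        return "UNENCRYPTED"
    meta = key_metadata_by_arn.get(volume.get("KmsKeyId"))
    if meta is None:
        # Key lives in another account or was deleted: control cannot be shown.
        return "UNKNOWN_KEY"
    if meta.get("KeyManager") != "CUSTOMER":
        return "AWS_MANAGED_KEY"
    if meta.get("KeyState") != "Enabled":
        # A disabled or pending-deletion CMK will block attaching the volume.
        return "CMK_NOT_ENABLED"
    return CUSTOMER_MANAGED


def audit(volumes, key_metadata_by_arn):
    """Map every volume id to its finding."""
    return {v["VolumeId"]: classify_volume(v, key_metadata_by_arn) for v in volumes}


def noncompliant(findings):
    """Sorted ids of volumes that are not protected by an enabled customer managed key."""
    return sorted(vid for vid, f in findings.items() if f != CUSTOMER_MANAGED)


def audit_live(region):
    """Collect real data with boto3 (imported here so the pure functions run offline)."""
    import boto3
    from botocore.exceptions import ClientError

    ec2 = boto3.client("ec2", region_name=region)
    kms = boto3.client("kms", region_name=region)
    volumes = [v for page in ec2.get_paginator("describe_volumes").paginate()
               for v in page["Volumes"]]
    metadata = {}
    for arn in {v["KmsKeyId"] for v in volumes if v.get("Encrypted")}:
        try:
            metadata[arn] = kms.describe_key(KeyId=arn)["KeyMetadata"]
        except ClientError:
            pass  # NotFound / AccessDenied: reported as UNKNOWN_KEY
    return audit(volumes, metadata)


# Constructed sample data (fictitious account id and key ids).
AWS_KEY = "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"
CMK = "arn:aws:kms:us-east-1:123456789012:key/22222222-2222-2222-2222-222222222222"
DISABLED_CMK = "arn:aws:kms:us-east-1:123456789012:key/33333333-3333-3333-3333-333333333333"
FOREIGN_KEY = "arn:aws:kms:us-east-1:999999999999:key/44444444-4444-4444-4444-444444444444"

SAMPLE_KEYS = {
    AWS_KEY: {"KeyManager": "AWS", "KeyState": "Enabled"},
    CMK: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    DISABLED_CMK: {"KeyManager": "CUSTOMER", "KeyState": "Disabled"},
}
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a", "Encrypted": False},
    {"VolumeId": "vol-0b", "Encrypted": True, "KmsKeyId": AWS_KEY},
    {"VolumeId": "vol-0c", "Encrypted": True, "KmsKeyId": CMK},
    {"VolumeId": "vol-0d", "Encrypted": True, "KmsKeyId": DISABLED_CMK},
    {"VolumeId": "vol-0e", "Encrypted": True, "KmsKeyId": FOREIGN_KEY},
]

if __name__ == "__main__":
    for vid, finding in sorted(audit(SAMPLE_VOLUMES, SAMPLE_KEYS).items()):
        print(vid, finding)
```

Run `audit_live("us-east-1")` against a real region; anything other than CUSTOMER_MANAGED_KEY is a volume to remediate, and UNKNOWN_KEY deserves a look at the key policy of whoever owns that key.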
To use your own customer managed KMS key instead of the default AWS managed key (aws/ebs) to encrypt an EBS volume, perform the following:
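The remediation as an added example, not the original guide's steps. An EBS volume cannot be re-keyed in place, so the script snapshots the volume, copies the snapshot under the customer managed key, creates a new volume from that copy and swaps the attachment; it also sets the key as the region's default so new volumes use it automatically. It assumes boto3, the permissions listed in the docstring, a CMK whose key policy lets the caller use it (EBS needs kms:CreateGrant, kms:GenerateDataKeyWithoutPlaintext, kms:Decrypt and kms:DescribeKey on that key), and that the instance has been stopped or the device unmounted before the swap. `cmk_is_usable_for_ebs` is the pre-flight check that runs offline on kms:DescribeKey output.

```python
"""Re-encrypt an EBS volume under a customer managed KMS key.

Added example, not code from the original guide. Assumes boto3 and these
permissions: ec2:DescribeVolumes, ec2:CreateSnapshot, ec2:CopySnapshot,
ec2:CreateVolume, ec2:DetachVolume, ec2:AttachVolume,
ec2:EnableEbsEncryptionByDefault, ec2:ModifyEbsDefaultKmsKeyId, kms:DescribeKey.
"""


def cmk_is_usable_for_ebs(meta):
    """Return a list of reasons the key cannot back EBS encryption (empty = OK).

    meta is the KeyMetadata object from kms:DescribeKey.
    """
    problems = []
    if meta.get("KeyManager") != "CUSTOMER":
        problems.append("not a customer managed key")
    if meta.get("KeyState") != "Enabled":
        problems.append("key state is %s" % meta.get("KeyState"))
    if meta.get("KeyUsage") != "ENCRYPT_DECRYPT":
        problems.append("key usage is not ENCRYPT_DECRYPT")
    # EBS supports only symmetric encryption keys; older API responses name
    # the field CustomerMasterKeySpec and omit it for symmetric keys.
    spec = meta.get("KeySpec") or meta.get("CustomerMasterKeySpec") or "SYMMETRIC_DEFAULT"
    if spec != "SYMMETRIC_DEFAULT":
        problems.append("key spec %s cannot encrypt EBS volumes" % spec)
    return problems


def set_region_default_cmk(ec2, cmk_arn):
    """Make new volumes in this region encrypted with the CMK unless a key is given explicitly."""
    ec2.enable_ebs_encryption_by_default()
    ec2.modify_ebs_default_kms_key_id(KmsKeyId=cmk_arn)


def reencrypt_volume(ec2, kms, region, volume_id, cmk_arn):
    """Snapshot -> copy under CMK -> new volume -> swap attachment. Returns the new volume id."""
    problems = cmk_is_usable_for_ebs(kms.describe_key(KeyId=cmk_arn)["KeyMetadata"])
    if problems:
        raise ValueError("refusing to use %s: %s" % (cmk_arn, "; ".join(problems)))

    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    snap = ec2.create_snapshot(VolumeId=volume_id, Description="pre-CMK copy of " + volume_id)
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap["SnapshotId"]])

    # CopySnapshot is where the data is actually re-encrypted under the CMK.
    copy = ec2.copy_snapshot(SourceRegion=region, SourceSnapshotId=snap["SnapshotId"],
                             Encrypted=True, KmsKeyId=cmk_arn,
                             Description="CMK-encrypted copy of " + volume_id)
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[copy["SnapshotId"]])

    params = {"AvailabilityZone": vol["AvailabilityZone"], "SnapshotId": copy["SnapshotId"],
              "VolumeType": vol["VolumeType"], "Encrypted": True, "KmsKeyId": cmk_arn}
    if vol["VolumeType"] in ("io1", "io2") and vol.get("Iops"):
        params["Iops"] = vol["Iops"]  # required for provisioned-IOPS types
    new = ec2.create_volume(**params)
    ec2.get_waiter("volume_available").wait(VolumeIds=[new["VolumeId"]])

    # Detach is not graceful: stop the instance or unmount the device first.
    for att in vol.get("Attachments", []):
        ec2.detach_volume(VolumeId=volume_id)
        ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
        ec2.attach_volume(VolumeId=new["VolumeId"], InstanceId=att["InstanceId"],
                          Device=att["Device"])
    return new["VolumeId"]


if __name__ == "__main__":
    import sys
    import boto3  # live use only; assumed installed

    region, volume_id, cmk_arn = sys.argv[1:4]
    ec2 = boto3.client("ec2", region_name=region)
    kms = boto3.client("kms", region_name=region)
    set_region_default_cmk(ec2, cmk_arn)
    print("new volume:", reencrypt_volume(ec2, kms, region, volume_id, cmk_arn))
```

After the new volume has been verified, delete the old volume and both snapshots: the original snapshot is still encrypted under aws/ebs and keeps the data reachable without the CMK. Re-run the audit afterwards so the finding for the old volume id disappears rather than being forgotten.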