Ensure there is one Amazon KMS Customer Master Key (CMK) created in your AWS account for the web tier in order to protect data that transits your AWS web stack, have full control over data encryption/decryption process, and meet compliance requirements. Ideally, the AWS resources within your web tier should have tags such as <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be configured on the Cloud Conformity dashboard, in the rule settings.
When you use your own AWS KMS Customer Master Key (CMK) to protect the data within your web tier, you gain full control over who can use this key to access the web data, implementing the principle of least privilege on encryption key ownership and usage. The KMS service allows you to easily rotate, audit and even disable the key created for your web tier. Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
To determine if a web-tier KMS Customer Master Key (CMK) exists in your AWS account, perform the following:
To create a dedicated AWS KMS Customer Master Key (CMK) to be used by AWS resources provisioned within your web tier, perform the following actions: