Ensure that Amazon Storage Gateway service is using AWS KMS Customer Master Keys (CMKs) instead of AWS managed-keys for tape data encryption, in order to have a fine-grained control over data-at-rest encryption/decryption process and meet regulatory and security requirements.
When you use your own AWS KMS Customer Master Keys (CMKs) to encrypt data available on Amazon Storage Gateway tapes, you have full control over who can use the encryption keys to access your data. Amazon Key Management Service allows you to easily create, rotate, disable and audit the Customer Master Keys used to encrypt AWS Storage Gateway tapes.
To determine the encryption configuration for your AWS Storage Gateway tapes, perform the following:Note: Verifying encryption configuration for Amazon Storage Gateway tapes using AWS Management Console is not currently supported, the feature can be configured only through AWS Command Line Interface (CLI).
Data encryption using KMS Customer Master Keys (CMKs) cannot be enabled for existing Amazon Storage Gateway virtual tapes. To encrypt cached/stored tape data using your own Customer Master Keys, you have to re-create the specified tapes. To create the required AWS KMS CMK and relaunch the required virtual tapes, perform the following:Note: Creating and configuring Amazon Storage Gateway tapes using the AWS Management Console is not currently supported.