Ensure that your EBS volumes are encrypted with KMS customer-managed keys (CMKs) rather than the AWS managed key (the default key used for EBS volume encryption), so that you retain granular control over how your data is encrypted and decrypted. Once implemented, the customer-managed CMK is used to encrypt and decrypt EBS data at rest, volume snapshots and disk I/O.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
When you create and use your own customer-managed CMKs with EBS volumes, you gain full control over who can use the keys and who can access the data encrypted on those volumes. AWS KMS lets you create, rotate, disable, enable and audit encryption keys.
To determine if your EBS volumes are encrypted with CMK customer-managed keys, perform the following:
Remediation / Resolution
To use your own CMK customer-managed key to encrypt an EBS volume, perform the following:
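The two procedures above (auditing which volumes use a customer-managed key, and re-keying a volume that does not) can be expressed as a small script. The following is an added example written for this page, not Cloud Conformity's own check or AWS code. It evaluates the shapes returned by EC2 `DescribeVolumes` and KMS `DescribeKey` over constructed sample data so it runs offline; the `collect_live` helper shows how the same data would be fetched with boto3 in a real account (it needs credentials and is not exercised here). The volume IDs, key ARNs and account number in the sample are invented placeholders. The re-encryption plan encodes the standard AWS path, since an existing volume cannot be re-keyed in place: snapshot the volume, copy the snapshot with the target CMK, create a volume from the copy, then swap the attachment.

```python
"""Audit EBS volumes for customer-managed KMS keys and plan re-encryption.

Added example for this page; not part of the original rule text.
"""
from __future__ import annotations

# Constructed sample of ec2.describe_volumes()["Volumes"], trimmed to the
# fields the check needs. IDs and ARNs are placeholders, not real resources.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": False},
    {"VolumeId": "vol-0bbb", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aws-managed-example"},
    {"VolumeId": "vol-0ccc", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/cmk-example"},
]

# Constructed sample of kms.describe_key()["KeyMetadata"], keyed by key ARN.
# KeyManager is the field that separates AWS managed keys ("AWS") from
# customer-managed keys ("CUSTOMER").
SAMPLE_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/aws-managed-example":
        {"KeyManager": "AWS", "KeyState": "Enabled"},
    "arn:aws:kms:us-east-1:111122223333:key/cmk-example":
        {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
}


def classify_volume(volume: dict, keys: dict) -> str:
    """Return one of UNENCRYPTED, AWS_MANAGED_KEY, CUSTOMER_MANAGED_KEY, UNKNOWN_KEY."""
    if not volume.get("Encrypted"):
        return "UNENCRYPTED"
    meta = keys.get(volume.get("KmsKeyId", ""))
    if meta is None:
        # Key metadata not visible: deleted key or a key in another account.
        return "UNKNOWN_KEY"
    return "CUSTOMER_MANAGED_KEY" if meta.get("KeyManager") == "CUSTOMER" else "AWS_MANAGED_KEY"


def noncompliant_volumes(volumes: list, keys: dict) -> list:
    """Volume IDs that fail the rule (anything but a customer-managed key)."""
    return sorted(v["VolumeId"] for v in volumes
                  if classify_volume(v, keys) != "CUSTOMER_MANAGED_KEY")


def reencryption_plan(volume_id: str, target_key_arn: str, region: str) -> list:
    """Ordered EC2 API calls (name, parameters) to move a volume onto a CMK.

    Placeholders in angle brackets are filled from the previous step's output.
    Returned as a plan rather than executed, so the reader can review it first.
    """
    return [
        ("create_snapshot", {"VolumeId": volume_id}),
        ("copy_snapshot", {"SourceSnapshotId": "<snapshot from step 1>",
                           "SourceRegion": region, "Encrypted": True,
                           "KmsKeyId": target_key_arn}),
        ("create_volume", {"SnapshotId": "<copied snapshot from step 2>",
                           "AvailabilityZone": "<same AZ as the original volume>"}),
        ("detach_volume", {"VolumeId": volume_id}),
        ("attach_volume", {"VolumeId": "<volume from step 3>",
                           "InstanceId": "<instance>", "Device": "<device>"}),
    ]


def collect_live(region: str):
    """Fetch real data with boto3 (needs credentials; not run in this example)."""
    import boto3
    from botocore.exceptions import ClientError
    ec2 = boto3.client("ec2", region_name=region)
    kms = boto3.client("kms", region_name=region)
    volumes = [v for page in ec2.get_paginator("describe_volumes").paginate()
               for v in page["Volumes"]]
    keys = {}
    for arn in {v["KmsKeyId"] for v in volumes if v.get("KmsKeyId")}:
        try:
            keys[arn] = kms.describe_key(KeyId=arn)["KeyMetadata"]
        except ClientError:
            pass  # leave absent; classify_volume reports UNKNOWN_KEY
    return volumes, keys


if __name__ == "__main__":
    for vol in SAMPLE_VOLUMES:
        print(vol["VolumeId"], classify_volume(vol, SAMPLE_KEYS))
    for vid in noncompliant_volumes(SAMPLE_VOLUMES, SAMPLE_KEYS):
        for step, params in reencryption_plan(vid, "<target CMK ARN>", "us-east-1"):
            print(f"  {vid}: {step} {params}")
```

Treat `UNKNOWN_KEY` as a finding to investigate rather than a pass: a key you cannot describe is one whose policy you do not control, which is the opposite of what this rule is trying to achieve.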
Rule: EBS Encrypted With KMS Customer Master Keys
Risk level: High