Ensure that your EBS volumes are encrypted with customer-managed KMS keys (CMKs) rather than the AWS-managed key for EBS (aws/ebs, the key used by default when a volume is encrypted without specifying one), so that you keep control over the policy, rotation and lifecycle of the key that protects your data. Once a volume is created with a customer-managed key, that key protects the data at rest on the volume, the snapshots taken from it (and any volumes created from those snapshots), and the data moving between the volume and the instance.
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When you create and use your own customer-managed keys for EBS volumes, you decide, through the key policy and IAM, who can use the key and therefore who can read the data on those volumes. A customer-managed key lets you write its key policy, issue and revoke grants, enable or disable it, rotate it, schedule its deletion and audit every use of it in CloudTrail. The AWS-managed aws/ebs key allows none of this: its policy cannot be edited, it cannot be disabled, and snapshots encrypted with it cannot be shared with another account. Bear in mind that the control cuts both ways: if you disable or delete a customer-managed key, volumes encrypted under it can no longer be attached and instances that use them will fail to start.
To determine whether your EBS volumes are encrypted with customer-managed keys, perform the following:
To use your own customer-managed key to encrypt an EBS volume, perform the following:
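Both procedures above, the audit and the remediation, as an added example in Python that is not Cloud Conformity's or AWS's own code. The audit reads the KmsKeyId of each volume and asks KMS whether that key's KeyManager is "AWS" or "CUSTOMER"; the remediation follows the only route available for an existing volume (its key cannot be changed in place): snapshot, copy the snapshot under the customer-managed key, create a new volume from the copy. The sample volumes, key ARNs and account number are constructed and hypothetical, and FakeEC2 is an offline stand-in for the boto3 client so the block runs without AWS credentials.

```python
"""Audit EBS volumes for customer-managed KMS keys and re-key any that use the
AWS-managed aws/ebs key.

Added example for this page; not Cloud Conformity's or AWS's own code.  The
classification runs offline on constructed data shaped like boto3 responses;
the boto3-based functions accept any object with the same method names, so
FakeEC2 below records calls in place of a real client.  All IDs, ARNs and the
account number are hypothetical."""

CUSTOMER = "CUSTOMER"  # KeyMetadata.KeyManager for a customer-managed key
AWS_MANAGED = "AWS"    # KeyMetadata.KeyManager for aws/ebs and other AWS-managed keys


def classify_volumes(volumes, key_manager):
    """Group describe_volumes() entries by how they are encrypted.

    volumes:     the "Volumes" list returned by ec2.describe_volumes()
    key_manager: callable mapping a KMS key ARN to its KeyManager value,
                 normally a kms.describe_key() lookup (see key_manager_lookup)
    """
    result = {"unencrypted": [], "aws_managed_key": [], "customer_managed_key": []}
    for vol in volumes:
        # Unencrypted volumes carry no KmsKeyId at all, so test the flag first.
        if not vol.get("Encrypted"):
            result["unencrypted"].append(vol["VolumeId"])
            continue
        bucket = "customer_managed_key" if key_manager(vol["KmsKeyId"]) == CUSTOMER \
            else "aws_managed_key"
        result[bucket].append(vol["VolumeId"])
    return result


def key_manager_lookup(kms):
    """Return a key_manager callable backed by a live KMS client, cached per ARN."""
    cache = {}

    def lookup(key_arn):
        if key_arn not in cache:
            cache[key_arn] = kms.describe_key(KeyId=key_arn)["KeyMetadata"]["KeyManager"]
        return cache[key_arn]
    return lookup


def rekey_volume(ec2, volume_id, availability_zone, region, cmk_arn):
    """Re-encrypt an existing volume under a customer-managed key.

    Returns (source_snapshot_id, encrypted_copy_id, new_volume_id).  Stopping
    the instance, swapping the volumes and deleting the old one is left to
    the caller; the CMK's key policy must allow the calling principal to use
    the key (including kms:CreateGrant) or the new volume will not attach."""
    snap = ec2.create_snapshot(VolumeId=volume_id,
                               Description=f"pre-rekey copy of {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
    copy = ec2.copy_snapshot(SourceSnapshotId=snap, SourceRegion=region,
                             Encrypted=True, KmsKeyId=cmk_arn)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[copy])
    new_vol = ec2.create_volume(AvailabilityZone=availability_zone, SnapshotId=copy,
                                Encrypted=True, KmsKeyId=cmk_arn)["VolumeId"]
    return snap, copy, new_vol


def enforce_default_key(ec2, cmk_arn):
    """Make new volumes in this region use the CMK unless one is given explicitly."""
    ec2.modify_ebs_default_kms_key_id(KmsKeyId=cmk_arn)
    ec2.enable_ebs_encryption_by_default()
    return ec2.get_ebs_default_kms_key_id()["KmsKeyId"]


# --- constructed sample data (hypothetical account, keys and volumes) -------
ACCOUNT = "111122223333"
AWS_EBS_KEY = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/aaaaaaaa-0000-4000-8000-ebsdefault00"
MY_CMK = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/bbbbbbbb-0000-4000-8000-customercmk0"
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": False},
    {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": True, "KmsKeyId": AWS_EBS_KEY},
    {"VolumeId": "vol-0a1b2c3d4e5f60003", "Encrypted": True, "KmsKeyId": MY_CMK},
]
SAMPLE_KEY_MANAGER = {AWS_EBS_KEY: AWS_MANAGED, MY_CMK: CUSTOMER}


class FakeEC2:
    """Offline stand-in for boto3's EC2 client: records calls, returns fixed IDs."""
    _responses = {"create_snapshot": {"SnapshotId": "snap-0source0000000001"},
                  "copy_snapshot": {"SnapshotId": "snap-0encrypted000001"},
                  "create_volume": {"VolumeId": "vol-0a1b2c3d4e5f60004"}}

    def __init__(self):
        self.calls = []
        self.default_key = None

    def __getattr__(self, name):  # create_snapshot / copy_snapshot / create_volume
        if name not in self._responses:
            raise AttributeError(name)

        def call(**kw):
            self.calls.append((name, kw))
            return self._responses[name]
        return call

    def get_waiter(self, name):
        return type("Waiter", (), {"wait": staticmethod(lambda **kw: None)})()

    def modify_ebs_default_kms_key_id(self, KmsKeyId):
        self.default_key = KmsKeyId

    def enable_ebs_encryption_by_default(self):
        pass

    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self.default_key}


if __name__ == "__main__":
    findings = classify_volumes(SAMPLE_VOLUMES, SAMPLE_KEY_MANAGER.get)
    for finding, ids in findings.items():
        print(f"{finding}: {ids}")
    ec2 = FakeEC2()
    for vol_id in findings["aws_managed_key"]:
        print(rekey_volume(ec2, vol_id, "us-east-1a", "us-east-1", MY_CMK))
    print("default EBS key now", enforce_default_key(ec2, MY_CMK))
```

Against a real account, feed classify_volumes the pages from ec2.get_paginator("describe_volumes") and pass key_manager_lookup(boto3.client("kms")) as the lookup; the volume IDs in aws_managed_key are the rule's findings. Re-keying produces a new volume ID, so the instance has to be stopped, the old volume detached and the new one attached at the same device name before the old volume and the intermediate snapshots are deleted; enforce_default_key stops the finding from recurring for volumes created afterwards in that region.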