Ensure that KMS customer-managed keys (CMKs) are in use in your account instead of AWS managed keys, so that you retain full control over the encryption and decryption of your data. Customer-managed CMKs can be used to encrypt and decrypt data for multiple AWS services, such as S3, Redshift, EBS and RDS.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When you define and use your own customer-managed CMKs, you gain complete control over who can use the keys and who can access your encrypted data. KMS gives you the ability to create, rotate, disable, enable and audit the encryption keys used to protect your data.
Note: this guide uses EBS volume encryption as an example to demonstrate how customer-managed CMKs can be used instead of AWS managed keys. It assumes that you already have encryption enabled for your EBS volumes.
To determine if you have any CMK customer-managed keys in use for your EBS volumes, perform the following:
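The check can be automated by joining the output of `describe-volumes` with `describe-key`: a volume is compliant only when it is encrypted and the key behind its `KmsKeyId` reports `KeyManager` of `CUSTOMER` (AWS managed keys, such as the one behind `alias/aws/ebs`, report `AWS`). The following script is an added example, not part of the original page or of the Cloud Conformity tool; the volume and key records are constructed sample data in the shape of the AWS API responses, and the key ARNs and volume IDs are placeholders.

```python
"""Classify EBS volumes by the kind of KMS key that protects them.

Added example. In a real account the two dictionaries below would come from
boto3: ec2.describe_volumes() and kms.describe_key(KeyId=<arn>) respectively.
"""
from typing import Callable, Dict, List

# Constructed sample of `aws ec2 describe-volumes` output (placeholder IDs).
DESCRIBE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-0aaaaaaaaaaaaaaaa", "Encrypted": False},
        {
            "VolumeId": "vol-0bbbbbbbbbbbbbbbb",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111",
        },
        {
            "VolumeId": "vol-0cccccccccccccccc",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222",
        },
    ]
}

# Constructed sample of `aws kms describe-key` output, indexed by key ARN.
# KeyMetadata.KeyManager is "AWS" for an AWS managed key and "CUSTOMER" for a
# customer-managed CMK; that field is what the check hinges on.
DESCRIBE_KEY = {
    "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111": {
        "KeyMetadata": {"KeyManager": "AWS", "Description": "Default key that protects my EBS volumes"}
    },
    "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222": {
        "KeyMetadata": {"KeyManager": "CUSTOMER", "Description": "ebs-cmk (hypothetical)"}
    },
}


def classify_volume(volume: dict, lookup_key: Callable[[str], dict]) -> str:
    """Return UNENCRYPTED, AWS_MANAGED, CUSTOMER_MANAGED or UNKNOWN_KEY for one volume."""
    if not volume.get("Encrypted"):
        return "UNENCRYPTED"
    key_arn = volume.get("KmsKeyId", "")
    try:
        manager = lookup_key(key_arn)["KeyMetadata"]["KeyManager"]
    except KeyError:
        # Key not visible to the caller (cross-account, deleted, or no kms:DescribeKey permission).
        return "UNKNOWN_KEY"
    return "CUSTOMER_MANAGED" if manager == "CUSTOMER" else "AWS_MANAGED"


def audit_volumes(describe_volumes: dict, describe_key: Dict[str, dict]) -> Dict[str, str]:
    """Map every volume ID to its classification."""
    return {
        vol["VolumeId"]: classify_volume(vol, lambda arn: describe_key[arn])
        for vol in describe_volumes["Volumes"]
    }


def noncompliant_volumes(report: Dict[str, str]) -> List[str]:
    """Volumes that are not protected by a customer-managed CMK, sorted for stable output."""
    return sorted(vid for vid, status in report.items() if status != "CUSTOMER_MANAGED")


if __name__ == "__main__":
    result = audit_volumes(DESCRIBE_VOLUMES, DESCRIBE_KEY)
    for volume_id, status in result.items():
        print(f"{volume_id}: {status}")
    print("non-compliant:", noncompliant_volumes(result))
```

An unencrypted volume and a volume encrypted with the AWS managed key are both flagged, which matches the rule's intent: only volumes whose key you created and control pass.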
To use your own customer-managed CMK instead of the default AWS managed key to encrypt an EBS volume, perform the following: