Ensure that customer-managed KMS keys (CMKs) are in use in your AWS account instead of AWS managed keys, so that you retain full control over the keys that encrypt and decrypt your data. Customer-managed CMKs can be used to encrypt and decrypt data in multiple AWS services, such as S3, Redshift, EBS and RDS.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
When you define and use your own customer-managed CMKs, you gain control over who can use the keys and, therefore, who can access your encrypted data. KMS lets you create, rotate, disable, enable and audit the encryption keys used to protect your data. An AWS managed key, by contrast, has a key policy that is controlled by the owning service and cannot be edited, so you cannot restrict its use with your own key policies or grants.
Note: this guide uses EBS volume encryption as the example to demonstrate how customer-managed CMKs can be used instead of AWS managed keys, and it assumes that encryption is already enabled for your EBS volumes. The AWS managed key for EBS is the one behind the alias/aws/ebs alias; snapshots encrypted with it also cannot be shared with other accounts, which is a further reason to move to a CMK.
Audit
To determine whether your EBS volumes are encrypted with customer-managed CMKs rather than the AWS managed key, perform the following:
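The check below is an added example (not the Cloud Conformity rule's own code) that shows the logic behind the audit. It uses the response shapes of the describe-volumes and describe-key commands referenced on this page: the KeyManager field of describe-key is "AWS" for an AWS managed key and "CUSTOMER" for a CMK. The volume and key data are constructed samples; the live_audit function is only an assumption about how you would wire the same logic to boto3 and is not run offline.

```python
"""Audit EBS volumes for AWS managed vs customer-managed KMS keys.

Added example, not the rule's own code. Response shapes follow
`aws ec2 describe-volumes` and `aws kms describe-key`; all ids are constructed.
"""
from typing import Callable, Dict, List

ACCOUNT = "111122223333"  # constructed account id
AWS_KEY = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-1111-1111-1111-111111111111"
CMK_KEY = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/22222222-2222-2222-2222-222222222222"

# Constructed describe-volumes output: one volume on the AWS managed key
# (alias/aws/ebs), one on a customer-managed CMK, one unencrypted.
SAMPLE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": AWS_KEY},
        {"VolumeId": "vol-0bbb", "Encrypted": True, "KmsKeyId": CMK_KEY},
        {"VolumeId": "vol-0ccc", "Encrypted": False},
    ]
}

# Constructed describe-key output for the two keys above. KeyManager is the
# field that tells an AWS managed key ("AWS") from a CMK ("CUSTOMER").
SAMPLE_KEYS = {
    AWS_KEY: {"KeyMetadata": {"Arn": AWS_KEY, "KeyManager": "AWS", "KeyState": "Enabled"}},
    CMK_KEY: {"KeyMetadata": {"Arn": CMK_KEY, "KeyManager": "CUSTOMER", "KeyState": "Enabled"}},
}


def sample_describe_key(key_id: str) -> dict:
    """Offline stand-in for `aws kms describe-key --key-id <id>`."""
    return SAMPLE_KEYS[key_id]


def classify_volume(volume: dict, describe_key: Callable[[str], dict]) -> str:
    """Return 'CUSTOMER', 'AWS' or 'UNENCRYPTED' for one describe-volumes entry."""
    if not volume.get("Encrypted"):
        return "UNENCRYPTED"
    return describe_key(volume["KmsKeyId"])["KeyMetadata"]["KeyManager"]


def audit_volumes(volumes_response: dict, describe_key: Callable[[str], dict]) -> Dict[str, str]:
    """Map every VolumeId to its classification, calling describe-key once per distinct key."""
    cache: Dict[str, dict] = {}

    def cached_describe_key(key_id: str) -> dict:
        if key_id not in cache:
            cache[key_id] = describe_key(key_id)
        return cache[key_id]

    return {v["VolumeId"]: classify_volume(v, cached_describe_key)
            for v in volumes_response["Volumes"]}


def non_compliant_volumes(classification: Dict[str, str]) -> List[str]:
    """Volumes that fail this rule: encrypted, but with an AWS managed key."""
    return sorted(vid for vid, kind in classification.items() if kind == "AWS")


def live_audit(region: str = "us-east-1") -> Dict[str, str]:
    """Assumed boto3 wiring for a real account (read-only ec2:DescribeVolumes, kms:DescribeKey)."""
    import boto3  # imported lazily so the offline sample runs without it
    ec2 = boto3.client("ec2", region_name=region)
    kms = boto3.client("kms", region_name=region)
    volumes = [v for page in ec2.get_paginator("describe_volumes").paginate()
               for v in page["Volumes"]]
    return audit_volumes({"Volumes": volumes}, lambda key_id: kms.describe_key(KeyId=key_id))


if __name__ == "__main__":
    result = audit_volumes(SAMPLE_VOLUMES, sample_describe_key)
    for vid, kind in result.items():
        print(f"{vid}: {kind}")
    print("non-compliant:", non_compliant_volumes(result))
```

Unencrypted volumes are reported as UNENCRYPTED rather than as failures of this rule, since a separate control covers EBS encryption itself; they are listed so the same pass gives a complete picture of the account's volume encryption.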
Remediation / Resolution
To use your own customer-managed CMK instead of the default AWS managed key to encrypt an EBS volume, perform the following:
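The workflow below is an added example (not the Cloud Conformity rule's own steps) that strings together the CLI operations referenced on this page through their boto3 equivalents: kms create-key and create-alias to obtain a CMK, then ec2 create-snapshot, copy-snapshot with Encrypted=True and KmsKeyId set to the CMK, create-volume from the re-encrypted snapshot, and detach-volume / attach-volume to swap the volume on its instance. The alias name, region, ids and the FakeClient that stands in for a boto3 client are all constructed so the sequence can be exercised offline; a real run passes boto3 clients instead.

```python
"""Re-encrypt an EBS volume with a customer-managed CMK.

Added example, not the rule's own code. EC2/KMS clients are passed in so the
constructed FakeClient below can replace boto3 offline.
"""
ALIAS = "alias/ebs-cmk"   # assumed alias for the new CMK
REGION = "us-east-1"      # assumed region


def ensure_cmk(kms, alias: str = ALIAS) -> str:
    """Create a symmetric CMK, give it an alias and return its ARN.
    A real run should check list-aliases first so repeated runs do not create duplicates."""
    key = kms.create_key(Description="EBS volume encryption (customer-managed)")
    kms.create_alias(AliasName=alias, TargetKeyId=key["KeyMetadata"]["KeyId"])
    return key["KeyMetadata"]["Arn"]


def reencrypt_volume(ec2, volume_id: str, cmk_arn: str, region: str = REGION) -> str:
    """Return the id of a new volume holding volume_id's data, encrypted with cmk_arn.

    The old volume is detached but kept, so the change can be rolled back. If
    the volume is attached, stop the instance (or unmount the file system)
    first: detaching a busy volume fails or risks an inconsistent snapshot.
    """
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    # 1. point-in-time snapshot of the source volume (still under the old key)
    snap = ec2.create_snapshot(VolumeId=volume_id, Description=f"pre-cmk {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
    # 2. copy-snapshot is where the key changes: Encrypted=True plus the CMK id
    copy = ec2.copy_snapshot(SourceRegion=region, SourceSnapshotId=snap, Encrypted=True,
                             KmsKeyId=cmk_arn, Description=f"cmk copy of {snap}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[copy])
    # 3. new volume from the re-encrypted snapshot, same AZ and type as the original
    args = dict(SnapshotId=copy, AvailabilityZone=vol["AvailabilityZone"],
                VolumeType=vol["VolumeType"], Encrypted=True, KmsKeyId=cmk_arn)
    if vol["VolumeType"] in ("io1", "io2"):  # provisioned-IOPS types need Iops carried over
        args["Iops"] = vol["Iops"]
    new_vol = ec2.create_volume(**args)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol])
    # 4. swap the volumes on the instance, reusing the original device name
    for att in vol.get("Attachments", []):
        ec2.detach_volume(VolumeId=volume_id)
        ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
        ec2.attach_volume(VolumeId=new_vol, InstanceId=att["InstanceId"], Device=att["Device"])
        ec2.get_waiter("volume_in_use").wait(VolumeIds=[new_vol])
    return new_vol


class FakeClient:
    """Constructed stand-in for a boto3 client: records calls, returns canned responses."""
    def __init__(self, responses):
        self.responses, self.calls = responses, []

    def get_waiter(self, name):
        return type("Waiter", (), {"wait": lambda self, **kw: None})()

    def __getattr__(self, api):
        def call(**kwargs):
            self.calls.append((api, kwargs))
            return self.responses.get(api, {})
        return call


# Constructed sample account: one gp2 volume on the AWS managed key, attached at /dev/sdf.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222"
SAMPLE_KMS = FakeClient({"create_key": {"KeyMetadata": {"KeyId": "22222222-2222-2222-2222-222222222222",
                                                        "Arn": CMK_ARN}}})
SAMPLE_EC2 = FakeClient({
    "describe_volumes": {"Volumes": [{"VolumeId": "vol-0aaa", "AvailabilityZone": "us-east-1a",
                                      "VolumeType": "gp2", "Size": 8, "Encrypted": True,
                                      "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111",
                                      "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/sdf"}]}]},
    "create_snapshot": {"SnapshotId": "snap-0old"},
    "copy_snapshot": {"SnapshotId": "snap-0cmk"},
    "create_volume": {"VolumeId": "vol-0new"},
})

if __name__ == "__main__":
    import sys
    import boto3  # live mode: python this_script.py vol-xxxxxxxx
    kms = boto3.client("kms", region_name=REGION)
    ec2 = boto3.client("ec2", region_name=REGION)
    print(reencrypt_volume(ec2, sys.argv[1], ensure_cmk(kms)))
```

After the swap, re-run the audit: describe-volumes on the new volume should report the CMK ARN as KmsKeyId, and describe-key on it should show KeyManager CUSTOMER. The intermediate snapshot under the old key and the old volume can be deleted once the instance has been verified against the new volume.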
References
- AWS Documentation
  - What is AWS Key Management Service?
  - AWS Key Management Service Concepts
  - Creating Keys
  - Amazon EBS Encryption
  - Copying an Amazon EBS Snapshot
- AWS Command Line Interface (CLI) Documentation
  - kms
  - describe-key
  - create-key
  - create-alias
  - describe-volumes
  - describe-snapshots
  - create-snapshot
  - copy-snapshot
  - detach-volume
  - attach-volume
Rule: KMS Customer Master Key (CMK) In Use
Risk level: Medium