Ensure that Amazon Storage Gateway service is using AWS KMS Customer Master Keys (CMKs) instead of AWS managed-keys (i.e. default keys) for volume data encryption, in order to have a fine-grained control over data-at-rest encryption/decryption process and meet compliance requirements.
When you use your own AWS KMS Customer Master Keys (CMKs) to encrypt data available on Amazon Storage Gateway volumes (cached or stored volumes), you have full control over who can use the encryption keys to access your data. Amazon Key Management Service allows you to easily create, rotate, disable and audit the Customer Master Keys used to encrypt AWS Storage Gateway volumes.
To determine the encryption configuration for your AWS Storage Gateway volumes, perform the following actions:Note: Verifying encryption configuration for Amazon Storage Gateway volumes using AWS Management Console is not currently supported, the feature can be configured only through AWS Command Line Interface (CLI).
Remediation / Resolution
Encryption at rest using KMS Customer Master Keys (CMKs) cannot be configured for existing Amazon Storage Gateway volumes. To encrypt cached/stored volumes data using your own Customer Master Keys, you have to re-create the specified volumes. To create the required AWS KMS CMK and relaunch the required volumes, perform the following actions:Note: Creating and configuring Amazon Storage Gateway volumes using the AWS Management Console is not currently supported.
- AWS Documentation
- AWS Storage Gateway FAQs
- Encrypting Your Data Using AWS Key Management Service
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
Use KMS Customer Master Keys for AWS Storage Gateway Volumes
Risk level: High