Ensure that your AWS X-Ray trace data is encrypted with Amazon KMS Customer Master Keys (CMKs) instead of AWS managed keys (i.e. the default keys the Amazon X-Ray service uses when no customer master key is configured for traces), so that you have more control over the trace data encryption and decryption process and can meet compliance and/or internal requirements. AWS X-Ray is a managed service that collects data about the requests your cloud application serves and provides tools to view, filter and gain insights into that data, helping you identify issues and opportunities for performance optimization.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
By default, Amazon X-Ray encrypts trace data using an AWS managed key named "aws/xray". To gain full control over your AWS X-Ray encryption key management, you need to create your own KMS Customer Master Key (CMK). The Amazon KMS service allows you to easily rotate, disable and audit the CMK used to encrypt your X-Ray traces.
To determine the encryption configuration for your AWS X-Ray traces, perform the following actions:
To configure AWS X-Ray to encrypt traces and related data at rest with your own AWS KMS Customer Master Key (CMK), perform the following:
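The audit and remediation above both come down to one X-Ray API setting. The following script is an added example, not Cloud Conformity's tooling or the page's own step list: it classifies the `EncryptionConfig` object that X-Ray's `GetEncryptionConfig` returns, treats the AWS-managed key (`KMS DescribeKey` reports `KeyManager = "AWS"`) as non-compliant just like the default `Type = "NONE"` setting, and switches traces to a customer-managed key with `PutEncryptionConfig`. The helper names (`evaluate_encryption_config`, `audit_live_account`, `remediate_with_cmk`), the sample payloads and the key ARNs are my own constructions; the boto3 calls are real.

```python
"""Audit and remediate AWS X-Ray trace encryption (added example, not the page's own steps).

The AWS API calls (xray.get_encryption_config, xray.put_encryption_config, kms.describe_key)
are real boto3 calls; every function name and sample value below is an assumption of this
example. The evaluation logic is kept separate from the SDK calls so it can run offline.
"""
from typing import Callable, Dict

# Constructed sample payloads in the shape GetEncryptionConfig returns; not from any real account.
AWS_MANAGED_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000001"
CUSTOMER_CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-0000-0000-0000-000000000002"

SAMPLE_DEFAULT = {"Type": "NONE", "Status": "ACTIVE"}                       # X-Ray default encryption
SAMPLE_AWS_MANAGED = {"Type": "KMS", "Status": "ACTIVE", "KeyId": AWS_MANAGED_KEY_ARN}
SAMPLE_CMK = {"Type": "KMS", "Status": "ACTIVE", "KeyId": CUSTOMER_CMK_ARN}
SAMPLE_CMK_UPDATING = {"Type": "KMS", "Status": "UPDATING", "KeyId": CUSTOMER_CMK_ARN}

# Constructed stand-in for KMS DescribeKey's KeyMetadata.KeyManager field ("AWS" or "CUSTOMER").
SAMPLE_KEY_MANAGERS: Dict[str, str] = {AWS_MANAGED_KEY_ARN: "AWS", CUSTOMER_CMK_ARN: "CUSTOMER"}


def sample_key_manager(key_id: str) -> str:
    """Offline lookup used in place of kms.describe_key for the sample payloads."""
    return SAMPLE_KEY_MANAGERS[key_id]


def evaluate_encryption_config(config: dict, key_manager_of: Callable[[str], str]) -> dict:
    """Classify one X-Ray EncryptionConfig object.

    config is the 'EncryptionConfig' dict from GetEncryptionConfig:
        {'Type': 'NONE'|'KMS', 'Status': 'ACTIVE'|'UPDATING', 'KeyId': '<key arn>'}
    key_manager_of(key_id) must return KMS DescribeKey's KeyManager value for that key.
    Returns {'compliant': bool, 'reason': str}.
    """
    enc_type = config.get("Type", "NONE")
    status = config.get("Status")
    key_id = config.get("KeyId")

    if enc_type != "KMS" or not key_id:
        return {"compliant": False, "reason": "traces use the X-Ray default encryption (Type=NONE)"}
    if key_manager_of(key_id) != "CUSTOMER":
        return {"compliant": False, "reason": f"KMS key {key_id} is AWS-managed, not a customer master key"}
    if status != "ACTIVE":
        # PutEncryptionConfig is asynchronous; the old key may still be in use until ACTIVE.
        return {"compliant": False, "reason": f"encryption config is still {status}; re-check later"}
    return {"compliant": True, "reason": f"traces encrypted with customer-managed key {key_id}"}


def audit_live_account(region: str) -> dict:
    """Run the same evaluation against a real account (needs AWS credentials and boto3)."""
    import boto3  # imported here so the offline evaluation above needs no SDK or network

    xray = boto3.client("xray", region_name=region)
    kms = boto3.client("kms", region_name=region)
    config = xray.get_encryption_config()["EncryptionConfig"]
    return evaluate_encryption_config(
        config, lambda kid: kms.describe_key(KeyId=kid)["KeyMetadata"]["KeyManager"]
    )


def remediate_with_cmk(region: str, cmk_key_id: str) -> dict:
    """Switch X-Ray trace encryption to the given customer-managed key.

    cmk_key_id may be a key ID, key ARN or alias. The caller's IAM identity and the key
    policy must allow X-Ray to use the key, otherwise the call fails. X-Ray reports
    Status=UPDATING until the change is applied, so run audit_live_account again afterwards.
    """
    import boto3

    xray = boto3.client("xray", region_name=region)
    return xray.put_encryption_config(Type="KMS", KeyId=cmk_key_id)["EncryptionConfig"]


if __name__ == "__main__":
    # Offline walk-through over the constructed samples.
    for name, cfg in [("default", SAMPLE_DEFAULT), ("aws-managed", SAMPLE_AWS_MANAGED),
                      ("cmk", SAMPLE_CMK), ("cmk-updating", SAMPLE_CMK_UPDATING)]:
        verdict = evaluate_encryption_config(cfg, sample_key_manager)
        print(f"{name:13s} compliant={verdict['compliant']}  {verdict['reason']}")
```

Checking `KeyManager` matters because selecting the `aws/xray` key in the console also produces `Type = "KMS"`; without that lookup an audit that only inspects `Type` would pass a configuration this rule considers non-compliant.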