Ensure that your Amazon AppFlow flows are encrypted using customer-managed Customer Master Keys (CMKs) so that you have full control over your encrypted data and can meet security and compliance requirements. A Customer Master Key (CMK) is managed by the Amazon KMS service and is a logical representation of a symmetric master key. The CMK includes metadata, such as the key ID, creation date, description, and key state. The KMS CMK also contains the key material used to encrypt and decrypt data.
Amazon AppFlow is a fully managed integration service that lets you securely transfer data between Software-as-a-Service (SaaS) applications and AWS cloud services. Amazon AppFlow encrypts your access tokens, secret keys, and data at rest. By default, the flow data is encrypted using an AWS-managed encryption key. This meets general security requirements because it protects your data at rest. However, if you have strict compliance requirements for data encryption, or your applications store and process sensitive or confidential data, you may need to create your own master key. With Amazon KMS, you can choose to use your own customer-managed Customer Master Key (CMK) to encrypt your Amazon AppFlow flow data at rest.
To determine the encryption status and configuration for your Amazon AppFlow flows, perform the following operations:
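One way to script this check, as an added example that is not part of the original page: each flow's `kmsArn` (AppFlow `DescribeFlow`) is resolved to the key's `KeyManager` value (KMS `DescribeKey`), and every flow not on a customer-managed key is reported. The function names, sample flow names, placeholder account and key IDs, and the choice to treat a missing or unreadable key as `UNKNOWN` are assumptions.

```python
# Added example: classify AppFlow flows by who manages their KMS key.
def key_manager_for(flow, lookup):
    """Return 'CUSTOMER', 'AWS' or 'UNKNOWN' for one DescribeFlow response."""
    arn = flow.get("kmsArn")
    if not arn:
        return "UNKNOWN"          # assumption: no ARN reported -> review by hand
    try:
        manager = lookup(arn)     # KMS DescribeKey -> KeyMetadata.KeyManager
    except Exception:             # e.g. access denied, key deleted
        return "UNKNOWN"
    return manager if manager in ("AWS", "CUSTOMER") else "UNKNOWN"

def audit(flows, lookup):
    """Map flow name -> key manager for every flow NOT on a customer-managed key."""
    cache = {}
    def cached(arn):              # one KMS lookup per distinct key
        if arn not in cache:
            cache[arn] = lookup(arn)
        return cache[arn]
    result = {f["flowName"]: key_manager_for(f, cached) for f in flows}
    return {name: m for name, m in result.items() if m != "CUSTOMER"}

def audit_region(region):
    """Live run against one region; needs boto3 and read-only AppFlow/KMS access."""
    import boto3  # imported here so the offline sample below runs without it
    appflow = boto3.client("appflow", region_name=region)
    kms = boto3.client("kms", region_name=region)
    flows, token = [], None
    while True:
        page = appflow.list_flows(**({"nextToken": token} if token else {}))
        flows += [appflow.describe_flow(flowName=f["flowName"]) for f in page["flows"]]
        token = page.get("nextToken")
        if not token:
            break
    return audit(flows, lambda arn: kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"])

# Constructed sample data (placeholder account and key IDs), shaped like the API output.
ARN = "arn:aws:kms:us-east-1:111122223333:key/"
SAMPLE_KEYS = {ARN + "aaaa-customer": "CUSTOMER", ARN + "bbbb-aws": "AWS"}
SAMPLE_FLOWS = [
    {"flowName": "crm-to-s3", "kmsArn": ARN + "aaaa-customer"},
    {"flowName": "tickets-to-redshift", "kmsArn": ARN + "bbbb-aws"},
    {"flowName": "legacy-export", "kmsArn": ARN + "cccc-missing"},
    {"flowName": "no-key-reported"},
]

if __name__ == "__main__":
    for name, manager in audit(SAMPLE_FLOWS, SAMPLE_KEYS.__getitem__).items():
        print(f"{name}: key manager {manager}, not customer-managed")
```

A flow reported as `AWS` is on the default AWS-managed key; `UNKNOWN` means the key could not be resolved and the flow needs a manual look.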
Remediation / Resolution
To encrypt your Amazon AppFlow flows using customer-managed Customer Master Keys (CMKs), you have to re-create your AppFlow flows with the appropriate encryption type by performing the following operations:
Enable Data Encryption with KMS Customer Master Keys
Risk level: High