Best practice rules for AWS Key Management Service
AWS Key Management Service (KMS) provides easy access to create and control your encryption keys used to encrypt your data. KMS is integrated with AWS CloudTrail to provide an audit trail of all key usage to assist you in identifying any changes and ensuring you meet your regulatory and compliance requirements.
Trend Micro Cloud One™ – Conformity monitors AWS Key Management Service with the following rules:
- App-Tier KMS Customer Master Key (CMK) In Use
Ensure a customer created Customer Master Key (CMK) is created for the app tier.
- Database-Tier KMS Customer Master Key (CMK) In Use
Ensure a customer created Customer Master Key (CMK) is created for the database tier.
- Existence of Specific AWS KMS CMKs
Ensure that specific Amazon KMS CMKs are available for use in your AWS account.
- KMS Cross Account Access
Ensure Amazon KMS master keys do not allow unknown cross account access.
- KMS Customer Master Key (CMK) In Use
Ensure KMS Customer Master Keys (CMK) are in use to have full control over the encryption / decryption process.
- KMS Customer Master Key Pending Deletion
Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion.
- Key Exposed
Ensure Amazon KMS master keys are not exposed to everyone.
- Key Rotation Enabled
Ensure KMS key rotation feature is enabled for all your Customer Master Keys (CMK).
- Monitor AWS KMS Configuration Changes
Key Management Service (KMS) configuration changes have been detected within your AWS account.
- Unused Customer Master Key
Identify and remove any disabled Customer Master Keys (CMK) to reduce AWS costs.
- Web-Tier KMS Customer Master Key (CMK) In Use
Ensure a customer created Customer Master Key (CMK) is created for the web tier.