Best practice rules for AWS Key Management Service
AWS Key Management Service (KMS) provides easy access to create and control your encryption keys used to encrypt your data. KMS is integrated with AWS CloudTrail to provide an audit trail of all key usage to assist you in identifying any changes and ensuring you meet your regulatory and compliance requirements.
Trend Micro Cloud One™ – Conformity monitors AWS Key Management Service with the following rules:
- App-Tier KMS Customer Master Key (CMK) In Use
Ensure a customer created Customer Master Key (CMK) is created for the app tier.
- Database-Tier KMS Customer Master Key (CMK) In Use
Ensure a customer created Customer Master Key (CMK) is created for the database tier.
- Existence of Specific AWS KMS CMKs
Ensure that specific Amazon KMS CMKs are available for use in your AWS account.
- KMS Cross Account Access
Ensure Amazon KMS master keys don't allow unknown cross account access.
- KMS Customer Master Key (CMK) In Use
Ensure KMS Customer Master Key (CMK) is in use to have full control over encrypting and decrypting data.
- KMS Customer Master Key Pending Deletion
Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion.
- Key Exposed
Ensure Amazon KMS master keys aren't exposed to everyone.
- Key Rotation Enabled
Ensure that automatic rotation for Customer Managed Keys (CMKs) is enabled.
- Monitor AWS KMS Configuration Changes
Key Management Service (KMS) configuration changes have been detected within your AWS account.
- Unused Customer Master Key
Identify unused customer master keys, and delete them to help lower the cost of your monthly AWS bill.
- Web-Tier KMS Customer Master Key (CMK) In Use
Ensure a customer created Customer Master Key (CMK) is created for the web tier.