Monitor AWS KMS Configuration Changes

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: KMS-007

Monitor AWS KMS Configuration Changes. Amazon Key Management Service (KMS) is a managed encryption service that enables you to easily encrypt your cloud data. AWS KMS provides a highly available key storage, management and auditing solution for you to encrypt your sensitive data across AWS services. KMS is integrated with other AWS services to help you protect the data you store and manage with these services. AWS KMS is also integrated with AWS CloudTrail to continuously monitor and retain user activity, in order to help meet your regulatory and compliance needs. Cloud Conformity RTMA uses the information collected by AWS CloudTrail to process and send notifications about the configurations changes made at the AWS KMS service level. The activity detected by Cloud Conformity RTMA engine, based on AWS CloudTrail logging data, could be, for example, any user request initiated through AWS Management Console or any AWS API request initiated programmatically using AWS CLI or SDKs, that triggers any of the KMS actions listed below:

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Real-Time Threat Monitoring


"CreateAlias" - Creates a display name for a customer-managed Customer Master Key (CMK).

"CreateGrant" - Adds a grant to a Customer Master Key (CMK). The grant specifies who can use the CMK and under what conditions.

"CreateKey" - Creates a Customer Master Key (CMK) within the caller's AWS account.

"EnableKey" - Sets the state of a key to enabled, in order to allow its use for cryptographic operations.

"EnableKeyRotation" - Enables automatic rotation of the key material for the specified Customer Master Key (CMK).

"ImportKeyMaterial" - Imports key material into an existing AWS KMS CMK that was created without key material.

"PutKeyPolicy" - Attaches a key policy to the specified Customer Master Key (CMK).

"RetireGrant" - Retires a grant. A grant specifies who can use the CMK and under what conditions.

"RevokeGrant" - Revokes the selected grant for the specified key.

"ScheduleKeyDeletion" - Schedules the deletion of a Customer Master Key (CMK).

"TagResource" - Adds or edits tags for a KMS CMK.

"UntagResource" - Removes the selected tags from the specified Customer Master Key (CMK).

"UpdateAlias" - Associates an existing alias with a different AWS KMS CMK.

"UpdateKeyDescription" - Updates the description of a KMS CMK.

"DisableKey" - Sets the state of a Customer Master Key (CMK) to disabled.

"DisableKeyRotation" - Disables automatic rotation of the key material for the specified KMS Customer Master Key (CMK).

"CancelKeyDeletion" - Cancels the deletion of a Customer Master Key (CMK).

"DeleteAlias" - Deletes the specified key alias.

"DeleteImportedKeyMaterial" - Deletes key material that you previously imported. This operation makes the specified CMK unusable.

Because of its important role within your AWS cloud environment, i.e. it’s used to encrypt your application data, Cloud Conformity strongly recommends that you avoid as much as possible to provide your IAM users the permission to change the AWS Key Management Service (KMS) configuration. The communication channels required for sending RTMA notifications can be configured within your Cloud Conformity account. The list of supported communication channels that you can use to receive configuration change alerts for AWS KMS are SMS, Email, Slack, PagerDuty, Zendesk and ServiceNow.


Monitoring is an important part of understanding the availability, state, configuration and usage of your Customer Master Keys (CMKs) within AWS KMS. As a security best practices, you need to be aware of all the configuration changes made at the Amazon KMS service level. When you are using AWS Key Management Service, you gain more control over access to data you encrypt. You can use the key management and cryptographic features directly in your applications or through AWS services that are integrated with Amazon KMS. KMS enables you to maintain control over who can use your Customer Master Keys (CMKs) and gain full access to your encrypted cloud data, therefore, monitoring any configuration change performed at the AWS KMS level is fundamental for keeping your encrypted data secure.


Publication date Sep 9, 2018

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Monitor AWS KMS Configuration Changes

Risk level: High