Ensure there is one Amazon KMS Customer Master Key (CMK) created in your AWS account for the database tier, so that data at rest within your AWS web stack is protected, you retain full control over the encryption/decryption process, and security and compliance requirements are met. The AWS resources provisioned in your database tier should carry a tag set such as <data_tier_tag>:<data_tier_tag_value>, where <data_tier_tag> is the tag name and <data_tier_tag_value> is the tag value. Before the Cloud Conformity engine runs this rule, the database-tier tags must be configured within the rule settings on your Cloud Conformity dashboard.
This rule can help you with the following compliance standards:
- APRA
- MAS
For further details on the compliance standards supported by Conformity, see the Conformity compliance documentation.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you use your own AWS KMS Customer Master Key (CMK) to protect your database-tier data, you gain full control over who can use that key to access the data, applying the principle of least privilege to encryption key ownership and usage. The KMS service also lets you rotate, audit and disable the encryption key created for your database tier.
Note: Make sure that you replace all <data_tier_tag>:<data_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the database tier.
Audit
To determine if a database-tier KMS Customer Master Key was created within your AWS account, perform the following actions:
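The following audit helper is an added example, not the rule's own audit steps or Conformity's code: it implements the same check from the response shapes of the `list-keys` and `list-resource-tags` commands listed under References. The tag name/value, the key IDs in the constructed sample and the region are placeholders.

```python
from typing import Iterable

# Placeholders, as in the rule text: replace with the tag configured in the rule settings.
DATA_TIER_TAG = "<data_tier_tag>"
DATA_TIER_TAG_VALUE = "<data_tier_tag_value>"

# Constructed sample shaped like `aws kms list-keys` / `aws kms list-resource-tags` output.
SAMPLE_KEYS = [{"KeyId": "11111111-aaaa-4bbb-8ccc-000000000001"},
               {"KeyId": "22222222-aaaa-4bbb-8ccc-000000000002"}]
SAMPLE_TAGS = {
    "11111111-aaaa-4bbb-8ccc-000000000001": [{"TagKey": "Environment", "TagValue": "prod"}],
    "22222222-aaaa-4bbb-8ccc-000000000002": [{"TagKey": DATA_TIER_TAG, "TagValue": DATA_TIER_TAG_VALUE}],
}

def find_data_tier_cmks(keys: Iterable[dict], tags_by_key: dict,
                        tag_key: str = DATA_TIER_TAG,
                        tag_value: str = DATA_TIER_TAG_VALUE) -> list:
    """Return the KeyIds whose tag set contains tag_key:tag_value; the rule
    passes when this list is non-empty. `keys` mirrors the "Keys" list from
    list-keys, `tags_by_key` maps KeyId -> "Tags" list (TagKey/TagValue dicts)."""
    return [k["KeyId"] for k in keys
            if any(t.get("TagKey") == tag_key and t.get("TagValue") == tag_value
                   for t in tags_by_key.get(k["KeyId"], []))]

def audit_account(region: str, tag_key: str = DATA_TIER_TAG,
                  tag_value: str = DATA_TIER_TAG_VALUE) -> list:
    """Same check against a live account. boto3 is imported lazily so the
    pure logic above runs offline."""
    import boto3
    from botocore.exceptions import ClientError
    kms = boto3.client("kms", region_name=region)
    keys, tags_by_key = [], {}
    for page in kms.get_paginator("list_keys").paginate():
        keys.extend(page["Keys"])
    for k in keys:
        tags, marker = [], None
        try:
            while True:  # ListResourceTags is paginated via Truncated/NextMarker
                params = {"KeyId": k["KeyId"], **({"Marker": marker} if marker else {})}
                resp = kms.list_resource_tags(**params)
                tags.extend(resp.get("Tags", []))
                if not resp.get("Truncated"):
                    break
                marker = resp["NextMarker"]
        except ClientError:
            continue  # AWS-managed keys (aws/rds etc.) deny ListResourceTags; not CMKs you own
        tags_by_key[k["KeyId"]] = tags
    return find_data_tier_cmks(keys, tags_by_key, tag_key, tag_value)
```

An empty result from `audit_account` means no CMK tagged for the database tier exists in that region, which is the failing condition for this rule.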
Remediation / Resolution
To create a dedicated AWS KMS Customer Master Key (CMK) to be used by AWS resources within your database tier, perform the following actions:
References
- AWS Documentation
  - What is AWS Key Management Service?
  - AWS Key Management Service Concepts
  - Viewing Keys
  - Creating Keys
  - Tagging Keys
- CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
  - kms
    - list-keys
    - list-resource-tags
    - create-key
    - create-alias
    - tag-resource