Ensure that KMS customer-managed keys (CMKs) are in use in your account instead of AWS-managed keys, so that you have full control over your data encryption and decryption process. Customer-managed CMKs can be used to encrypt and decrypt data for multiple AWS services such as S3, Redshift, EBS and RDS.
This rule can help you with the following compliance standards:
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you define and use your own customer-managed CMKs, you gain complete control over who can use the keys and who can access your encrypted data. Customer-managed CMKs give you the ability to create, rotate, disable, enable, and audit the encryption keys used to protect your data; with AWS-managed keys, the key policy and its lifecycle are controlled by AWS.
Note: this guide uses EBS volume encryption as an example to demonstrate how customer-managed CMKs can be used instead of AWS-managed keys. It assumes that you already have encryption enabled for your EBS volumes.
To determine if you have any CMK customer-managed keys in use for your EBS volumes, perform the following:
Remediation / Resolution
To use your own CMK customer-managed key instead of the default / AWS-managed key to encrypt an EBS volume, perform the following:
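The audit described under the detection step above and the remediation described here, as one added example (this is not Conformity's code and not the page's own remediation steps): a Python script that classifies EBS volumes by the kind of KMS key protecting them, using the `KeyManager` field of the KMS key metadata (`AWS` for AWS-managed keys such as `alias/aws/ebs`, `CUSTOMER` for keys you created), and a live `boto3` helper that re-encrypts a volume under a customer-managed CMK by the snapshot-copy route. The classifier runs offline over constructed sample records shaped like `describe_volumes` and `describe_key` output; the function names, the sample volume and key identifiers, and the snapshot-copy procedure are assumptions of this example.

```python
"""Added example (not Conformity's code): find EBS volumes that still use the
AWS-managed key and re-encrypt them under a customer-managed CMK.

The boto3 calls are real AWS SDK calls but only run inside the live helpers;
the sample records below are constructed so classify_volumes() runs offline.
"""

# Constructed sample records shaped like ec2.describe_volumes()["Volumes"].
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa111", "Encrypted": False},
    {"VolumeId": "vol-0bbb222", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aws-managed-example"},
    {"VolumeId": "vol-0ccc333", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/customer-cmk-example"},
]

# Constructed sample records shaped like kms.describe_key()["KeyMetadata"],
# keyed by key ARN. KeyManager is "AWS" for AWS-managed keys (alias/aws/ebs)
# and "CUSTOMER" for keys you created yourself; that field is the check.
SAMPLE_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/aws-managed-example":
        {"KeyManager": "AWS", "KeyState": "Enabled"},
    "arn:aws:kms:us-east-1:111122223333:key/customer-cmk-example":
        {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
}


def classify_volumes(volumes, key_metadata):
    """Bucket volumes by the kind of key protecting them.

    Returns a dict of lists: unencrypted, aws_managed, customer_managed and
    unknown_key (key ARN not resolvable, e.g. a deleted key or one in another
    account we lack kms:DescribeKey on). Only customer_managed satisfies the
    rule; every other bucket needs follow-up.
    """
    buckets = {"unencrypted": [], "aws_managed": [],
               "customer_managed": [], "unknown_key": []}
    for vol in volumes:
        vid = vol["VolumeId"]
        if not vol.get("Encrypted"):
            buckets["unencrypted"].append(vid)
            continue
        meta = key_metadata.get(vol.get("KmsKeyId"))
        if meta is None:
            buckets["unknown_key"].append(vid)
        elif meta.get("KeyManager") == "CUSTOMER":
            buckets["customer_managed"].append(vid)
        else:
            buckets["aws_managed"].append(vid)
    return buckets


def audit_region(region):
    """Live version of the check: needs AWS credentials, so not run offline."""
    import boto3  # imported here so the offline classifier has no dependency
    from botocore.exceptions import ClientError
    ec2 = boto3.client("ec2", region_name=region)
    kms = boto3.client("kms", region_name=region)
    volumes = [v for page in ec2.get_paginator("describe_volumes").paginate()
               for v in page["Volumes"]]
    keys = {}
    for vol in volumes:
        arn = vol.get("KmsKeyId")
        if arn and arn not in keys:
            try:
                keys[arn] = kms.describe_key(KeyId=arn)["KeyMetadata"]
            except ClientError:
                pass  # not found / access denied: lands in unknown_key
    return classify_volumes(volumes, keys)


def reencrypt_with_cmk(region, volume_id, cmk_arn):
    """Re-encrypt one volume under a customer-managed CMK (snapshot-copy route).

    An EBS volume's key cannot be changed in place, so this helper assumes the
    usual path: snapshot the volume, copy the snapshot with the CMK, create a
    new volume from the copy. The caller still has to detach the old volume,
    attach the new one in its place, and delete the old volume and both
    snapshots once the swap is verified.
    """
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    src = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]

    snap_id = ec2.create_snapshot(
        VolumeId=volume_id,
        Description=f"pre-CMK snapshot of {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id])

    copy_id = ec2.copy_snapshot(
        SourceRegion=region, SourceSnapshotId=snap_id,
        Encrypted=True, KmsKeyId=cmk_arn,
        Description=f"{volume_id} re-encrypted with customer CMK")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[copy_id])

    new_vol = ec2.create_volume(
        AvailabilityZone=src["AvailabilityZone"], SnapshotId=copy_id,
        VolumeType=src["VolumeType"], Encrypted=True, KmsKeyId=cmk_arn)
    return new_vol["VolumeId"]


if __name__ == "__main__":
    # Offline demonstration over the constructed sample: vol-0bbb222 should be
    # reported as aws_managed and vol-0aaa111 as unencrypted.
    for bucket, ids in classify_volumes(SAMPLE_VOLUMES, SAMPLE_KEYS).items():
        print(f"{bucket:17s} {ids}")
```

The `unknown_key` bucket is deliberate: a volume whose key ARN cannot be described (deleted key, or a key in another account without `kms:DescribeKey` permission) is not proof of compliance and should be investigated rather than silently counted as customer-managed. The re-encryption helper performs the snapshot copy with the CMK rather than re-encrypting in place, because EBS does not allow changing a volume's key after creation; running it against a root volume requires stopping the instance first.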
- AWS Documentation
- What is AWS Key Management Service?
- AWS Key Management Service Concepts
- Creating Keys
- Amazon EBS Encryption
- Copying an Amazon EBS Snapshot
Rule: KMS Customer Master Key (CMK) In Use
Risk level: Medium