AWS KMS
About
Monitor and audit KMS to ensure that security, availability, and reliability are not compromised.
Security
No KMS Key Exposed
Identify any publicly accessible AWS Key Management Service master keys and update their key policy in order to stop any unsigned (anonymous) requests made to these resources.
Key Rotation Enabled
When you enable automatic key rotation, AWS KMS rotates the key material of the CMK 365 days after the date rotation was enabled and every 365 days thereafter.
Unused Customer Master Key
Limited number of KMS admins
KMS key policies should be designed to limit the number of users who can perform encrypt and decrypt operations. Each application should use its own key to avoid over-exposure of a single key.
KMS Scheduled Deletion
Detects KMS keys that are scheduled for deletion. Deleting a KMS key will permanently prevent all data encrypted using that key from being decrypted. Avoid deleting keys unless no encrypted data is in use.
App-tier KMS Key in use
Ensure there is one Amazon KMS Customer Master Key (CMK) created in your AWS account for the app tier in order to protect data that transits your AWS application stack, have full control over the encryption process, and meet security and compliance requirements.
Database-tier KMS Key in use
Ensure there is one Amazon KMS Customer Master Key (CMK) created in your AWS account for the database tier in order to protect data at rest within your AWS web stack, have full control over the encryption/decryption process, and meet security and compliance requirements.
Existence of specific AWS KMS CMKs
Ensure that a specific list of AWS KMS Customer Master Keys (CMKs) is available for use in your AWS account in order to meet strict security and compliance requirements in your organization.
KMS Cross Account Access present
Ensure that all your AWS Key Management Service keys are configured to be accessed only by trusted AWS accounts in order to protect against unauthorized cross-account access.
KMS Customer Master Key in use
Ensure that you have customer-managed KMS CMKs in use in your account instead of AWS-managed keys in order to have full control over your data encryption and decryption process.
Web-tier KMS Key in use
Ensure there is one Amazon KMS Customer Master Key (CMK) created in your AWS account for the web tier in order to protect data that transits your AWS web stack, have full control over the data encryption/decryption process, and meet compliance requirements.
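As an added example (not part of the original checklist or of any vendor tool), the following Python evaluates one key against four of the checks above: exposed key, cross-account access, rotation enabled, and scheduled deletion. The inputs are constructed inline and only mirror the fields that DescribeKey, GetKeyRotationStatus and GetKeyPolicy return; the account ID and ARNs are placeholders.

```python
import json

# Constructed sample inputs (not real AWS output). Their shape mirrors the
# fields returned by DescribeKey, GetKeyRotationStatus and GetKeyPolicy.
OWN_ACCOUNT = "111111111111"  # assumed account ID, placeholder value
SAMPLE_METADATA = {"KeyManager": "CUSTOMER", "KeyState": "PendingDeletion"}
SAMPLE_ROTATION_ENABLED = False
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "*"]},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    ],
})

def _principals(stmt):
    """Normalise the Principal element to a list of AWS principal strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    vals = p.get("AWS", []) if isinstance(p, dict) else []
    return vals if isinstance(vals, list) else [vals]

def _account_of(arn):
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None  # None for "*" / non-ARN

def audit_key(own_account, metadata, rotation_enabled, policy_json):
    """Return the checklist findings for one key; an empty list means clean."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _principals(stmt):
            if principal == "*":
                # A Condition block narrows the grant: flag it for manual
                # review instead of an automatic "public" verdict.
                findings.append("public-conditional" if "Condition" in stmt
                                else "public-access")
            elif _account_of(principal) not in (None, own_account):
                findings.append("cross-account:" + _account_of(principal))
    if metadata.get("KeyManager") == "CUSTOMER" and not rotation_enabled:
        findings.append("rotation-disabled")
    if metadata.get("KeyState") == "PendingDeletion":
        findings.append("scheduled-deletion")
    return findings
```

In a real account the same function would be fed the output of the three API calls for every key returned by ListKeys; a Deny statement or a Condition on a wildcard principal is reported for review rather than judged automatically.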
Sources
https://www.cloudanix.com/recipelist/aws/kmsmonitoring
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html