More Info:

Ensure that a specific list of AWS KMS Customer Master Keys (CMKs) are available for use in your AWS account in order to meet strict security and compliance requirements in your organization.

Risk Level

Low

Address

Security

Compliance Standards

NIST

Remediation

How to ensure specific customer managed keys are used.

Using AWS Console

  1. Open the AWS Management Console and navigate to the service where you want to enforce the use of specific CMKs. Examples include Amazon S3, Amazon EBS, or AWS Lambda.
  2. Identify the specific CMK(s) that you want to enforce for encryption. These CMKs could be existing keys or ones that you need to create. (In the Cloudanix Console, navigate to “Misconfig” page and look for Affected Assets for “Existence of specific AWS KMS CMKs” Policy.)
  3. Follow the steps specific to the service you are working with: a. Amazon S3:
    • Open the S3 console and navigate to the bucket for which you want to enforce CMK usage.
    • Click on the “Properties” tab.
    • Scroll down to the “Default encryption” section.
    • Enable default encryption and select “AWS Key Management Service (AWS KMS)” as the encryption type.
    • Choose the desired CMK(s) from the drop-down list.
    • Click “Save” to apply the changes. b. Amazon EBS:
    • Open the EC2 console and navigate to the “EBS Volumes” page.
    • Select the EBS volume for which you want to enforce CMK usage.
    • From the “Actions” menu, choose “Modify Volume”.
    • In the “Modify Volume” dialog box, select the desired CMK from the “Encryption” section.
    • Click “Modify” to apply the changes. c. AWS Lambda:
    • Open the Lambda console and navigate to the function for which you want to enforce CMK usage.
    • Click on the “Configuration” tab.
    • Scroll down to the “Encryption configuration” section.
    • Enable encryption in transit and select “Use AWS Key Management Service (AWS KMS) key” as the encryption key type.
    • Choose the desired CMK from the drop-down list.
    • Click “Save” to apply the changes.
  4. Repeat the steps for each service or resource where you want to enforce the use of specific CMKs.

Additional Reading: