KMS Keys Should Not Be Exposed
Any publicly accessible AWS Key Management Service master keys should be identified and their access policy should be updated in order to stop any unsigned requests made to these resources.
Any publicly accessible AWS Key Management Service master keys should be identified and their access policy should be updated in order to stop any unsigned requests made to these resources.
When you enable automatic key rotation, AWS KMS rotates the CMK 365 days after the enable date and every 365 days thereafter.
Any disabled KMS Customer Master Keys in your AWS account should be removed in order to lower the cost of your monthly AWS bill.
KMS key policies should be designed to limit the number of users who can perform encrypt and decrypt operations. Each application should use its own key to avoid over exposure.
Any disabled AWS KMS Customer Master Keys (CMK) that have been accidentally or intentionally scheduled for deletion should be recovered in order to prevent losing any data encrypted with these keys.
There should be one Amazon KMS Customer Master Key (CMK) created in your AWS account for the app tier in order to protect data that transits your AWS application stack, have full control over encryption process, and meet security and compliance requirements.
There should be one Amazon KMS Customer Master Key (CMK) created in your AWS account for the database tier in order to protect data-at-rest available within your AWS web stack, have full control over encryption/decryption process, and meet security and compliance requirements.
Ensure that a specific list of AWS KMS Customer Master Keys (CMKs) are available for use in your AWS account in order to meet strict security and compliance requirements in your organization.
All your AWS Key Management Service keys should be configured to be accessed only by trusted AWS accounts in order to protect against unauthorized cross account access. This will help prevent data breaches and loss.
You should have KMS CMK customer-managed keys in use in your account instead of AWS managed-keys in order to have full control over your data encryption and decryption process.
There should be one Amazon KMS Customer Master Key (CMK) created in your AWS account for the web tier in order to protect data that transits your AWS web stack, have full control over data encryption/decryption process, and meet compliance requirements.
If you are not yet convinced to sign up with Cloudanix, that's not a problem. We recommend you use a comprehensive checklist which your team can use to perform a manual assessment of your workload.