AWS KMS Audit

Audit your KMS to safe gaurd your data

What we do?

KMS Keys Should Not Be Exposed

Any publicly accessible AWS Key Management Service master keys should be identified and their access policy should be updated in order to stop any unsigned requests made to these resources.

KMS Key Rotation Should Be Enabled

When you enable automatic key rotation, AWS KMS rotates the CMK 365 days after the enable date and every 365 days thereafter.

Unused Customer Master Key Should Be Removed

Any disabled KMS Customer Master Keys in your AWS account should be removed in order to lower the cost of your monthly AWS bill.

KMS Key Policies Should Be Designed To Limit Number Of KMS Admins

KMS key policies should be designed to limit the number of users who can perform encrypt and decrypt operations. Each application should use its own key to avoid over exposure.

KMS Keys Scheduled For Deletion Should Be Recovered

Any disabled AWS KMS Customer Master Keys (CMK) that have been accidentally or intentionally scheduled for deletion should be recovered in order to prevent losing any data encrypted with these keys.

App-tier KMS Key Should Be In Use

There should be one Amazon KMS Customer Master Key (CMK) created in your AWS account for the app tier in order to protect data that transits your AWS application stack, have full control over encryption process, and meet security and compliance requirements.

Database-tier KMS Key Should Be In Use

There should be one Amazon KMS Customer Master Key (CMK) created in your AWS account for the database tier in order to protect data-at-rest available within your AWS web stack, have full control over encryption/decryption process, and meet security and compliance requirements.

Existence Of Specific AWS KMS CMKs

Ensure that a specific list of AWS KMS Customer Master Keys (CMKs) are available for use in your AWS account in order to meet strict security and compliance requirements in your organization.

KMS Keys Should Not Allow Unknown Cross Account Access

All your AWS Key Management Service keys should be configured to be accessed only by trusted AWS accounts in order to protect against unauthorized cross account access. This will help prevent data breaches and loss.

KMS Customer Master Key Should Be In Use

You should have KMS CMK customer-managed keys in use in your account instead of AWS managed-keys in order to have full control over your data encryption and decryption process.

Web-tier KMS Key Should Be In Use

There should be one Amazon KMS Customer Master Key (CMK) created in your AWS account for the web tier in order to protect data that transits your AWS web stack, have full control over data encryption/decryption process, and meet compliance requirements.


Not ready for a free signup yet? No worries!

We suggest you use the checklist!

If you are not yet convinced to sign up with Cloudanix, that's not a problem. We recommend you use a comprehensive checklist which your team can use to perform a manual assessment of your workload.