Ensure customer master key (CMK) is not disabled for AWS Key Management Service (KMS)

HIGH

Description

Using customer managed keys gives administrators control over how data is encrypted, which helps meet compliance regulations and allows a more specific key rotation period. Relying on system-generated keys can leave expired or exposed keys in use, putting the data they protect at risk. Using a customer managed key is recommended wherever the service supports it.

Remediation

In the AWS Console:

  1. Sign in to the AWS Console and open the KMS Console.
  2. Under Customer managed keys, choose the key you wish to edit.
  3. If the Status shows Disabled, under the Key Actions drop-down, select Enable.

In Terraform:

  1. In the aws_kms_key resource, ensure the is_enabled argument is set to true.
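
The check below is an added example (not part of this rule page or the Terraform provider) that flags the misconfiguration this rule describes in the JSON output of `terraform show -json <planfile>`; the sample plan it reads is constructed inline, and a key that omits is_enabled is treated as enabled because that is the provider's default for the argument.

```python
"""Flag aws_kms_key resources planned with is_enabled = false (AC_AWS_0159)."""
import json


def iter_resources(module):
    """Yield every resource in a plan module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_disabled_kms_keys(plan):
    """Return addresses of managed aws_kms_key resources whose is_enabled is false.

    A key with no is_enabled attribute counts as enabled, matching the
    aws_kms_key argument's default of true.
    """
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "aws_kms_key" or res.get("mode") != "managed":
            continue
        values = res.get("values") or {}
        if values.get("is_enabled", True) is False:
            findings.append(res["address"])
    return findings


# Constructed sample of `terraform show -json` output, trimmed to the fields
# the check reads; not real plan output from any project.
SAMPLE_PLAN = json.loads("""
{
  "format_version": "1.0",
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "aws_kms_key.logs", "mode": "managed", "type": "aws_kms_key",
         "name": "logs", "values": {"description": "log bucket key", "is_enabled": false}},
        {"address": "aws_kms_key.db", "mode": "managed", "type": "aws_kms_key",
         "name": "db", "values": {"description": "rds key", "is_enabled": true}}
      ],
      "child_modules": [
        {"address": "module.backup", "resources": [
          {"address": "module.backup.aws_kms_key.vault", "mode": "managed",
           "type": "aws_kms_key", "name": "vault", "values": {"description": "vault key"}}
        ]}
      ]
    }
  }
}
""")

if __name__ == "__main__":
    for address in find_disabled_kms_keys(SAMPLE_PLAN):
        print(f"AC_AWS_0159: {address} sets is_enabled = false")
```

Run it against a real plan by replacing SAMPLE_PLAN with `json.load(open("plan.json"))`; only the logs key in the sample is reported, since the db key is explicitly enabled and the vault key inherits the default.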

References:
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key

Policy Details

Rule Reference ID: AC_AWS_0159
CSP: AWS
Remediation Available: Yes
Domain: Resilience
Resource: aws_kms_key
Resource Category: Management

Frameworks