Ensure KMS Customer Master Keys (CMKs) are used for encryption for AWS Storage Gateway Volumes

HIGH

Description

Using customer managed keys gives administrators control over how data is encrypted, which helps meet compliance requirements and allows a more specific key rotation period. Relying on system-generated keys can leave expired or exposed keys in use, leaving data insecure. It is often recommended to use a customer managed key wherever the service supports it.

Remediation

Once a storage volume has been created, the encryption key cannot be changed and a new volume will need to be created with the appropriate settings. For more information on the limitations of volume encryption, or for steps on creating the gateway and volume to suit your needs, see the AWS documentation.

In Terraform -

  1. In the aws_storagegateway_cached_iscsi_volume resource, set the kms_encrypted argument to true.
  2. Set the kms_key argument to a valid KMS key ARN (the customer managed key to use for the volume).
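
The following is an added Terraform example, not taken from the original page or the provider documentation, showing the non-compliant volume next to the compliant one. The gateway resource (aws_storagegateway_gateway.example), the instance whose private IP serves as the gateway network interface (aws_instance.example), the KMS key and alias names, and the volume names and sizes are constructed placeholders; only kms_encrypted and kms_key are the arguments the remediation steps refer to.

```hcl
# Added example (not the original page's or the provider's own code).
# aws_storagegateway_gateway.example and aws_instance.example are assumed
# to exist elsewhere in the configuration; names and sizes are constructed.

# Non-compliant: kms_encrypted is omitted (defaults to false), so the volume
# is not protected with a customer managed key (flagged by AC_AWS_0367).
resource "aws_storagegateway_cached_iscsi_volume" "plain_example" {
  gateway_arn          = aws_storagegateway_gateway.example.arn
  network_interface_id = aws_instance.example.private_ip
  target_name          = "example-volume-plain"
  volume_size_in_bytes = 5368709120 # 5 GiB
}

# Customer managed key with automatic rotation enabled. The key policy is
# left at the account default here; in practice restrict it to the
# principals that need to use the gateway volumes.
resource "aws_kms_key" "storagegateway" {
  description             = "CMK for Storage Gateway cached volumes"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "storagegateway" {
  name          = "alias/storagegateway-volumes"
  target_key_id = aws_kms_key.storagegateway.key_id
}

# Compliant: encryption enabled and bound to the CMK ARN.
resource "aws_storagegateway_cached_iscsi_volume" "cmk_example" {
  gateway_arn          = aws_storagegateway_gateway.example.arn
  network_interface_id = aws_instance.example.private_ip
  target_name          = "example-volume-cmk"
  volume_size_in_bytes = 5368709120 # 5 GiB
  kms_encrypted        = true
  kms_key              = aws_kms_key.storagegateway.arn
}
```

Because the encryption key of a volume cannot be changed after creation, adding kms_encrypted and kms_key to an already deployed volume will make Terraform plan a replacement of that volume rather than an in-place update; review the plan output for the resource marked as needing replacement, and migrate any data on the old volume before applying.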

References:
https://docs.aws.amazon.com/storagegateway/latest/vgw/encryption.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/storagegateway_cached_iscsi_volume#kms_encrypted

Policy Details

Rule Reference ID: AC_AWS_0367
CSP: AWS
Remediation Available: Yes
Resource Category: Storage
Resource Type: Storage Gateway

Frameworks