AWS KMS Audit

Audit your KMS to safe gaurd your data

What we do?

No KMS Key Exposed

Identify any publicly accessible AWS Key Management Service master keys and update their access policy in order to stop any unsigned requests made to these resources.

Addresses: Security

Key Rotation Enabled

When you enable automatic key rotation, AWS KMS rotates the CMK 365 days after the enable date and every 365 days thereafter.

Addresses: Security

Additional Reading:

Unused Customer Master Key

Addresses: Security, Operational Maturity, Cost optimization

Limited number of KMS admins

KMS key policies should be designed to limit the number of users who can perform encrypt and decrypt operations. Each application should use its own key to avoid over exposure.

Addresses: Security

Additional Reading:

KMS Scheduled Deletion

Detects KMS keys that are scheduled for deletion. Deleting a KMS key will permanently prevent all data encrypted using that key from being decrypted. Avoid deleting keys unless no encrypted data is in use.

Addresses: Security

Additional Reading:

App-tier KMS Key in use

Ensure there is one Amazon KMS Customer Master Key (CMK) created in your AWS account for the app tier in order to protect data that transits your AWS application stack, have full control over encryption process, and meet security and compliance requirements.

Addresses: Security

Database-tier KMS Key in use

Ensure there is one Amazon KMS Customer Master Key (CMK) created in your AWS account for the database tier in order to protect data-at-rest available within your AWS web stack, have full control over encryption/decryption process, and meet security and compliance requirements.

Addresses: Security

Existence of specific AWS KMS CMKs

Ensure that a specific list of AWS KMS Customer Master Keys (CMKs) are available for use in your AWS account in order to meet strict security and compliance requirements in your organization.

Addresses: Security

KMS Cross Account Access present

Ensure that all your AWS Key Management Service keys are configured to be accessed only by trusted AWS accounts in order to protect against unauthorized cross account access.

Addresses: Security

KMS Customer Master Key in use

Ensure that you have KMS CMK customer-managed keys in use in your account instead of AWS managed-keys in order to have full control over your data encryption and decryption process.

Addresses: Security

Web-tier KMS Key in use

Ensure there is one Amazon KMS Customer Master Key (CMK) created in your AWS account for the web tier in order to protect data that transits your AWS web stack, have full control over data encryption/decryption process, and meet compliance requirements.

Addresses: Security


Not ready for a free signup yet? No worries!

We suggest you use the checklist!

If you are not yet convinced to sign up with Cloudanix, that's not a problem. We recommend you use a comprehensive checklist which your team can use to perform a manual assessment of your workload.