AWS KMS

The best practices and references below are based on guidance published by the cloud service provider and may refer to native capabilities that provider offers. If you do not use those native security capabilities, the same security requirement can be met with other security capabilities your organization already uses.

Establish a Key Management Plan

Design Guidance:

AWS::KMS::Alias

Alias Name (Terraform: aws_kms_alias.name)
Target Key Id (Terraform: aws_kms_alias.target_key_id)

AWS::KMS::Key

Description (Terraform: aws_kms_key.description)
Enabled (Terraform: aws_kms_key.is_enabled)
Key Usage (Terraform: aws_kms_key.key_usage)

AWS::KMS::DescribeKey

Describe Key: Customer Master Key Spec (KeyMetadata.CustomerMasterKeySpec, deprecated in favor of KeyMetadata.KeySpec)
Describe Key: Custom Key Store Id (KeyMetadata.CustomKeyStoreId)
Describe Key: Origin (KeyMetadata.Origin: AWS_KMS, EXTERNAL, AWS_CLOUDHSM or EXTERNAL_KEY_STORE)

AWS::KMS::DescribeCustomKeyStores

Describe Custom Key Stores: Cloud Hsm Cluster Id (CustomKeyStores[].CloudHsmClusterId)
Describe Custom Key Stores: Custom Key Store Name (CustomKeyStores[].CustomKeyStoreName)
Describe Custom Key Stores: Trust Anchor Certificate (CustomKeyStores[].TrustAnchorCertificate)

Limit Key Lifetime and Rotate Keys

Design Guidance:

AWS::KMS::Key

Enable Key Rotation (Terraform: aws_kms_key.enable_key_rotation; automatic rotation applies only to symmetric keys whose material was generated by KMS)

Data Retention

Design Guidance:

AWS::KMS::Key

Pending Window In Days (Terraform: aws_kms_key.deletion_window_in_days, 7 to 30 days)

Asset Inventory

Design Guidance:

AWS::KMS::Key

Tags (Terraform: aws_kms_key.tags)
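The following Terraform configuration is an added example, not code from the original page or from the cloud provider; it applies every property listed in the four sections above (key management plan, rotation, data retention, asset inventory) to a single key and alias, and turns the DescribeKey fields (Key Spec, Custom Key Store Id, Origin) into a post-apply check. The key name, alias, region, tag values and team names are assumptions; the check block assumes Terraform 1.5 or later and a 5.x AWS provider. The example assumes standard KMS-generated key material, so the DescribeCustomKeyStores fields do not apply to it.

```hcl
# Added example (not from the original page). Names, region and tags are assumptions.

terraform {
  required_version = ">= 1.5" # check blocks with scoped data sources need 1.5+
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumption
}

# Establish a Key Management Plan: Description, Enabled, Key Usage
resource "aws_kms_key" "app_data" {
  description = "Envelope-encryption key for the orders service (owner: payments-team)"
  is_enabled  = true
  key_usage   = "ENCRYPT_DECRYPT" # alternatives: SIGN_VERIFY, GENERATE_VERIFY_MAC

  # Automatic rotation is only supported for symmetric keys with KMS-generated
  # material; an asymmetric spec here would make enable_key_rotation fail.
  customer_master_key_spec = "SYMMETRIC_DEFAULT"

  # Limit Key Lifetime and Rotate Keys: KMS generates new backing material on
  # its rotation schedule and keeps old material for decrypting existing data.
  enable_key_rotation = true

  # Data Retention: ScheduleKeyDeletion waits this many days (7-30) before the
  # material is destroyed. Data encrypted under a deleted key is unrecoverable,
  # so keep the maximum window and alert on keys entering PendingDeletion.
  deletion_window_in_days = 30

  # Asset Inventory: tags drive ownership lookup and tag-based policy conditions.
  tags = {
    Name        = "orders-app-data"
    Owner       = "payments-team"
    Environment = "prod"
    DataClass   = "pci"
  }
}

# Alias Name / Target Key Id: applications reference the alias, so the key
# behind it can be replaced (manual rotation) without a code or config change.
resource "aws_kms_alias" "app_data" {
  name          = "alias/orders/app-data"
  target_key_id = aws_kms_key.app_data.key_id
}

# DescribeKey fields surfaced as a post-apply check: plan/apply warns if the
# key ever drifts to imported material or a custom key store this plan does
# not expect. The data source exposes the same KeyMetadata fields as DescribeKey.
check "key_material_source" {
  data "aws_kms_key" "audit" {
    key_id = aws_kms_key.app_data.key_id
  }

  assert {
    condition     = data.aws_kms_key.audit.origin == "AWS_KMS"
    error_message = "Key material must be generated by KMS (Origin=AWS_KMS); imported material is not auto-rotated."
  }

  assert {
    condition     = data.aws_kms_key.audit.custom_key_store_id == ""
    error_message = "Key unexpectedly lives in a custom key store; rotation and retention settings above assume standard KMS."
  }

  assert {
    condition     = data.aws_kms_key.audit.customer_master_key_spec == "SYMMETRIC_DEFAULT"
    error_message = "Expected a SYMMETRIC_DEFAULT key; enable_key_rotation is only valid for symmetric keys."
  }
}
```

Run `terraform plan` to review the key before creating it; the `check` block runs on every plan and apply, so a later change that imports external material, moves the key into a custom key store, or switches the spec to an asymmetric type surfaces as a warning rather than going unnoticed.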