[text]
This Guidance shows you how to implement a customized key management strategy on AWS. This includes the capability to encrypt data at rest and in transit, provide least privilege access to keys, report on anomalies, and rotate keys based on requirements.
Please note: [Disclaimer]
Architecture Diagram
[text]
Step 1
Deploy and configure an AWS Security Tooling account for central key storage operations and sharing with AWS Organizations.
Step 2
Enable AWS Key Management Service (AWS KMS) automatic key rotation for AWS KMS key lifecycle management.
Step 3
Deploy an AWS Config managed rule to monitor AWS KMS lifecycle management in the Security Tooling account.
Step 4
Configure AWS KMS key policies to allow secure access across Organizations.
Step 5
Use AWS-managed AWS KMS keys and customer managed keys (CMKs) as required by your governance requirements.
Step 6
Use AWS Certificate Manager (ACM) to automate the generation and management of SSL certificates.
Step 7
Enforce Amazon Elastic Block Store (Amazon EBS) volume default behavior to be encrypted on generation. Monitor the encryption using AWS Config managed rules on all Organizations member accounts.
Step 8
Deploy AWS Config managed rules to monitor the encryption of AWS services with network connections.
Step 9
Deploy AWS Config managed rules to monitor the encryption of AWS services with persistent data.
Step 10
Receive notifications for compliance using Amazon Simple Notification Service (Amazon SNS).
Step 1
Deploy and configure an AWS Security Tooling account for central key storage operations and sharing with AWS Organizations.
Step 2
Enable AWS Key Management Service (AWS KMS) automatic key rotation for AWS KMS key lifecycle management.
Step 3
Deploy an AWS Config managed rule to monitor AWS KMS lifecycle management in the Security Tooling account.
Step 4
Configure AWS KMS key policies to allow secure access across Organizations.
Step 5
Use AWS-managed AWS KMS keys and customer managed keys (CMKs) as required by your governance requirements.
Step 6
Use AWS Certificate Manager (ACM) to automate the generation and management of SSL certificates.
Step 7
Enforce Amazon Elastic Block Store (Amazon EBS) volume default behavior to be encrypted on generation. Monitor the encryption using AWS Config managed rules on all Organizations member accounts.
Step 8
Deploy AWS Config managed rules to monitor the encryption of AWS services with network connections.
Step 9
Deploy AWS Config managed rules to monitor the encryption of AWS services with persistent data.
Step 10
Receive notifications for compliance using Amazon Simple Notification Service (Amazon SNS).
Additional Considerations
In cloud computing, a robust encryption and key management capability has become essential for customers. Encryption shields against data breaches and unauthorized access by rendering sensitive information indecipherable to malicious actors. Effective key management supports secure key generation, distribution, rotation, and storage, improving the efficiency of operations management and reducing insider threat risks. Moreover, compliance with various regulations—like the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA)—demands data protection. As a result, encryption and key management are crucial for you to maintain regulatory adherence and foster customer trust. Developing an encryption and key management capability is imperative for you to safeguard data, achieve compliance, and secure sensitive information in the cloud.
Related Content
- Stakeholders: Security (primary), Central IT, Operations
- Supporting Capabilities: Identity Management and Access Control, Governance, Data Isolation, Network Security, Application Security
- For additional information on this capability, refer to Establishing Your Cloud Foundations on AWS.
Disclaimer
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.