
Ensure a customer created Customer Master Key (CMK) is created for the App-tier

Details

AWS Key Management Service (KMS) provides AWS-managed Customer Master Keys (CMKs) by default. Customers can also create their own CMKs, which allows them to configure key rotation and a key policy that is applied to the customer-created CMK.

You can use the key policy by itself to control who has access to the CMK and what actions each identity can perform. Controlling access this way specifies the full scope of access to the CMK in a single document (the key policy).

Customer created CMKs can be used for:

* AWS service-level encryption (e.g. EBS, RDS, S3)

* Key management for file/application level encryption

Creating your own CMK also enforces the principle of least privilege on key ownership and usage.

Solution

Using the Amazon unified command line interface:

* If there is no alias listed for the App tier, create a new KMS key and note the “KeyId” element of the response:

aws kms create-key

* Create an alias for the App tier key using the above KeyId:

aws kms create-alias --alias-name __ --target-key-id __
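The two steps above, applied idempotently so the key is only created when no App-tier alias is bound yet. This is an added example, not part of the CIS benchmark text; the alias name alias/app-tier, the --query flattening of the list-aliases output, and the final enable-key-rotation step are assumptions.

```shell
#!/bin/sh
# Added example: check for the App-tier CMK alias and remediate only if absent.
# Assumed (not from the CIS page): alias name, --query shape, rotation step.
set -eu

APP_TIER_ALIAS="${APP_TIER_ALIAS:-alias/app-tier}"

# key_id_for_alias ALIAS
# Reads "AliasName<TAB>TargetKeyId" lines on stdin (the shape produced by
# `aws kms list-aliases --query 'Aliases[].[AliasName,TargetKeyId]' --output text`).
# Prints the key id bound to ALIAS and exits 0; exits 1 when the alias is
# missing or unbound (the CLI prints "None" for a missing TargetKeyId).
key_id_for_alias() {
  awk -F'\t' -v a="$1" '
    $1 == a && $2 != "None" { print $2; found = 1 }
    END { exit !found }'
}

# ensure_app_tier_key
# Audit first; create the key and alias only when the audit fails.
ensure_app_tier_key() {
  if key_id=$(aws kms list-aliases \
                --query 'Aliases[].[AliasName,TargetKeyId]' --output text \
              | key_id_for_alias "$APP_TIER_ALIAS"); then
    echo "$APP_TIER_ALIAS is already bound to key $key_id"
    return 0
  fi
  # Step 1: create the customer CMK and capture its KeyId.
  key_id=$(aws kms create-key --description "App-tier CMK" \
             --query KeyMetadata.KeyId --output text)
  # Step 2: bind the App-tier alias to that KeyId.
  aws kms create-alias --alias-name "$APP_TIER_ALIAS" --target-key-id "$key_id"
  # Rotation is the benefit the control cites for customer-created CMKs,
  # so turn it on as part of remediation (assumed extra step).
  aws kms enable-key-rotation --key-id "$key_id"
  echo "created key $key_id and bound $APP_TIER_ALIAS to it"
}

# Only call AWS when explicitly asked: `sh app_tier_cmk.sh apply`
case "${1:-}" in
  apply) ensure_app_tier_key ;;
esac
```

Run with `apply` in a shell that has AWS CLI credentials for the target account; without an argument the script only defines the functions.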

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: amazon_aws.

References

Source

Updated on July 16, 2022
