A collection of AWS Security controls for AWS KMS. Controls include configuration to create KMS keys, IAM policies, CloudWatch events and alarms for monitoring as well as Config rules. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform

KMS
KMS Customer Master Key (CMK)

Configuration to create an AWS KMS Customer Master Key (CMK).

CloudFormationTerraformAWS CLI
KMS Customer Master Key (CMK) with Automatic Key Rotation

Configuration to create an AWS KMS Customer Master Key (CMK) with automatic key rotation enabled.

CloudFormationTerraformAWS CLI
Multi-Region KMS Customer Master Key (CMK)

Configuration to create a Multi-Region AWS KMS Customer Master Key (CMK) with automatic key rotation enabled

CloudFormationAWS CLI
KMS Replica Key

Configuration to create an AWS KMS Replica Customer Key based on an existing multi-region key

CloudFormationAWS CLI
Multi-Region Replica Key

This template creates a multi-Region replica key in the local Region based on a multi-Region primary key in the US West (Oregon) (us-west-2) Region. The template specifies a description, a key policy, and a waiting period for key deletion (PendingWindowInDays). These properties are independent of the primary key and related replica keys in other AWS Regions.

CloudFormationTerraform
Multi-Region Primary Key

This template creates a multi-Region primary key. The key policy allows a specific IAM user to manage the key and another IAM user to view and use the key in cryptographic operations. The template enables key rotation and sets a pending window of 10 days.

CloudFormationTerraform
HMAC KMS Key with Key Policy for Users and Administrators

This template creates an with Key Policy for Users and Administrators. The key policy allows a specific IAM user to manage the key and another IAM user to generate and verify MACs using the key.

CloudFormationTerraform
Asymmetric KMS Key

This template creates an RSA asymmetric KMS key for signing and verification. The key policy allows a specific IAM user to manage the key and another IAM user to use the key for signing and verification.

CloudFormationTerraform
Symmetric Encryption KMS Key with Resource Tag

This template creates a symmetric encryption KMS key with a resource tag. The key policy allows a specific IAM user to manage the key.

CloudFormationTerraform
Symmetric Encryption KMS Key with Key Policy for Users and Administrators

This template creates a symmetric encryption KMS key. The key policy allows a specific IAM user to manage the key and another IAM user to view and use the key in cryptographic operations. The template also enables key rotation and sets a pending window of 20 days.

CloudFormationTerraform
KMS Key with Alias

This template creates an alias for a KMS key. The alias is identified by the name 'alias/exampleAlias' and is associated with the KMS key referenced by 'myKey'.

CloudFormationTerraform