By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSIAM PoliciesAmazon ECRRDS Event Subscriptions

By Service Protected

Configuration Packages

Strategy Guides

Other

By Service Protected

By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSIAM PoliciesAmazon ECRRDS Event Subscriptions

Configuration Packages

Strategy Guides

Other

AWS KMS

A collection of AWS Security controls for AWS KMS. Controls include configuration to create KMS keys, IAM policies, CloudWatch events and alarms for monitoring as well as Config rules. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform

KMS
KMS Customer Master Key (CMK)
Add to Stack

Configuration to create an AWS KMS Customer Master Key (CMK).

CloudFormationTerraformAWS CLI
KMS Customer Master Key (CMK) with Automatic Key Rotation
Add to Stack

Configuration to create an AWS KMS Customer Master Key (CMK) with automatic key rotation enabled.

CloudFormationTerraformAWS CLI
Multi-Region KMS Customer Master Key (CMK)
Add to Stack

Configuration to create a Multi-Region AWS KMS Customer Master Key (CMK) with automatic key rotation enabled

CloudFormationAWS CLI
KMS Replica Key
Add to Stack

Configuration to create an AWS KMS Replica Customer Key based on an existing multi-region key

CloudFormationAWS CLI
Monitoring & Compliance Packages
KMS Events and Compliance Rules Package

A configuration package to monitor KMS related API activity as well as configuration compliance rules to ensure the security of AWS KMS configuration. The package includes Config Rules, CloudWatch Alarms, and CloudWatch Event Rules, and uses SNS to deliver email notifications. The package also includes configuration to enable the required AWS logging services: AWS CloudTrail, Config, and CloudWatch log groups

CloudFormationTerraform
Config Rule
KMS CMK Backing Key Rotation Enabled Check
Add to Stack

A config rule that checks that key rotation is enabled for each customer master key (CMK). The rule is COMPLIANT, if the key rotation is enabled for specific key object. The rule is not applicable to CMKs that have imported key material.

CloudFormationTerraformAWS CLI
KMS Keys Not Scheduled for Deletion Check
Add to Stack

A config rule that checks that Customer Managed keys are not scheduled for deletion

CloudFormationTerraformAWS CLI
CloudWatch Alarms
KMS CMKs Disabled or Deleted Alarm
Add to Stack

Alarm if customer created CMKs get disabled or scheduled for deletion.

CloudFormationTerraformAWS CLI
KMS Customer Master Key (CMK) Changes
Add to Stack

A CloudWatch Alarm that triggers on changes to customer created CMKs: Key creation, deletion, or enabling/disabling operations, as well as updates to CMK Key policies.

CloudFormationTerraformAWS CLI
CloudWatch Events
Detect KMS CMK Operations
Add to Stack

A CloudWatch Event Rule that detects KMS Customer Master Key (CMK) changes and publishes change events to an SNS topic for notification.

CloudFormationTerraformAWS CLI
Detect KMS CMK Deletion Events
Add to Stack

A CloudWatch Event Rule that triggers on AWS KMS Customer Master Key (CMK) deletion events.

CloudFormationTerraformAWS CLI
Detect KMS CMK Rotation Events
Add to Stack

A CloudWatch Event Rule that triggers on AWS KMS Customer Master Key (CMK) rotation events.

CloudFormationTerraformAWS CLI
Detect KMS CMK Expiration Events
Add to Stack

A CloudWatch Event Rule that triggers on AWS KMS Customer Master Key (CMK) imported material expiration events.

CloudFormationTerraformAWS CLI
IAM Policy
Allow a User Read-Only Access to All CMKs through the AWS KMS Console
Add to Stack

An IAM policy that allows IAM users read-only access to the AWS KMS console. That is, users can use the console to view all CMKs, but they cannot make changes to any CMKs or create new ones.

CloudFormationTerraformAWS CLI
Allow a User to Encrypt and Decrypt with Any CMK in a Specific AWS Account and Region
Add to Stack

An IAM policy that allows IAM users to successfully request that AWS KMS encrypt and decrypt data with any CMK in the specified AWS account and region.

CloudFormationTerraformAWS CLI
Allow a User to Encrypt and Decrypt with Specific CMKs
Add to Stack

An IAM policy that allows IAM users to successfully request that AWS KMS encrypt and decrypt data with a specific CMK.

CloudFormationTerraformAWS CLI
Prevent a User from Disabling or Deleting Any CMKs
Add to Stack

An IAM policy that prevents a user from disabling or deleting any CMKs, even when another IAM policy or a key policy allows these permissions.

CloudFormationTerraformAWS CLI
Service Control Policy
Prevent Users from Deleting KMS Keys
Add to Stack

This SCP prevents users or roles in any affected account from deleting KMS keys, either directly as a command or through the console.

CloudFormationTerraformAWS CLI
Filter by source
 
KMS
Monitoring & Compliance Packages
Config Rule
CloudWatch Alarms
CloudWatch Events
IAM Policy
Service Control Policy