Configuration to create an AWS KMS Customer Master Key (CMK).

Configuration to create an AWS KMS Customer Master Key (CMK) with automatic key rotation enabled.

Configuration to create a Multi-Region AWS KMS Customer Master Key (CMK) with automatic key rotation enabled

Configuration to create an AWS KMS Replica Customer Key based on an existing multi-region key

This template creates a multi-Region replica key in the local Region based on a multi-Region primary key in the US West (Oregon) (us-west-2) Region. The template specifies a description, a key policy, and a waiting period for key deletion (PendingWindowInDays). These properties are independent of the primary key and related replica keys in other AWS Regions.

This template creates a multi-Region primary key. The key policy allows a specific IAM user to manage the key and another IAM user to view and use the key in cryptographic operations. The template enables key rotation and sets a pending window of 10 days.

This template creates an with Key Policy for Users and Administrators. The key policy allows a specific IAM user to manage the key and another IAM user to generate and verify MACs using the key.

This template creates an RSA asymmetric KMS key for signing and verification. The key policy allows a specific IAM user to manage the key and another IAM user to use the key for signing and verification.

This template creates a symmetric encryption KMS key with a resource tag. The key policy allows a specific IAM user to manage the key.

This template creates a symmetric encryption KMS key. The key policy allows a specific IAM user to manage the key and another IAM user to view and use the key in cryptographic operations. The template also enables key rotation and sets a pending window of 20 days.

This template creates an alias for a KMS key. The alias is identified by the name 'alias/exampleAlias' and is associated with the KMS key referenced by 'myKey'.

A configuration package to monitor KMS related API activity as well as configuration compliance rules to ensure the security of AWS KMS configuration. The package includes Config Rules, CloudWatch Alarms, and CloudWatch Event Rules, and uses SNS to deliver email notifications. The package also includes configuration to enable the required AWS logging services: AWS CloudTrail, Config, and CloudWatch log groups

A config rule that checks that key rotation is enabled for each customer master key (CMK). The rule is COMPLIANT, if the key rotation is enabled for specific key object. The rule is not applicable to CMKs that have imported key material.

A config rule that checks that Customer Managed keys are not scheduled for deletion

Alarm if customer created CMKs get disabled or scheduled for deletion.

A CloudWatch Alarm that triggers on changes to customer created CMKs: Key creation, deletion, or enabling/disabling operations, as well as updates to CMK Key policies.

A CloudWatch Event Rule that detects KMS Customer Master Key (CMK) changes and publishes change events to an SNS topic for notification.

A CloudWatch Event Rule that triggers on AWS KMS Customer Master Key (CMK) deletion events.

A CloudWatch Event Rule that triggers on AWS KMS Customer Master Key (CMK) rotation events.

A CloudWatch Event Rule that triggers on AWS KMS Customer Master Key (CMK) imported material expiration events.

An IAM policy that allows IAM users read-only access to the AWS KMS console. That is, users can use the console to view all CMKs, but they cannot make changes to any CMKs or create new ones.

An IAM policy that allows IAM users to successfully request that AWS KMS encrypt and decrypt data with any CMK in the specified AWS account and region.

An IAM policy that allows IAM users to successfully request that AWS KMS encrypt and decrypt data with a specific CMK.

An IAM policy that prevents a user from disabling or deleting any CMKs, even when another IAM policy or a key policy allows these permissions.

This SCP prevents users or roles in any affected account from deleting KMS keys, either directly as a command or through the console.