AWS-KMS-CMK-uses-external-key-material

Severity: High

Description: The control ensures that the symmetric customer managed KMS key uses external key material. A customer managed AWS KMS symmetric key can use either AWS managed key material or external key material to encrypt data. When using external key material, the customer has to provide and manage the key material and has full control over the key.
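The control's check logic over `describe-key` metadata, as an added example that is not part of this page or Blue Hexagon's tooling: it works on a constructed sample of `KeyMetadata` entries (boto3-style `datetime` for `ValidTo`) and goes slightly beyond the control by also warning on external-origin keys whose material has not been imported yet or expires within 30 days.

```python
"""Audit KMS KeyMetadata for the 'CMK uses external key material' control."""
from datetime import datetime, timedelta, timezone

# Constructed sample mimicking `aws kms describe-key` KeyMetadata (not real keys).
SAMPLE_KEYS = [
    {"KeyId": "key-aws-managed", "KeyManager": "AWS", "KeySpec": "SYMMETRIC_DEFAULT",
     "Origin": "AWS_KMS", "KeyState": "Enabled"},
    {"KeyId": "key-cmk-native", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "Origin": "AWS_KMS", "KeyState": "Enabled"},
    {"KeyId": "key-cmk-external", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "Origin": "EXTERNAL", "KeyState": "Enabled",
     "ExpirationModel": "KEY_MATERIAL_EXPIRES",
     "ValidTo": datetime(2030, 1, 1, tzinfo=timezone.utc)},
    {"KeyId": "key-cmk-pending", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "Origin": "EXTERNAL", "KeyState": "PendingImport"},
    {"KeyId": "key-cmk-rsa", "KeyManager": "CUSTOMER", "KeySpec": "RSA_2048",
     "Origin": "AWS_KMS", "KeyState": "Enabled"},
]

def in_scope(md):
    """The control applies only to customer managed symmetric keys."""
    return md.get("KeyManager") == "CUSTOMER" and md.get("KeySpec") == "SYMMETRIC_DEFAULT"

def evaluate(md, now=None, warn_within=timedelta(days=30)):
    """Return (status, reason) for one KeyMetadata dict.

    PASS : external material imported and not about to expire
    FAIL : AWS-generated material (origin cannot be changed; key must be recreated)
    WARN : external origin but material missing or expiring soon
    SKIP : out of scope for this control
    """
    if not in_scope(md):
        return "SKIP", "not a customer managed symmetric key"
    if md.get("Origin") != "EXTERNAL":
        return "FAIL", f"origin is {md.get('Origin')}; recreate key with imported material"
    if md.get("KeyState") == "PendingImport":
        return "WARN", "external origin but no key material has been imported yet"
    if md.get("ExpirationModel") == "KEY_MATERIAL_EXPIRES":
        now = now or datetime.now(timezone.utc)
        if md["ValidTo"] - now <= warn_within:
            return "WARN", f"imported key material expires at {md['ValidTo'].isoformat()}"
    return "PASS", "uses external key material"

def audit(keys, now=None):
    """Map KeyId -> (status, reason) for every key in the list."""
    return {md["KeyId"]: evaluate(md, now) for md in keys}

if __name__ == "__main__":
    for key_id, (status, reason) in audit(SAMPLE_KEYS).items():
        print(f"{status:4} {key_id}: {reason}")
```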

Remediation Steps:

Perform the following steps to create a new symmetric AWS KMS key with custom key material:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the KMS console.

  3. In the navigation pane on the left side of the console, choose Customer managed keys.

  4. Click the Create key button.

  5. Select Symmetric as the key type.

  6. Expand Advanced options and select External.

  7. Check the box next to the note "I understand the security, availability, and durability implications of using an imported key."

  8. Click Next.

  9. Add alias and tags as needed. Click Next.

  10. Add administrators and key deletion permissions as needed. Click Next.

  11. Add key usage permissions as needed. Click Next.

  12. Review the key policy and click Finish.

  13. Select the wrapping algorithm and click Download wrapping key and import token. Click Next.

  14. Upload the wrapped key material and the import token.

  15. Set the expiration options.

  16. Click Upload key material.

Important:

  • The key material origin cannot be changed after an AWS KMS symmetric key is created. A key with AWS managed key material must be deleted, and either a new symmetric key with custom key material must be created or an existing key with custom key material must be used instead.

  • Deleting a KMS key renders all data encrypted under it unusable. Verify that no required data is still encrypted with the key before the key is deleted.

Reference:

Blue Hexagon Proprietary