Ensure KMS Customer Master Key (CMK) In Use


KMS CMK customer-managed keys should be used in your account instead of AWS managed-keys in order to have full control over your data encryption and decryption process. KMS CMK customer-managed keys can be used to encrypt and decrypt data for multiple AWS components such as S3, Redshift, EBS, and RDS.


1. Login to the AWS Management Console.

2. Navigate to KMS dashboard.

3. In the left navigation panel, click Encryption Keys.

4. Click Create Key button from the top menu.

5. Enter an alias (name) and a description for the new CMK, then click Next Step.

6. Enter the tag key and tag value for the key

7. Under Key Administrators section, select which IAM users and/or roles can administer the CMK, then click Next Step.

8. Under This Account section, select which IAM users and/or roles can use the CMK to encrypt/decrypt data with the AWS KMS API.

9. (Optional) Under Other AWS Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt data. The owners of the external AWS accounts must also provide access to this CMK by creating policies for their IAM users.

10. Click Next Step.

11. Under Preview Key Policy section, click Finish to create your new CMK. Once the key is created, the KMS dashboard will display a confirmation message: “Your master key was created successfully. Alias: MyEBSDataCMK

12. Now the CMK must be implemented to encrypt/decrypt the EBS volume data. Navigate to EC2 dashboard.

13. Now create or update resources to use new KMS CMK key that is created by you.







We are now live on AWS Marketplace.
The integrated view of your cloud infrastructure is now easier than ever!