Skip to main content

New Customer Master Key

This alert occurs when Lacework detects the creation of a new AWS customer master key.

Why this Alert is Important

A customer master key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state. The CMK also contains the key material used to encrypt and decrypt data. Because this is one of the primary keys to encrypt or decrypt data in the environment, it is important to safeguard the key material. If an attacker creates a new CMK, it would give the attacker the key material to decrypt data in your AWS environment.

Investigation

Search the audit logs to ensure only authorized individuals have access to create and delete the CMKs. Where possible, ensure secure key material that aligns with the organization standards is used. Search for details about whether it is a customer-managed CMK or an AWS-managed CMK.

Resolution

Ensure that all the CMK-related activities are managed by a system administrator with MFA enabled.

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html