Ensure that your AWS X-Ray trace data is encrypted with Amazon KMS Customer Master Keys (CMKs) instead of AWS managed keys (i.e. the default key that the Amazon X-Ray service uses when no customer master key has been configured for traces), in order to have more control over the trace data encryption/decryption process and to meet compliance and/or internal requirements. AWS X-Ray is a managed service that collects data about the requests your cloud application serves and provides tools you can use to view, filter and gain insight into that request data, so that you can identify issues and opportunities for performance optimization.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
By default, Amazon X-Ray encrypts trace data using an AWS managed key named "aws/xray". To gain full control over the key used for your AWS X-Ray encryption, you need to create your own KMS Customer Master Key (CMK) and configure X-Ray to use it. AWS KMS then lets you rotate, disable and audit the CMK that protects your X-Ray traces.
Audit
To determine the encryption configuration for your AWS X-Ray traces, perform the following actions:
Remediation / Resolution
To configure AWS X-Ray to encrypt traces and related data at rest with your own AWS KMS Customer Master Key (CMK), perform the following:
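The audit and the remediation can both be scripted with the AWS CLI commands listed under References (xray get-encryption-config / put-encryption-config, kms create-key / create-alias / describe-key). The script below is an added example and is not Conformity's own audit or remediation procedure. It assumes the AWS CLI is installed with credentials for the account under audit and that AWS_REGION selects the region to check (X-Ray encryption settings are regional, so run it once per region you use); the alias name "alias/xray-trace-key" and the sample JSON documents are constructed for this example.

```shell
#!/bin/sh
# Added example (not Conformity's own steps): audit and remediate the X-Ray
# trace encryption setting with the AWS CLI. Assumes the CLI is configured with
# credentials for the account being audited and that AWS_REGION is set.
set -eu

# Extract a string field from a small JSON document using only tr/sed, so the
# audit check also works on a minimal host without jq.
json_field() {
  # $1 = JSON text, $2 = field name
  printf '%s' "$1" | tr -d ' \n\t' | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Classify the output of `aws xray get-encryption-config`.
# Prints KMS      - a customer key is configured and active (compliant)
#        UPDATING - a key change is still being applied
#        DEFAULT  - the AWS managed key aws/xray is in use (non-compliant)
#        UNKNOWN  - the input could not be parsed
xray_encryption_status() {
  type=$(json_field "$1" Type)
  status=$(json_field "$1" Status)
  case "$type/$status" in
    KMS/ACTIVE) echo KMS ;;
    */UPDATING) echo UPDATING ;;
    NONE/*)     echo DEFAULT ;;
    *)          echo UNKNOWN ;;
  esac
}

# Exit status 0 only when the configuration satisfies the rule.
xray_is_compliant() {
  [ "$(xray_encryption_status "$1")" = KMS ]
}

# Audit the current region: fetch the live configuration and report it. When a
# KMS key is configured, also show whether KMS reports it as CUSTOMER managed
# rather than AWS managed.
audit_xray_encryption() {
  cfg=$(aws xray get-encryption-config --output json)
  result=$(xray_encryption_status "$cfg")
  echo "X-Ray trace encryption in ${AWS_REGION:-default region}: $result"
  if [ "$result" = KMS ]; then
    key_id=$(json_field "$cfg" KeyId)
    aws kms describe-key --key-id "$key_id" \
      --query 'KeyMetadata.KeyManager' --output text
  fi
}

# Remediate: create a customer-managed CMK, give it an alias, and point X-Ray
# at it. The alias name is a placeholder chosen for this example.
remediate_xray_encryption() {
  alias_name="${1:-alias/xray-trace-key}"
  key_id=$(aws kms create-key --description "X-Ray trace data key" \
             --query 'KeyMetadata.KeyId' --output text)
  aws kms create-alias --alias-name "$alias_name" --target-key-id "$key_id"
  aws xray put-encryption-config --type KMS --key-id "$alias_name"
  # The change is applied asynchronously (Status is UPDATING until it lands).
  until [ "$(xray_encryption_status "$(aws xray get-encryption-config --output json)")" = KMS ]; do
    sleep 5
  done
  echo "X-Ray now encrypts traces with $alias_name"
}

# Constructed samples of get-encryption-config output, so the parser can be
# exercised without AWS access: an account on the default key, and one using a CMK.
SAMPLE_DEFAULT='{"EncryptionConfig": {"Status": "ACTIVE", "Type": "NONE"}}'
SAMPLE_KMS='{"EncryptionConfig": {"KeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID", "Status": "ACTIVE", "Type": "KMS"}}'

case "${1:-}" in
  audit)     audit_xray_encryption ;;
  remediate) remediate_xray_encryption "${2:-}" ;;
  *)         # No argument: dry run against the constructed samples only.
             echo "sample default account: $(xray_encryption_status "$SAMPLE_DEFAULT")"
             echo "sample CMK account:     $(xray_encryption_status "$SAMPLE_KMS")" ;;
esac
```

Run `sh xray-encryption.sh audit` in each region to see whether the rule passes, and `sh xray-encryption.sh remediate` to create a key and switch X-Ray to it. The classifier treats only Type KMS with Status ACTIVE as compliant, so a change that is still UPDATING is reported separately instead of being counted as a pass.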
References
- AWS Documentation
  - What Is AWS X-Ray?
  - Configuring Encryption Settings in the AWS X-Ray Console
  - AWS Key Management Service Concepts
  - Creating Keys
- AWS Command Line Interface (CLI) Documentation
  - xray
    - get-encryption-config
    - put-encryption-config
  - kms
    - describe-key
    - create-key
    - create-alias
Rule: X-Ray Data Encrypted With KMS Customer Master Keys
Risk Level: High