KMS Encryption for All Services

Required policies for configuring KMS encryption in Turbot:

Global Turbot Policies:

  • AWS > KMS > Default Key ID - Defaults to alias/turbot/default. You can change this to a CMK (customer managed key) to suit your needs.
  • AWS > KMS > Turbot Key - If using the alias/turbot/default key, make sure this policy is set.

CloudTrail:

  • AWS > CloudTrail > Enabled = Enabled
  • AWS > CloudTrail > Log File Validation = Enabled
  • AWS > CloudTrail > Trail Encryption at Rest = Enforce: AWS > CloudTrail > Trail Encryption at Rest KMS Key ID Template
  • AWS > CloudTrail > Trail Encryption at Rest KMS Key ID Template = This can be set to alias/turbot/default or to a custom KMS key.

Note: Unless a KMS key is enforced, CloudTrail log files delivered to S3 are encrypted at rest by AWS with S3-managed AES-256 encryption (SSE-S3). Turbot configures a custom KMS key for log file encryption only when Trail Encryption at Rest is set to Enforce with a KMS Key ID Template.

EC2:

  • AWS > EC2 > Instance Approved
  • AWS > EC2 > Encryption at Rest
  • AWS > EC2 > Instance Approved Root Volume Encryption
  • AWS > EC2 > Snapshot Approved Encryption At Rest
  • AWS > EC2 > Volume Approved Encryption at Rest
  • AWS > EC2 > Volume Encryption at Rest KMS Key ID Template

Note: Turbot can enforce encryption at rest using the Encryption at Rest option. If enabled, Turbot will detect any unencrypted EBS volumes and immediately raise an alarm. Turbot does not delete or quarantine the instance as data migration may be required.

Note: EBS volume encryption has negligible impact on performance, but it is available only on instance types that support EBS encryption, and an existing unencrypted volume cannot be encrypted in place: take a snapshot, copy the snapshot with encryption enabled, and create a new volume from the encrypted copy.

ElasticSearch:

Redshift:

  • AWS > Redshift > Cluster Approved
  • AWS > Redshift > Cluster Approved Encryption at Rest
  • AWS > Redshift > Cluster Encryption at Rest KMS Key ID Template
  • AWS > Redshift > Encryption in Transit

Note: Turbot can enforce encryption at rest for Redshift using the Redshift Encryption at Rest option. If enabled, Turbot can enforce either AWS KMS (the default AWS-managed Redshift KMS key) or KMS (a customer defined KMS key). Turbot does not modify the encryption settings of an existing cluster; if the policy is raised, existing clusters that do not comply raise an alarm. Note: Redshift encryption can degrade performance by 20-40%.

RDS:

  • AWS > RDS > Instance Approved
  • AWS > RDS > Instance Approved Encryption at Rest
  • AWS > RDS > Instance Encryption at Rest KMS Key ID Template

Note: Turbot can enforce encryption at rest for all database engines using the RDS Encryption at Rest option. If enabled, Turbot will detect any unencrypted database instances and immediately raise an alarm. Turbot does not delete or quarantine the instance as data migration may be required.
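
The EC2, Redshift and RDS notes above all describe the same detect-and-alarm behaviour: find resources that are unencrypted or use the wrong key, and report rather than modify them. The following is an added example of that check written as an offline script; it is not Turbot's own code. It takes resource records shaped like the AWS describe API responses (EC2 DescribeVolumes, RDS DescribeDBInstances, Redshift DescribeClusters) and returns findings. The key ARNs, resource identifiers and the assumption that a cluster on the AWS-managed key is reported without a KmsKeyId are all constructed for the example.

```python
"""Offline encryption-at-rest audit mirroring the alarm-only behaviour above.

Added example, not Turbot code. Resource records are shaped like the AWS API
responses (EC2 DescribeVolumes, RDS DescribeDBInstances, Redshift
DescribeClusters). Anything unencrypted, or encrypted with a key other than
the approved one, becomes a Finding; nothing is changed. All key ARNs and
resource records below are constructed.
"""
from dataclasses import dataclass

# The describe APIs report the key as a key ARN, never as an alias, so an alias
# such as alias/turbot/default must be resolved first (e.g. via kms list-aliases).
APPROVED_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # constructed
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/ffffffff-ffff-ffff-ffff-ffffffffffff"    # constructed

# service -> (identifier field, encrypted-flag field) in the describe output
SPECS = {
    "ec2:volume": ("VolumeId", "Encrypted"),
    "rds:instance": ("DBInstanceIdentifier", "StorageEncrypted"),
    "redshift:cluster": ("ClusterIdentifier", "Encrypted"),
}


@dataclass(frozen=True)
class Finding:
    service: str
    resource_id: str
    reason: str


def audit_encryption(service, resources, approved_key_arn, allow_aws_managed=False):
    """Return one Finding per resource that is unencrypted or uses an unapproved key.

    allow_aws_managed=True accepts resources encrypted with the service's
    AWS-managed key, which this example assumes the describe output reports
    with no KmsKeyId (the Redshift "use default Redshift KMS key" case).
    """
    id_field, enc_field = SPECS[service]
    findings = []
    for record in resources:
        rid = record[id_field]
        if not record.get(enc_field, False):
            findings.append(Finding(service, rid, "not encrypted at rest"))
            continue
        key = record.get("KmsKeyId")
        if key is None:
            if not allow_aws_managed:
                findings.append(Finding(service, rid, "AWS-managed key in use, customer key required"))
        elif key != approved_key_arn:
            findings.append(Finding(service, rid, f"unapproved key {key}"))
    return findings


# Constructed sample records, not real account data.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": False},
    {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": True, "KmsKeyId": APPROVED_KEY_ARN},
    {"VolumeId": "vol-0a1b2c3d4e5f60003", "Encrypted": True, "KmsKeyId": OTHER_KEY_ARN},
]
SAMPLE_RDS = [
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True, "KmsKeyId": APPROVED_KEY_ARN},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False},
]
SAMPLE_REDSHIFT = [
    {"ClusterIdentifier": "warehouse", "Encrypted": True},   # AWS-managed key, no KmsKeyId (assumption)
    {"ClusterIdentifier": "scratch", "Encrypted": False},
]

if __name__ == "__main__":
    # Alarm only: print the findings, leave remediation to a human, because an
    # existing EBS volume or RDS instance cannot simply be encrypted in place.
    for service, records, lenient in [
        ("ec2:volume", SAMPLE_VOLUMES, False),
        ("rds:instance", SAMPLE_RDS, False),
        ("redshift:cluster", SAMPLE_REDSHIFT, True),
    ]:
        for finding in audit_encryption(service, records, APPROVED_KEY_ARN, allow_aws_managed=lenient):
            print(f"ALARM {finding.service} {finding.resource_id}: {finding.reason}")
```

Run it as-is to see the alarms for the constructed records; to audit a real account, replace the sample lists with the `Volumes`, `DBInstances` and `Clusters` arrays returned by the respective describe calls and resolve the approved alias to its key ARN first.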

SQS:

  • AWS > SQS > Queue Encryption at Rest
  • AWS > SQS > Queue Encryption at Rest KMS Key ID Template

S3:

  • AWS > S3 > Encryption at Rest
  • AWS > S3 > Encryption at Rest KMS Key ID Template
  • AWS > S3 > Encryption in TransitV2

Note: Turbot supports enforcing encryption at rest with S3-managed keys (SSE-S3), the AWS-managed KMS key for S3 (SSE-KMS with aws/s3), or a customer managed KMS key (SSE-KMS with a CMK).

Turbot can enforce encryption at rest for S3 objects using the S3 Encryption at Rest option. If enabled, Turbot automatically updates the bucket's default encryption settings and bucket policy to enforce it.

Note: AWS > S3 > Encryption in TransitV2 offers more flexibility than AWS > S3 > Encryption in Transit. Customers who are not already using AWS > S3 > Encryption in Transit should use V2 of the policy.

Changes to this option apply only to newly created objects; existing objects are not re-encrypted.
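
The S3 section above says the controls are applied through the bucket's default encryption settings and its bucket policy (at rest) and through a transit policy (TLS only). The block below is an added example of what those two artefacts look like and how the Deny statements behave, written as a self-contained Python script; it is not Turbot's code, and the page does not show the exact statements Turbot writes. It generates a PutBucketEncryption body and a bucket policy that denies non-KMS uploads, uploads with the wrong key, and any request over plain HTTP, then dry-runs constructed request contexts through a small evaluator that follows IAM's rule that a missing condition key satisfies StringNotEquals. The bucket name, key ARN and request contexts are constructed.

```python
"""Generate and dry-run the S3 encryption controls described above.

Added example, not Turbot code. build_bucket_policy() produces Deny statements
enforcing SSE-KMS with one key plus TLS-only access; default_encryption_config()
produces the PutBucketEncryption body; denying_statement() applies the Deny
statements to a request context so edge cases can be checked offline.
Bucket name, key ARN and request contexts are constructed.
"""
import fnmatch
import json

BUCKET = "example-audit-logs"  # constructed
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # constructed
SSE_ALG = "s3:x-amz-server-side-encryption"
SSE_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def default_encryption_config(kms_key_arn):
    """Body for PutBucketEncryption: SSE-KMS by default, bucket keys on to reduce KMS calls."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
        "BucketKeyEnabled": True,
    }]}


def build_bucket_policy(bucket, kms_key_arn, header_required=True):
    """Deny non-KMS uploads, uploads with another key, and any non-TLS request.

    header_required=True also denies uploads that omit the SSE header entirely,
    because a missing key satisfies StringNotEquals in IAM. header_required=False
    adds a Null check so such uploads fall through to the bucket default encryption.
    """
    def sse_condition(key, value):
        cond = {"StringNotEquals": {key: value}}
        if not header_required:
            cond["Null"] = {key: "false"}  # only evaluate when the header is present
        return cond

    objects = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": sse_condition(SSE_ALG, "aws:kms")},
        {"Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": sse_condition(SSE_KEY, kms_key_arn)},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [f"arn:aws:s3:::{bucket}", objects],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


def _condition_matches(operator, key, expected, context):
    """IAM semantics for the three operators used above (no IfExists variants)."""
    actual = context.get(key)
    if operator == "StringNotEquals":
        return actual is None or actual != expected  # absent key counts as a match
    if operator == "Bool":
        return actual is not None and actual.lower() == expected.lower()
    if operator == "Null":
        return (actual is None) == (expected.lower() == "true")
    raise ValueError(f"unsupported operator {operator}")


def denying_statement(policy, action, context):
    """Return the Sid of the first Deny statement that matches the request, else None."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        conditions = [(op, k, v) for op, kv in st.get("Condition", {}).items() for k, v in kv.items()]
        if all(_condition_matches(op, k, v, context) for op, k, v in conditions):
            return st["Sid"]
    return None


# Constructed request contexts, as the policy engine would see them.
TLS = {"aws:SecureTransport": "true"}
REQ_OK = {**TLS, SSE_ALG: "aws:kms", SSE_KEY: KMS_KEY_ARN}
REQ_SSE_S3 = {**TLS, SSE_ALG: "AES256"}
REQ_NO_HEADER = dict(TLS)
REQ_OTHER_KEY = {**TLS, SSE_ALG: "aws:kms", SSE_KEY: "arn:aws:kms:us-east-1:111122223333:key/other"}
REQ_HTTP = {"aws:SecureTransport": "false"}

if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, KMS_KEY_ARN)
    print(json.dumps(default_encryption_config(KMS_KEY_ARN), indent=2))
    print(json.dumps(policy, indent=2))
    for name, ctx in [("ok", REQ_OK), ("sse-s3", REQ_SSE_S3),
                      ("no-header", REQ_NO_HEADER), ("other-key", REQ_OTHER_KEY)]:
        print(f"PutObject {name} -> {denying_statement(policy, 's3:PutObject', ctx)}")
    print(f"GetObject over http -> {denying_statement(policy, 's3:GetObject', REQ_HTTP)}")
```

The `header_required` switch is the practical caveat: with the strict form, a client that relies on the bucket default encryption and sends no SSE header is denied, so either make clients send the header or use the lenient form, which still rejects SSE-S3 and wrong-key uploads while letting header-less uploads pick up the SSE-KMS default.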

WorkSpaces:

  • AWS > WorkSpaces > Workspace Approved Encryption at Rest
  • AWS > WorkSpaces > Workspace Approved Encryption at Rest - Root Volume
  • AWS > WorkSpaces > Workspace Approved Encryption at Rest - User Volume
  • AWS > WorkSpaces > Workspace Encryption at Rest KMS Key ID Template
