Best practices

KMS default keys in use

Risk Level

Informational (4)



It was found that {AwsKmsKey} is an AWS-managed key, which is the default. Check AWS services to ensure the default KMS key is not being used.
  • Recommended Mitigation

    It is recommended to use customer-managed CMKs instead AWS-managed. Customer-managed CMKs enable improved control over the key management process compared to AWS-managed CMKs. With customer-managed CMK, generation, deletion, access policy and scope of use are all in the customer responsibility and control.