Description:

AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.


Rationale:

Exposed KMS keys would have a negative effect if an external threat actor gained access to this information.


Remediation:

Enabling and disabling CMKs (console): you can enable and disable customer managed CMKs from the IAM section of the AWS Management Console.

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
  3. In the navigation pane, choose Customer managed keys.
  4. Select the check box for the CMKs that you want to enable or disable.
  5. To enable a CMK, choose Key actions, Enable. To disable a CMK, choose Key actions, Disable.
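As an added example (not part of the original check text), the following Python inspects a KMS key policy document for Allow statements that grant use of the key to any AWS principal without a restricting Condition, which is one common meaning of an exposed key; the account ID, organization ID and policy below are constructed sample data, and the assumption about what counts as "exposed" is ours.

```python
import json

# Added example, not from the original check. Assumes "exposed" means an Allow
# statement whose Principal is "*" (or {"AWS": "*"}) with no Condition.
# The account ID, organization ID and policy below are constructed sample data.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "PublicDecrypt", "Effect": "Allow", "Principal": "*",
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": "*",
         "Action": "kms:Decrypt", "Resource": "*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    ],
})


def _principal_is_wildcard(principal) -> bool:
    """True when the Principal element matches every AWS principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def find_exposing_statements(policy_json: str) -> list:
    """Return Sids (or Statement[i]) of unconditioned Allow statements open to any principal."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    # A policy may carry a single statement object instead of a list.
    statements = [statements] if isinstance(statements, dict) else statements
    exposing = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        # A wildcard principal scoped by a Condition (e.g. aws:PrincipalOrgID)
        # is not reported; only an unconditioned wildcard is.
        if _principal_is_wildcard(stmt.get("Principal")) and not stmt.get("Condition"):
            exposing.append(stmt.get("Sid", f"Statement[{idx}]"))
    return exposing


if __name__ == "__main__":
    print("exposing statements:", find_exposing_statements(SAMPLE_POLICY))
```

A key whose policy reports any statement here is a candidate for the Disable step above (or for tightening the policy) while the exposure is investigated.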


Reference:

https://aws.amazon.com/kms/