I'm currently using a single customer master key (CMK) for encryption across multiple AWS data services, including Redshift, RDS, EBS, and Redis. While I know this isn't the best practice, at least the data is encrypted at rest. I'm wondering if having one CMK is a satisfactory starting point for becoming SOC2 compliant. We're considering breaking this CMK into separate keys for each specific AWS service, such as `prod-redshift-cmk`, `prod-rds-cmk`, `prod-ebs-cmk`, and `prod-cache-cmk`. Is it better to go with multiple keys, or is a single `prod-data-cmk` sufficient?
1 Answer
Using a single CMK can meet SOC2 requirements since auditors look for evidence of encryption at rest and control over the key—not necessarily how many keys you have. However, splitting your keys has its advantages: it limits blast radius (if one key fails, not all services are affected), allows you to enforce least privilege through scoped key policies, makes it easier to analyze CloudTrail logs, and simplifies key rotation processes. Your plan to create specific keys is solid and I’d recommend adding S3 and Secrets Manager if they’re in use, but avoid getting too granular—`prod-redshift-cmk` is good, but `prod-us-east-1-redshift-primary-cmk-v2` is overkill! Also, consider monitoring your CMKs for better oversight.
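To make the "scoped key policies" point concrete, here is an added example (not from the original answer) that generates a per-service KMS key policy for each of the keys proposed in the question and runs a quick review over it. The account id, region and role names are placeholder assumptions; the `kms:ViaService` values are the documented ones for RDS, Redshift, EBS (which calls KMS through EC2) and ElastiCache.

```python
import json

# Constructed values: account id, region and role names are placeholders.
ACCOUNT = "111122223333"
REGION = "us-east-1"
# kms:ViaService value each AWS service presents when it uses the key for you.
SERVICE_ENDPOINTS = {
    "prod-redshift-cmk": f"redshift.{REGION}.amazonaws.com",
    "prod-rds-cmk": f"rds.{REGION}.amazonaws.com",
    "prod-ebs-cmk": f"ec2.{REGION}.amazonaws.com",  # EBS goes through EC2
    "prod-cache-cmk": f"elasticache.{REGION}.amazonaws.com",
}
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]


def build_key_policy(alias: str, user_role: str) -> dict:
    """Scoped key policy for one per-service CMK.

    The account root keeps admin rights so the key can never become
    unmanageable; the workload role may only use the key through the one
    service the key exists for (kms:ViaService). That condition is what turns
    a per-service key into a real least-privilege boundary rather than a
    naming convention. Services that create grants (RDS, EBS) additionally
    need kms:CreateGrant limited with kms:GrantIsForAWSResource."""
    via = SERVICE_ENDPOINTS[alias]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableRootAdmin", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "UseViaServiceOnly", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/{user_role}"},
             "Action": USE_ACTIONS, "Resource": "*",
             "Condition": {"StringEquals": {"kms:ViaService": via}}},
        ],
    }


def policy_findings(policy: dict) -> list:
    """Review checks over a key policy: flag wildcard principals and any
    non-admin Allow without a kms:ViaService condition (a statement that
    would let the key be used from anywhere, not just the intended service)."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"{st['Sid']}: wildcard principal")
        cond = json.dumps(st.get("Condition", {}))
        if st["Action"] != "kms:*" and "kms:ViaService" not in cond:
            findings.append(f"{st['Sid']}: no kms:ViaService scoping")
    return findings
```

Running `policy_findings` against every key policy before creation (or in a periodic audit job) gives you the per-key evidence an auditor asks for.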

That makes a lot of sense! Right now, we're mainly focused on at-rest encryption with our `prod-data-cmk`. But as we grow, separating these keys will be important, especially since we transfer snapshots across regions. Your insights definitely help with our SOC2 compliance—thanks!