This check assesses AWS KMS customer-managed keys (CMKs) that are in the Enabled state for the multi-Region setting and reports every key whose multi-Region property is enabled.
Risk
A multi-Region key shares its key material across Regions, so access granted in one Region can decrypt data protected in another, eroding confidentiality and data-residency guarantees. A misconfigured key policy or weaker controls around a replica expand the blast radius of the whole key set. For signing or HMAC keys, compromise of any replica allows signatures or MACs to be forged that verify in every Region, undermining integrity and auditability.
prowler aws --checks kms_cmk_not_multi_region
Recommendation
Prefer single-Region keys by default and use multi-Region keys only where there is a documented need. Apply least privilege and separation of duties, and limit who can create or replicate multi-Region keys. Isolate keys per Region, tenant, or workload; standardize key policies and logging across Regions; and retire multi-Region keys that are no longer necessary.
Remediation
- In the AWS Console, go to Key Management Service (KMS) > Customer managed keys
- Identify keys showing Multi-Region: Yes (these FAIL the check)
- Click Create key and ensure Multi-Region is not selected (single-Region)
- Update your services and key aliases to use the new single-Region key
- Re-encrypt or rotate data to the new key where required
- After migration, disable the old multi-Region key and schedule its deletion
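The evaluation the check performs (Enabled customer-managed keys with the multi-Region property set) and the remediation steps above, carried out through the KMS API with boto3 rather than the console, as an added example that is not Prowler's own code. The evaluation runs offline on constructed DescribeKey records embedded below; the live helpers assume `boto3` is installed and credentials are configured, and the key IDs, alias name and description are sample values.

```python
# Added example: evaluation logic for the kms_cmk_not_multi_region finding
# and the API form of the remediation steps. Not Prowler's implementation;
# the key IDs below are constructed sample values.
from typing import Dict, List, Optional


def evaluate_key(metadata: Dict) -> Optional[str]:
    """Classify one DescribeKey KeyMetadata record.

    Returns "FAIL" for an Enabled customer-managed key whose MultiRegion
    property is true, "PASS" for an Enabled single-Region customer-managed
    key, and None when the key is out of scope (AWS-managed keys and keys
    that are not in the Enabled state are not assessed by the check).
    """
    if metadata.get("KeyManager") != "CUSTOMER":
        return None
    if metadata.get("KeyState") != "Enabled":
        return None
    return "FAIL" if metadata.get("MultiRegion", False) else "PASS"


def finding_message(metadata: Dict) -> str:
    """Human-readable line for a failing key, naming its multi-Region role."""
    role = metadata.get("MultiRegionConfiguration", {}).get("MultiRegionKeyType", "UNKNOWN")
    return f"KMS CMK {metadata['KeyId']} is a multi-Region key ({role})."


def find_multi_region_keys(keys: List[Dict]) -> List[str]:
    """Key IDs of every record that fails the check."""
    return [k["KeyId"] for k in keys if evaluate_key(k) == "FAIL"]


def list_key_metadata(kms) -> List[Dict]:
    """Live collection: DescribeKey for every key in the client's Region."""
    records = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            records.append(kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"])
    return records


def create_key_request(description: str, key_usage: str = "ENCRYPT_DECRYPT") -> Dict:
    """Parameters for kms.create_key(). MultiRegion is set explicitly to False
    instead of relying on the default, so the replacement is single-Region."""
    return {"Description": description, "KeyUsage": key_usage, "MultiRegion": False}


def create_single_region_replacement(kms, alias_name: str, description: str) -> str:
    """Remediation steps 3 and 4: create a single-Region key and repoint the alias."""
    new_key_id = kms.create_key(**create_key_request(description))["KeyMetadata"]["KeyId"]
    kms.update_alias(AliasName=alias_name, TargetKeyId=new_key_id)
    return new_key_id


def retire_old_key(kms, old_key_id: str, pending_window_days: int = 30) -> None:
    """Remediation step 6, to run only after data has been re-encrypted under
    the new key: disable the multi-Region key and schedule its deletion."""
    kms.disable_key(KeyId=old_key_id)
    kms.schedule_key_deletion(KeyId=old_key_id, PendingWindowInDays=pending_window_days)


# Constructed DescribeKey records standing in for a live account.
SAMPLE_KEYS: List[Dict] = [
    {"KeyId": "11111111-1111-1111-1111-111111111111", "KeyManager": "CUSTOMER",
     "KeyState": "Enabled", "MultiRegion": True,
     "MultiRegionConfiguration": {"MultiRegionKeyType": "PRIMARY"}},
    {"KeyId": "22222222-2222-2222-2222-222222222222", "KeyManager": "CUSTOMER",
     "KeyState": "Enabled", "MultiRegion": False},
    {"KeyId": "33333333-3333-3333-3333-333333333333", "KeyManager": "AWS",
     "KeyState": "Enabled", "MultiRegion": False},
    {"KeyId": "44444444-4444-4444-4444-444444444444", "KeyManager": "CUSTOMER",
     "KeyState": "Disabled", "MultiRegion": True},
]


if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        if evaluate_key(key) == "FAIL":
            print(finding_message(key))
    # Against a real account: import boto3 and replace SAMPLE_KEYS with
    # list_key_metadata(boto3.client("kms", region_name="us-east-1")), then
    # call create_single_region_replacement(kms, "alias/app-data", "app data key")
    # and, once re-encryption is done, retire_old_key(kms, old_key_id).
```

Only the first sample record is reported: the second is single-Region, the third is AWS-managed, and the fourth is a multi-Region key that is not Enabled, which the check does not assess. `retire_old_key` is deliberately separate from `create_single_region_replacement` so that the re-encryption step sits between them under operator control.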
Resource Type
AwsKmsKey