Ensure that AWS KMS customer managed keys (CMKs) are not multi-region, so that key material stays in a single region and access to it is controlled and audited in one place.
Risk
A multi-region key is a set of interoperable keys that share the same key ID and key material across several AWS Regions. Each replica has its own key policy, grants and aliases, so access control and CloudTrail auditing must be maintained separately in every region, and an over-permissive policy on any one replica can decrypt ciphertext produced by any of them. This wider footprint increases the chance of unauthorized access and data exposure and can conflict with data-residency and compliance requirements.
prowler aws --checks kms_cmk_not_multi_region
Resource ARN format: arn:partition:kms:region:account-id:key/resource-id
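The following is an added example, not Prowler's own check code, showing the logic behind this check: it evaluates the KeyMetadata structure that kms.describe_key returns, treating only customer-managed keys as CMKs and reporting multi-region keys as FAIL together with where the primary or replica keys live. The sample metadata dictionaries, key IDs and ARNs are constructed for the example; the live scan in main() assumes boto3 and AWS credentials are available.

```python
"""Evaluate KMS key metadata for the kms_cmk_not_multi_region condition.

evaluate_key() is a pure function over the KeyMetadata dict returned by
kms.describe_key(); main() wires it to boto3 for a live scan of one region.
"""
from __future__ import annotations

from typing import Optional, Tuple


def evaluate_key(meta: dict) -> Optional[Tuple[str, str]]:
    """Return (status, reason) for a customer-managed key.

    Returns None for keys that are out of scope: KeyManager "AWS" marks
    AWS-managed keys, which are not CMKs and cannot be multi-region anyway.
    """
    if meta.get("KeyManager") != "CUSTOMER":
        return None
    key_id = meta["KeyId"]
    if not meta.get("MultiRegion", False):
        return "PASS", f"KMS CMK {key_id} is a single-region key."

    cfg = meta.get("MultiRegionConfiguration", {})
    if cfg.get("MultiRegionKeyType") == "REPLICA":
        primary = cfg.get("PrimaryKey", {}).get("Region", "unknown")
        return "FAIL", (f"KMS CMK {key_id} is a multi-region replica key; "
                        f"its primary key lives in {primary}.")
    # PRIMARY: list the regions its key material has been replicated to.
    regions = sorted(r["Region"] for r in cfg.get("ReplicaKeys", []))
    where = ", ".join(regions) if regions else "no replicas yet"
    return "FAIL", (f"KMS CMK {key_id} is a multi-region primary key "
                    f"with replicas in: {where}.")


def evaluate_all(metas: list) -> list:
    """Evaluate a batch of KeyMetadata dicts, dropping out-of-scope keys."""
    results = []
    for meta in metas:
        verdict = evaluate_key(meta)
        if verdict is not None:
            results.append((meta["KeyId"], verdict[0], verdict[1]))
    return results


# Constructed sample metadata (shape follows describe_key; IDs are made up).
# Multi-region key IDs really do start with "mrk-"; the rest is invented.
SAMPLE_KEYS = {
    "single": {
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "KeyManager": "CUSTOMER", "KeyState": "Enabled", "MultiRegion": False,
    },
    "aws_managed": {
        "KeyId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "KeyManager": "AWS", "KeyState": "Enabled", "MultiRegion": False,
    },
    "primary": {
        "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
        "KeyManager": "CUSTOMER", "KeyState": "Enabled", "MultiRegion": True,
        "MultiRegionConfiguration": {
            "MultiRegionKeyType": "PRIMARY",
            "PrimaryKey": {"Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", "Region": "us-east-1"},
            "ReplicaKeys": [
                {"Arn": "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", "Region": "eu-west-1"},
            ],
        },
    },
    "replica": {
        "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
        "KeyManager": "CUSTOMER", "KeyState": "Enabled", "MultiRegion": True,
        "MultiRegionConfiguration": {
            "MultiRegionKeyType": "REPLICA",
            "PrimaryKey": {"Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", "Region": "us-east-1"},
            "ReplicaKeys": [],
        },
    },
}


def main(region: str = "us-east-1") -> None:
    """Live scan of one region (assumes boto3 and credentials; not run here)."""
    import boto3  # imported lazily so the pure logic above runs offline

    kms = boto3.client("kms", region_name=region)
    metas = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            metas.append(kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"])
    for key_id, status, reason in evaluate_all(metas):
        print(f"{status:4} {key_id}: {reason}")


if __name__ == "__main__":
    for key_id, status, reason in evaluate_all(list(SAMPLE_KEYS.values())):
        print(f"{status:4} {key_id}: {reason}")
```

Because every replica carries its own key policy, a real scan runs this in each enabled region; a replica that passes the key-policy checks in one region says nothing about its siblings elsewhere.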
Recommendation
Identify multi-region keys and replace them with single-region KMS keys. The MultiRegion property is fixed at creation and cannot be changed afterwards, so remediation means creating a new single-region key, re-encrypting data under it (for example with aws kms re-encrypt for KMS ciphertexts), updating aliases and grants, and then disabling and scheduling deletion of the old key. Replica keys must be deleted before the primary key can be deleted.
Remediation
aws kms create-key --no-multi-region

resource "aws_kms_key" "example" {
  description  = "Single-region key"
  multi_region = false
}
Multi-region keys should be used only when there is a concrete need for the same key material in more than one region, such as cross-region disaster recovery or global DynamoDB tables, and every replica must then be given the same restrictive key policy and monitored with CloudTrail in its own region.
Resource Type
AwsKmsKey