Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Optional customer managed keys #178

Open
camitz opened this issue Nov 14, 2023 · 2 comments
Open

Optional customer managed keys #178

camitz opened this issue Nov 14, 2023 · 2 comments
Labels
enhancement New feature or request triaged Has been triaged by solutions team

Comments

@camitz
Copy link

camitz commented Nov 14, 2023

KMS Customer Managed Keys are expensive.

I'm looking at the cost examples in the documentation. Take the first one, $3.30/month. I believe it's wrong. 10 accounts is 10 keys. That's an extra $10/month.... the first year, then 20, 30 and so on.

Using customer managed keys should be opt-out by parameter.

Or having a shared key on the administrator account.

@camitz camitz added the enhancement New feature or request label Nov 14, 2023
@tmekari
Copy link
Contributor

tmekari commented Nov 21, 2023

Hello, thank you for bringing this to our attention! As of now this is something we can offer in a future release with some caveats — a few remediations depend on this key so you’d be missing functionality for CloudTrail.1, CloudTrail.2, CloudWatch.2, Config.1, SNS.1, and SQS.1. I’ve added this to our backlog internally so we can track this.

@tmekari tmekari added the triaged Has been triaged by solutions team label Nov 21, 2023
@julian-price
Copy link

I agree with @camitz . I am investigating using this to auto remediate security issues in our AWS Org. We have enabled Control Tower and have about 120 accounts with 4 regions enabled. The automated response solution would cost 120 * 4 * $1 = $480 in KMS keys alone, but outside of the cost of the keys, it would only come in around $55, based on my estimates of the number of checks we have failing.
This means KMS costs would be 90% of the total monthly running cost, meaning the solution wouldn't really stack up for us at the moment.

Control Tower (and the CfCT which I would use to orchestrate the deployment) already has a common place for CMK KMS keys - in the audit account - and other AWS solutions such as the SRA utilise this to create a KMS key that is shared to the org. Here is an example of the SRA pre-requisite stack that creates a key shared to the org: https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-secrets-kms.yaml.

A solution like this may only be suitable for a Control Tower setup, but it would represent considerable cost savings over the current key per account, per region setup.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request triaged Has been triaged by solutions team
Projects
None yet
Development

No branches or pull requests

3 participants