Open camitz opened 1 year ago
Hello, thank you for bringing this to our attention! As of now this is something we can offer in a future release with some caveats — a few remediations depend on this key so you’d be missing functionality for CloudTrail.1, CloudTrail.2, CloudWatch.2, Config.1, SNS.1, and SQS.1. I’ve added this to our backlog internally so we can track this.
I agree with @camitz. I am investigating using this to auto remediate security issues in our AWS Org. We have enabled Control Tower and have about 120 accounts with 4 regions enabled. The automated response solution would cost 120 × 4 × $1 = $480 in KMS keys alone, but outside of the cost of the keys, it would only come in around $55, based on my estimates of the number of checks we have failing. This means KMS costs would be 90% of the total monthly running cost, meaning the solution wouldn't really stack up for us at the moment.
Control Tower (and the CfCT which I would use to orchestrate the deployment) already has a common place for CMK KMS keys - in the audit account - and other AWS solutions such as the SRA utilise this to create a KMS key that is shared to the org. Here is an example of the SRA pre-requisite stack that creates a key shared to the org: https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-secrets-kms.yaml.
A solution like this may only be suitable for a Control Tower setup, but it would represent considerable cost savings over the current key per account, per region setup.
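As an added illustration of the shared-key approach described above (this is example code, not the SRA template linked or the project's own deployment), a CloudFormation template for a single customer managed key in the audit account whose key policy is scoped to principals in the organization via `aws:PrincipalOrgID`; the organization ID is a placeholder parameter, and the resource and statement names are assumptions.

```yaml
# Added example (not the SRA template linked above): one CMK in the
# audit account whose key policy lets every principal inside the
# organization use it, instead of one key per account per region.
# Placeholder: the OrganizationId parameter value (o-xxxxxxxxxx) is assumed.
AWSTemplateFormatVersion: "2010-09-09"
Description: Org-shared KMS key for automated remediation (example)
Parameters:
  OrganizationId:
    Type: String
    Description: AWS Organizations ID, e.g. o-xxxxxxxxxx (placeholder)
    AllowedPattern: ^o-[a-z0-9]{10,32}$
Resources:
  SharedRemediationKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Shared CMK for Security Hub remediation across the org
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Keep the audit account root as key administrator; without this
          # statement the key becomes unmanageable.
          - Sid: AllowKeyAdministration
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          # Cryptographic use only, and only for principals in this org.
          # Service principals that remediations rely on (e.g. CloudTrail,
          # SNS, SQS encryption) still need their own statements per the
          # respective service documentation; they are omitted here.
          - Sid: AllowUseByOrganization
            Effect: Allow
            Principal:
              AWS: "*"
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"
            Condition:
              StringEquals:
                aws:PrincipalOrgID: !Ref OrganizationId
Outputs:
  SharedRemediationKeyArn:
    Description: Pass this ARN to member-account stacks (e.g. via CfCT)
    Value: !GetAtt SharedRemediationKey.Arn
```

Member-account stacks would then reference the exported ARN rather than creating their own key, which is what turns the per-account, per-region key cost into a single monthly charge.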
KMS Customer Managed Keys are expensive.
I'm looking at the cost examples in the documentation. Take the first one, $3.30/month. I believe it's wrong. 10 accounts is 10 keys. That's an extra $10/month... the first year, then 20, 30 and so on.
Using customer managed keys should be opt-out by parameter.
Or having a shared key on the administrator account.