aws-solutions / automated-security-response-on-aws

Automated Security Response on AWS is an add-on solution that works with AWS Security Hub to provide a ready-to-deploy architecture and a library of automated playbooks. The solution makes it easier for AWS Security Hub customers to resolve common security findings and to improve their security posture in AWS.
https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/
Apache License 2.0

Optional customer managed keys #178

Open camitz opened 8 months ago

camitz commented 8 months ago

KMS Customer Managed Keys are expensive.

I'm looking at the cost examples in the documentation. Take the first one, $3.30/month. I believe it's wrong. 10 accounts is 10 keys. That's an extra $10/month... the first year, then 20, 30 and so on.

Using customer managed keys should be opt-out by parameter.

Or having a shared key on the administrator account.

tmekari commented 7 months ago

Hello, thank you for bringing this to our attention! As of now this is something we can offer in a future release with some caveats — a few remediations depend on this key so you’d be missing functionality for CloudTrail.1, CloudTrail.2, CloudWatch.2, Config.1, SNS.1, and SQS.1. I’ve added this to our backlog internally so we can track this.