detect configuration of AWS-managed CMK's

[FireballDWF]

Need ability to filter on resource configurations which use AWS-managed CMK's. Use case is where customers with security sensitive (such as FSIs) workloads mandate the usage of Customer-Managed CMKs, thus need to detect resources which are configured to use AWS-Managed CMKs. (detecting AES256 and non-encrypted is already covered in bucket-encryption examples).

Potential syntax:

policies:
  - name: s3-bucket-encryption-KMS-aws-managed-cmk
    resource: s3
    region: us-east-1
    filters:
      - type: bucket-encryption
        state: True
        crypto: aws:kms
        key: KMSMasterKeyID
        op: regex
        value: ^(.*:alias\/aws\/.*)$

Design and implementation should factor in the need to support the same detection on EBS volumes, RDS instances, DynamoDB Tables, EFS. And eventually Redshift and Elasticache

[cpollard0]

I think you can get some of these already, i.e. below does RDS, same can be done for EBS.

Should we implement the same type: kms-alias filter on the additional resources?

---
policies:
  - name: identify-rds-using-default-kms
    resource: aws.rds
    description: |
      Identify RDS instances using default KMS key
    filters:
      - type: kms-alias
        key: AliasName
        value: ^(alias/aws/)
        op: regex