AWS KMS
by Amazon Web Services
Covered: 9 controls
Partial: 2 controls
Gaps: 2 controls
Overview
AWS KMS by Amazon Web Services is an encryption & key management solution that covers 9 NIST 800-171 controls (8% total coverage). It addresses key requirements in the encryption & key management domain for defense contractors pursuing CMMC compliance.
Controls Covered (9)
Implementation Notes
Deploy AWS KMS with FIPS-validated configurations. Integrate with your SIEM for centralized audit logging. Review partial controls quarterly to identify supplementary tooling needs.
Implementation Guidance for AWS KMS
Configure AWS KMS for NIST 800-171 compliance by implementing customer managed keys (CMKs) with automatic annual rotation enabled to satisfy the SC-12 and SC-13 cryptographic protection requirements. Enable CloudTrail integration to capture all KMS API calls in support of SC-8 transmission confidentiality and AC-6 least-privilege monitoring. For SC-28 protection at rest, configure KMS encryption for all S3 buckets, EBS volumes, and RDS instances using envelope encryption with a unique data key per object. Implement key policies that follow the principle of least privilege, restricting the kms:Decrypt and kms:GenerateDataKey permissions to specific IAM roles in line with AC-3 access enforcement. Configure cross-region key replication for SC-5 denial-of-service protection and business continuity.

Generate assessment evidence through CloudTrail logs showing encryption and decryption activity, KMS key usage reports demonstrating proper key rotation, and AWS Config rules validating encryption compliance across resources. Integrate with AWS IAM for identity-based policies, AWS Organizations for centralized key management across accounts, and third-party SIEM tools via CloudWatch Events for real-time monitoring.

Common misconfigurations include using AWS managed keys instead of customer managed keys (which limits rotation control), overly permissive key policies that allow cross-account access, disabled CloudTrail logging (which removes the audit trail), and missing resource-level encryption policies that leave data unprotected.
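The least-privilege key policy described above can be checked programmatically before a key is created or during quarterly reviews. This is an added example, not AWS's or this page's own code: the two policy documents, the account id and the role names are constructed placeholders, and the checker flags the misconfigurations the guidance names (wildcard principals, cross-account principals, and kms:Decrypt / kms:GenerateDataKey granted to anything other than a specific IAM role).

```python
import json

# Constructed placeholder account id; substitute your own.
ACCOUNT_ID = "111122223333"
# Actions that let a principal use the key on data: the page's kms:Decrypt and
# kms:GenerateDataKey, plus the wildcards that imply them.
DATA_KEY_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateDataKey*", "kms:*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_key_policy(policy: dict, account_id: str = ACCOUNT_ID) -> list:
    """Return human-readable findings; an empty list means the policy passed.
    Note: the default 'account root kms:*' delegation statement is flagged too,
    because it lets any IAM policy in the account grant key use."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        actions = set(_as_list(stmt.get("Action", [])))
        uses_data_keys = bool(actions & DATA_KEY_ACTIONS)
        for arn in arns:
            if arn == "*":
                findings.append(f"{sid}: wildcard principal")
            elif (arn.split(":")[4] if arn.startswith("arn:") else arn) != account_id:
                findings.append(f"{sid}: cross-account principal {arn}")
            elif uses_data_keys and ":role/" not in arn:
                findings.append(f"{sid}: data-key actions not limited to a specific IAM role")
    return findings


# Constructed sample: the two misconfigurations the guidance warns about.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAnyone", "Effect": "Allow", "Principal": "*", "Action": "kms:*", "Resource": "*"},
    {"Sid": "PartnerAccount", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}]}

# Constructed sample: admin role without data-key use, app role limited to S3 in one region.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdministration", "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/KmsKeyAdmin"},
     "Action": ["kms:DescribeKey", "kms:EnableKeyRotation", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion"], "Resource": "*"},
    {"Sid": "CuiAppDataKeyUse", "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/CuiAppRole"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
     "Condition": {"StringEquals": {"kms:ViaService": "s3.us-gov-west-1.amazonaws.com"}}}]}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(audit_key_policy(policy), indent=2))
```

Feed it the output of `aws kms get-key-policy --policy-name default` (parsed as JSON) to review keys already in the account.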
Gap Analysis & Compensating Controls
AWS KMS does not cover SC-23 session authenticity or MP-6 media sanitization, which leaves significant compliance gaps. SC-23 requires cryptographic mechanisms to protect session authenticity, but KMS only handles data encryption at rest and in transit through other AWS services. Implement AWS Certificate Manager for TLS/SSL certificates and configure application-layer session tokens with HMAC signatures to address this gap. For MP-6 media sanitization, KMS encryption provides cryptographic erasure capabilities but lacks the physical media destruction controls required for CUI storage devices. Deploy endpoint protection solutions such as Microsoft BitLocker for workstation encryption and establish formal media sanitization procedures following NIST SP 800-88 guidelines.

Document these gaps in your System Security Plan under the 'Inherited Controls' section and create POA&M entries with specific remediation timelines. The SC-23 gap should be prioritized highest, as session management affects multiple CMMC Level 2 domains including Access Control (AC) and System and Communications Protection (SC). Implement compensating controls through network segmentation and multi-factor authentication while pursuing dedicated session management solutions. Cost impact includes additional tooling for session management ($15-25K annually) and formal media sanitization processes requiring specialized equipment and procedures.
Compliance Cost Estimate
AWS KMS pricing ranges from $1-3 per key per month plus $0.03 per 10,000 API requests, translating to $500-2,000 annually for typical defense contractor implementations with 50-200 keys. Initial configuration costs include 40-60 hours of security architect time ($8,000-12,000) for policy design, key hierarchy planning, and CloudTrail integration. Ongoing monitoring requires dedicated personnel time (0.25 FTE, $25,000 annually) for key rotation management, access reviews, and compliance reporting. AWS KMS is cost-competitive compared to dedicated HSM solutions ($15,000-50,000 annually) while providing superior integration with AWS services. However, it requires additional investment in CloudTrail storage ($200-500 monthly) and monitoring tools for comprehensive audit capabilities.
Compliance Cross-References
AWS KMS directly supports DFARS 252.204-7012 encryption requirements for CUI protection and satisfies CMMC Level 2 domains SC.3.177 (employ FIPS-validated cryptography), SC.3.191 (protect confidentiality using encryption), and SC.3.194 (separate user functionality from system management functionality through key management policies). The service aligns with FedRAMP controls SC-8, SC-12, SC-13, and SC-28, providing authorized cryptographic modules and key management capabilities. CMMC assessment objectives C037 (cryptographic protection implementation) and C166 (transmission confidentiality) are fully satisfied through KMS integration with other AWS services. However, assessors will require additional tools for objectives C038 (wireless access protection) and C177 (FIPS validation documentation), necessitating supplementary network security controls and formal cryptographic module validation evidence beyond KMS capabilities.
Frequently Asked Questions
How many NIST 800-171 controls does AWS KMS cover?
AWS KMS covers 9 of 110 NIST 800-171 controls (8%), with 2 partially covered and 2 gaps.
Can AWS KMS alone satisfy CMMC Level 2?
No single tool covers all 110 NIST 800-171 controls. AWS KMS covers 8% and should be part of a layered security stack addressing the remaining controls.
What controls does AWS KMS not cover?
AWS KMS does not cover controls pe-3-10-1, si-3-14-1. These require supplementary solutions such as physical security controls, additional access management, or media protection tools.