Objective:Ensure that encryption keys are managed securely by enforcing
the use of approved algorithms, regular key rotation, and
customer-managed encryption keys (CMEKs).
Publication of events, metrics, and runtime logs may be disabled, leading
to a lack of expected security and operational information being shared.
This can impact system availability by delaying the detection of
incidents while also impacting system design decisions and enforcement of
operational thresholds, such as autoscaling or cost management.
The service automatically publishes structured, numeric, time-series data points related to
the performance, availability, and health of the service or its child resources.
When encryption keys are used, the service MUST verify that
all encryption keys use the latest industry-standard cryptographic
algorithms.
tlp-amber
tlp-red
CCC.Core.C11.TR02
When encryption keys are used, the service MUST rotate active keys
within 180 days of issuance.
tlp-amber
CCC.Core.C11.TR03
When encrypting data, the service MUST verify that
customer-managed encryption keys (CMEKs) are used.
tlp-amber
tlp-red
CCC.Core.C11.TR04
When encryption keys are accessed, the service MUST verify that
access to encryption keys is restricted to authorized personnel
and services, following the principle of least privilege.
tlp-clear
tlp-green
tlp-amber
tlp-red
CCC.Core.C11.TR05
When encryption keys are used, the service MUST rotate active keys
within 365 days of issuance.
tlp-clear
tlp-green
CCC.Core.C11.TR06
When encryption keys are used, the service MUST rotate active keys
within 90 days of issuance.