Objective:Ensure that encryption keys are managed securely by enforcing
the use of approved algorithms, regular key rotation, and
customer-managed encryption keys (CMEKs).
Publication of events, metrics, and runtime logs may be disabled, leading
to a lack of expected security and operational information being shared.
This can impact system availability by delaying the detection of
incidents while also impacting system design decisions and enforcement of
operational thresholds, such as autoscaling or cost management.
When encryption keys are used, the service MUST verify that
all encryption keys use the latest industry-standard cryptographic
algorithms.
tlp-amber
tlp-red
CCC.Core.CN11.AR02
When encryption keys are used, the service MUST rotate active keys
within 180 days of issuance.
tlp-amber
CCC.Core.CN11.AR03
When encrypting data, the service MUST verify that
customer-managed encryption keys (CMEKs) are used.
tlp-amber
tlp-red
CCC.Core.CN11.AR04
When encryption keys are accessed, the service MUST verify that
access to encryption keys is restricted to authorized personnel
and services, following the principle of least privilege.
tlp-clear
tlp-green
tlp-amber
tlp-red
CCC.Core.CN11.AR05
When encryption keys are used, the service MUST rotate active keys
within 365 days of issuance.
tlp-clear
tlp-green
CCC.Core.CN11.AR06
When encryption keys are used, the service MUST rotate active keys
within 90 days of issuance.