This event detects the creation of a new AWS customer master key.
Why this Event is Important
A customer master key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state. The CMK also contains the key material used to encrypt and decrypt data. Because a CMK is one of the primary keys used to encrypt and decrypt data in the environment, its key material must be safeguarded. If an attacker creates a new CMK, the attacker gains key material that can decrypt data in your AWS environment.
Search the audit logs to confirm that only authorized individuals can create and delete CMKs. Where possible, ensure the key material used meets the organization's standards. Check the event details to determine whether the key is a customer-managed CMK or an AWS-managed CMK.
Ensure that all the CMK-related activities are managed by a system administrator with MFA enabled.
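The triage steps above (who created the key, whether the session was MFA-backed, and whether the key is customer- or AWS-managed) can be answered directly from the CloudTrail record of the CreateKey call. The following is an added example, not the product's own detection logic: it reads CloudTrail records, keeps only KMS CreateKey events, and flags those made by a principal outside an allow list, without MFA, or that were denied. The field names (eventSource, eventName, userIdentity.sessionContext.attributes.mfaAuthenticated, responseElements.keyMetadata.keyManager, errorCode) follow the CloudTrail record format; the sample records and the authorized-principal list are constructed for illustration.

```python
"""Triage of AWS KMS CreateKey events from CloudTrail records.

Added example for this page, not the product's own detection logic.
Sample records and AUTHORIZED_PRINCIPALS are constructed for illustration.
"""
import json

# Constructed: principals allowed to create CMKs in this (hypothetical) account.
AUTHORIZED_PRINCIPALS = {"arn:aws:iam::123456789012:user/kms-admin"}

# Constructed sample of a CloudTrail log file body ({"Records": [...]}).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {  # authorized admin on an MFA-backed session: expected, informational only
        "eventTime": "2024-01-10T12:00:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "CreateKey", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/kms-admin",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "responseElements": {"keyMetadata": {
            "keyId": "11111111-2222-3333-4444-555555555555",
            "keyManager": "CUSTOMER", "keyState": "Enabled",
            "description": "app-data"}},
    },
    {  # long-lived access key (no sessionContext), not on the allow list
        "eventTime": "2024-01-10T12:05:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "CreateKey", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/ci-deploy"},
        "responseElements": {"keyMetadata": {
            "keyId": "66666666-7777-8888-9999-000000000000",
            "keyManager": "CUSTOMER", "keyState": "Enabled", "description": ""}},
    },
    {  # denied attempt: errorCode set, no responseElements
        "eventTime": "2024-01-10T12:06:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "CreateKey", "awsRegion": "us-east-1",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/bob",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform: kms:CreateKey",
    },
    {  # unrelated KMS call: must be ignored by the triage
        "eventTime": "2024-01-10T12:07:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "DescribeKey", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/kms-admin"},
    },
]})


def parse_records(text):
    """Accept a CloudTrail log file body ({"Records": [...]}) or a bare list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def mfa_authenticated(identity):
    """CloudTrail stores the flag as the string "true"/"false"; a missing
    sessionContext (long-lived access key) counts as no MFA."""
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def triage_create_key_events(records, authorized_principals):
    """Return one finding per KMS CreateKey call: who made it, whether the
    session used MFA, whether the key is customer- or AWS-managed, and whether
    the call succeeded. Any deviation from policy raises severity to high."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("eventName") != "CreateKey":
            continue
        identity = rec.get("userIdentity", {})
        actor = identity.get("arn", "<unknown>")
        # responseElements is null on a failed call, so guard before .get()
        meta = (rec.get("responseElements") or {}).get("keyMetadata", {})
        reasons = []
        if actor not in authorized_principals:
            reasons.append("actor not in authorized list")
        if not mfa_authenticated(identity):
            reasons.append("no MFA on session")
        if rec.get("errorCode"):
            reasons.append("request failed: " + rec["errorCode"])
        findings.append({
            "time": rec.get("eventTime"),
            "region": rec.get("awsRegion"),
            "actor": actor,
            "actor_type": identity.get("type"),
            "key_id": meta.get("keyId"),
            "key_manager": meta.get("keyManager"),  # "CUSTOMER" or "AWS"
            "error": rec.get("errorCode"),
            "reasons": reasons,
            "severity": "high" if reasons else "info",
        })
    return findings


if __name__ == "__main__":
    for f in triage_create_key_events(parse_records(SAMPLE_CLOUDTRAIL), AUTHORIZED_PRINCIPALS):
        print(f["severity"].upper(), f["time"], f["actor"], f["key_id"],
              "; ".join(f["reasons"]) or "expected")
```

Failed CreateKey calls are kept in the output on purpose: a denied attempt from a principal that should never touch KMS is often more interesting than a successful call by the key administrator. The allow list is a deliberately simple stand-in for whatever the organization uses to define its authorized key administrators.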