1 Answer
Hi Eladio,
No, directly backing up the AWS KMS key material, including the Default EBS KMS key, is not allowed for security reasons. The entire concept of KMS revolves around securing your keys and ensuring they are not accessible in plain text.
If you suspect an account takeover, follow these steps:
- Secure your Root Account: Immediately rotate your root account credentials and enable MFA.
- Identify compromised resources: Use AWS CloudTrail to identify any unusual API calls or access attempts.
- Revoke access: Revoke access from any unauthorized users or IAM roles.
If you accidentally delete a KMS key, AWS offers limited options for recovery depending on the type of key and how long ago it was deleted. Refer to the AWS documentation for specific details: https://docs.aws.amazon.com/kms/
- AWS KMS Best Practices: https://docs.aws.amazon.com/prescriptive-guidance/latest/encryption-best-practices/kms.html
- IAM Policies for KMS: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
- Restoring a Deleted KMS Key: https://docs.aws.amazon.com/kms/
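Added here as an example, not code from the answer or from AWS: a small Python triage pass over constructed CloudTrail-style records that flags what the answer says to look for after a suspected takeover, namely destructive KMS calls (ScheduleKeyDeletion, DisableKey, PutKeyPolicy and similar) and root activity without MFA. The record values, key IDs and account number are made up for the example.

```python
import json

# KMS API calls that remove or restrict access to a key. ScheduleKeyDeletion
# is reversible only while the key's waiting period (7 to 30 days) is running.
DESTRUCTIVE_KMS_EVENTS = {
    "ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy",
    "DeleteImportedKeyMaterial", "DeleteAlias", "RevokeGrant",
}

# Constructed CloudTrail-style records: the field layout follows CloudTrail's
# JSON, but every value below is made up for this example.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"keyId": "EXAMPLE-KEY-1", "pendingWindowInDays": 7}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0"},
     "requestParameters": {"keyId": "EXAMPLE-KEY-1"}},
    {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "Root", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "responseElements": {"ConsoleLogin": "Success"}},
]})


def triage(trail_json):
    """Return findings worth an incident ticket as (severity, eventName, actor, detail)."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        name = rec.get("eventName", "")
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        # Destructive KMS calls: these are what makes a key unrecoverable later.
        if rec.get("eventSource") == "kms.amazonaws.com" and name in DESTRUCTIVE_KMS_EVENTS:
            params = rec.get("requestParameters", {})
            detail = f"key {params.get('keyId', '?')} from {rec.get('sourceIPAddress')}"
            if name == "ScheduleKeyDeletion":
                # CloudTrail omits the window when the caller used the 30-day default.
                detail += f"; cancel deletion within {params.get('pendingWindowInDays', 30)} days"
            findings.append(("high", name, who, detail))
        # Root activity without MFA: the first thing the answer says to lock down.
        if ident.get("type") == "Root":
            mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
            if mfa != "true":
                findings.append(("critical", name, "root", "root activity without MFA"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_TRAIL):
        print(finding)
```

Point the same function at a real trail export (the `Records` array of a CloudTrail log file) to get the list of calls to review and revoke.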