As part of securing your AWS account, make sure you have strict controls over who can create custom encryption keys for AWS resources. A bad actor with access to your account can create their own encryption keys, encrypt your AWS resources and later hold them for ransom. This protection should be part of a larger security policy that limits access to resources using IAM and sets up specific event notifications for AWS key generation using CloudWatch and Lambda.
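One way to build the notification side, as an added example that is not from the original post: an event pattern that matches KMS `CreateKey` calls recorded by CloudTrail, and a Lambda handler that flags any caller outside an approved list. The role names, account ID, and the `APPROVED_KEY_ADMINS`, `principal_arn` and `evaluate` names are assumptions, and the sample event is constructed.

```python
import json

# EventBridge (CloudWatch Events) pattern routing CloudTrail-recorded CreateKey calls here.
EVENT_PATTERN = {
    "source": ["aws.kms"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["kms.amazonaws.com"], "eventName": ["CreateKey"]},
}
# Assumption: the only principal allowed to create keys (placeholder account ID).
APPROVED_KEY_ADMINS = {"arn:aws:iam::111122223333:role/KeyAdmin"}

# Constructed sample event, trimmed to the fields used below.
SAMPLE_EVENT = {
    "source": "aws.kms", "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "kms.amazonaws.com", "eventName": "CreateKey",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/Developer/session1",
            "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/Developer"}},
        },
        "responseElements": {"keyMetadata": {"keyId": "00000000-0000-0000-0000-000000000000"}},
    },
}

def principal_arn(identity):
    """Role ARN for assumed-role sessions (session ARNs vary per login), else the caller ARN."""
    if identity.get("type") == "AssumedRole":
        return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
    return identity.get("arn", "")

def evaluate(event):
    # Returns a finding for a CreateKey call, or None for any other event.
    detail = event.get("detail", {})
    if (detail.get("eventSource"), detail.get("eventName")) != ("kms.amazonaws.com", "CreateKey"):
        return None
    arn = principal_arn(detail.get("userIdentity", {}))
    key = (detail.get("responseElements") or {}).get("keyMetadata", {})  # null when the call failed
    return {"principal": arn, "approved": arn in APPROVED_KEY_ADMINS,
            "succeeded": "errorCode" not in detail, "key_id": key.get("keyId"),
            "region": detail.get("awsRegion"), "source_ip": detail.get("sourceIPAddress")}

def lambda_handler(event, context):
    finding = evaluate(event)
    if finding and not finding["approved"]:
        print(json.dumps({"alert": "KMS CreateKey by unapproved principal", **finding}))
    return finding
```

The handler only logs the alert; forwarding it to a paging or messaging channel depends on the deployment.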