⚠️ A major risk when using customer-managed KMS keys is that someone deletes the key, and with it every piece of data encrypted under that key becomes unrecoverable. How to mitigate the risk?
1️⃣ AWS does not allow keys to be deleted immediately: kms:ScheduleKeyDeletion enforces a waiting period of 7 to 30 days (default 30), during which the deletion can still be cancelled with kms:CancelKeyDeletion.
2️⃣ Customers use key policies, IAM policies, or SCPs to deny the kms:ScheduleKeyDeletion action to everyone except a small set of key administrators.
But there is another way to lose access to a key: modifying the key policy. (1/2)
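As an added example (not part of the original post), here is what mitigation 2️⃣ looks like as a service control policy. The role name KmsKeyAdminBreakGlass and the Sid are assumptions chosen for this illustration; the SCP denies kms:ScheduleKeyDeletion for every principal in the organizational unit it is attached to, except a dedicated break-glass role that is matched on aws:PrincipalArn. Remember that SCPs never apply to the organization's management account, so the key policy on each key should carry the same restriction.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyKmsKeyDeletionExceptBreakGlassRoleExampleOnly",
      "Effect": "Deny",
      "Action": [
        "kms:ScheduleKeyDeletion"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/KmsKeyAdminBreakGlass"
        }
      }
    }
  ]
}
```

kms:CancelKeyDeletion is deliberately not denied, so anyone who would otherwise be allowed to administer the key can still stop a pending deletion during the waiting period.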
The course Stratospheric - From Zero to Production with Spring Boot and AWS by Philip Riecks, Björn Wilmsmann and Tom Hombergs is on sale on Leanpub! Its suggested price is $249.00; get it for $174.30 with this coupon: https://leanpub.com/sh/io3gzbiI #AmazonWebServices #Java