Key management

Amazon CloudWatch key – used to encrypt CloudWatch Logs groups created by the solution

Amazon S3 key – used to encrypt Amazon S3 buckets created by the solution

AWS Lambda key – used to encrypt environment variables for Lambda functions created by the solution

AWS Systems Manager Session Manager key (optional) – used to encrypt Session Manager sessions if Session Manager logging is activated in the global-config.yaml file

Amazon Elastic Block Store (Amazon EBS) key (optional) – used for default encryption of Amazon EBS volumes if activated in the security-config.yaml file

Installer key – created by AWSAccelerator-InstallerStack to activate encryption at rest for Installer pipeline dependencies

Management key – created by AWSAccelerator-PipelineStack to activate encryption at rest for Core pipeline dependencies

AWS Backup key (optional) – used to activate encryption at rest for AWS Backup vault if configured in the organization-config.yaml file

Central logs key – used to encrypt the aws-accelerator-central-logs Amazon S3 bucket

Log replication key – used to encrypt a Kinesis Data Stream used as a destination for log replication from CloudWatch Logs to Amazon S3

Accelerator KMS key – used by the entire organization to decrypt AWS Systems Manager parameters (SSM parameters) stored centrally in the Audit account

Audit S3 key – used to encrypt authorize-created CloudTrail Amazon S3 buckets and Audit Manager publishing bucket, if configured

Amazon SNS key (optional) – used to encrypt Amazon SNS topics created to alert on security events, if configured