Certified Security - Specialty


Can AWS Config monitor KMS keys?

Around 7:30, it says that Config can be turned on and monitor KMS.

Currently, KMS keys are not a supported resource type in AWS Config, so it will not monitor configuration changes to these resources.

  • AWS Config Supported AWS Resource Types and Resource Relationships

https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html


UPDATE: AWS recently added support for KMS keys, so the link above does show KMS keys as a supported resource now.

"You can view the metadata associated with an AWS KMS key and track changes to key policies, tags, and other configuration attributes associated with the AWS KMS key."

  • AWS Config Adds Support for AWS Key Management Service and Amazon Elasticsearch Service

https://aws.amazon.com/about-aws/whats-new/2019/11/aws-config-adds-support-for-aws-key-management-service-and-amazon-elasticsearch/

Bradley Anthony

Although Config does not currently monitor KMS keys, you can refer to the following AWS doc if you wish to monitor your KMS keys and record changes:


There are also some managed rules available:

https://docs.aws.amazon.com/config/latest/developerguide/kms-cmk-not-scheduled-for-deletion.html

https://docs.aws.amazon.com/config/latest/developerguide/cmk-backing-key-rotation-enabled.html

We are currently using the compliance check for key rotation. The other managed rule, for scheduled deletion, combined with compliance change notifications (SNS), will notify you when someone schedules a key for deletion.
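As an added example that is not part of this thread or of AWS's own code: a filter for the SNS compliance change notifications the answer above relies on, of the kind a Lambda function subscribed to the Config topic would run. It assumes the shape of a Config ComplianceChangeNotification message body (messageType, configRuleName, resourceType, resourceId, awsAccountId, awsRegion, and oldEvaluationResult/newEvaluationResult with complianceType and annotation) and that the two managed rules kept the default names shown in the documentation URLs; the KMS_RULE_REASONS mapping, the Alert record and the sample event (with fake account and key IDs) are constructed here.

```python
"""Triage AWS Config compliance-change notifications for the two KMS managed rules.

Added example, not code from the thread, the course, or AWS. Assumes the
ComplianceChangeNotification SNS body shape and the default managed-rule names;
all sample data below is constructed and the account/key IDs are fake.
"""
import json
from dataclasses import asdict, dataclass
from typing import Any, Dict, List, Optional

# Rule names are chosen at creation time; this mapping assumes the defaults
# from the AWS doc URLs were kept. Adjust it if your rules are named differently.
KMS_RULE_REASONS = {
    "kms-cmk-not-scheduled-for-deletion": "KMS key has been scheduled for deletion",
    "cmk-backing-key-rotation-enabled": "automatic rotation is disabled on the KMS key",
}
KMS_KEY_RESOURCE_TYPE = "AWS::KMS::Key"


@dataclass
class Alert:
    severity: str  # "HIGH" for a new violation, "INFO" when a violation is resolved
    key_id: str
    rule: str
    reason: str
    account: str
    region: str
    annotation: Optional[str]


def triage(message_body: str) -> Optional[Alert]:
    """Return an Alert for a KMS-rule compliance transition, or None to ignore the message."""
    body = json.loads(message_body)
    # Config sends several message types to the same topic (configuration item
    # changes, snapshot deliveries, ...); only this one carries rule results.
    if body.get("messageType") != "ComplianceChangeNotification":
        return None
    if body.get("resourceType") != KMS_KEY_RESOURCE_TYPE:
        return None
    rule = body.get("configRuleName", "")
    if rule not in KMS_RULE_REASONS:
        return None
    # oldEvaluationResult is null the first time a resource is evaluated.
    new_result = body.get("newEvaluationResult") or {}
    new_state = new_result.get("complianceType")
    old_state = (body.get("oldEvaluationResult") or {}).get("complianceType")
    if new_state == old_state:
        return None
    if new_state == "NON_COMPLIANT":
        severity = "HIGH"
    elif new_state == "COMPLIANT" and old_state == "NON_COMPLIANT":
        severity = "INFO"
    else:
        # NOT_APPLICABLE / INSUFFICIENT_DATA: the key is gone or the rule has no
        # verdict yet. Neither is a reason to page anyone.
        return None
    return Alert(
        severity=severity,
        key_id=body.get("resourceId", "<unknown>"),
        rule=rule,
        reason=KMS_RULE_REASONS[rule],
        account=body.get("awsAccountId", "<unknown>"),
        region=body.get("awsRegion", "<unknown>"),
        annotation=new_result.get("annotation"),
    )


def handler(event: Dict[str, Any], context: Any = None) -> List[Dict[str, Any]]:
    """Lambda-style entry point for an SNS subscription; returns the alerts worth forwarding."""
    alerts = []
    for record in event.get("Records", []):
        alert = triage(record["Sns"]["Message"])
        if alert is not None:
            alerts.append(asdict(alert))
    return alerts


def _sns_record(**body: Any) -> Dict[str, Any]:
    """Wrap a constructed message body the way SNS hands it to Lambda."""
    return {"Sns": {"Message": json.dumps(body)}}


def _compliance_change(rule: str, old: Optional[str], new: str, note: str = "") -> Dict[str, Any]:
    return _sns_record(
        messageType="ComplianceChangeNotification", recordVersion="1.0",
        awsAccountId="111111111111", awsRegion="us-east-1",          # fake account
        resourceType=KMS_KEY_RESOURCE_TYPE,
        resourceId="1234abcd-12ab-34cd-56ef-1234567890ab",           # fake key ID
        configRuleName=rule,
        oldEvaluationResult=None if old is None else {"complianceType": old},
        newEvaluationResult={"complianceType": new, "annotation": note},
    )


# Constructed delivery: a key just scheduled for deletion, a rotation finding that
# was resolved, a first evaluation with no verdict, and a configuration item change
# notification that the filter must ignore.
SAMPLE_EVENT = {"Records": [
    _compliance_change("kms-cmk-not-scheduled-for-deletion", "COMPLIANT", "NON_COMPLIANT",
                       "Key is scheduled for deletion."),
    _compliance_change("cmk-backing-key-rotation-enabled", "NON_COMPLIANT", "COMPLIANT"),
    _compliance_change("cmk-backing-key-rotation-enabled", None, "INSUFFICIENT_DATA"),
    _sns_record(messageType="ConfigurationItemChangeNotification",
                configurationItem={"resourceType": KMS_KEY_RESOURCE_TYPE}),
]}

if __name__ == "__main__":
    for alert in handler(SAMPLE_EVENT):
        print(json.dumps(alert))
```

Matching on the rule name rather than on the resource type alone is deliberate: the same topic receives every rule's results, and the two KMS rules call for different responses (a scheduled deletion is time-critical because of the waiting period, disabled rotation is a hygiene finding), so the rule name is what decides the severity and the wording of the alert.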
