Compliance Requirements

Architecture

Implement encryption controls that satisfy common compliance frameworks:

  • PCI-DSS for payment card data protection
  • HIPAA for healthcare data encryption
  • SOC 2 for security and availability controls
  • GDPR for personal data protection

When to Use

This pattern is ideal when you need:

  • Customer-managed keys instead of AWS-managed keys
  • Documented key rotation policies
  • Audit trails for key usage and management
  • Cross-account key sharing with specific principals
  • Key policies that enforce separation of duties

Key Controls

Automatic Rotation

Enable automatic annual rotation to meet compliance requirements:

module "compliant_key" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/kms-key/aws"
  version = "1.0.0"

  alias               = "alias/pci-encryption"
  description         = "PCI-DSS compliant encryption key"
  enable_key_rotation = true
}
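
The module call above only shows rotation. The separation-of-duties, least-privilege and cross-account controls listed under "When to Use" live in the key policy. The following is an added example, not the kms-key module's own code and not an input the module is documented to accept: it uses the AWS provider's aws_kms_key, aws_kms_alias and aws_iam_policy_document resources directly so that every attribute shown is a documented provider attribute. The account id, the role names kms-key-admin, payments-app and partner-reader, the partner account 222222222222 and the region ca-central-1 are assumed placeholders.

```hcl
# Added example (not the module's code): a KMS key whose key policy separates
# administration from use, scopes use to one service, and shares decrypt-only
# access with a single named principal in another account.
# Assumed identities: roles kms-key-admin, payments-app, partner-reader,
# partner account 222222222222, region ca-central-1.

data "aws_caller_identity" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
}

data "aws_iam_policy_document" "compliant_key" {
  # Key administrators manage the key but hold no cryptographic permissions,
  # so an admin alone cannot read data protected by the key.
  statement {
    sid = "KeyAdministration"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:role/kms-key-admin"]
    }
    actions = [
      "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
      "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
      "kms:TagResource", "kms:UntagResource",
      "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    ]
    resources = ["*"]
  }

  # Key users get cryptographic operations only, and only when the request
  # arrives through S3 in one region (kms:ViaService), not from arbitrary callers.
  statement {
    sid = "KeyUsage"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:role/payments-app"]
    }
    actions = [
      "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
      "kms:GenerateDataKey*", "kms:DescribeKey",
    ]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["s3.ca-central-1.amazonaws.com"]
    }
  }

  # Cross-account sharing: one named role, decrypt only, no management actions.
  statement {
    sid = "CrossAccountDecrypt"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::222222222222:role/partner-reader"]
    }
    actions   = ["kms:Decrypt", "kms:DescribeKey"]
    resources = ["*"]
  }
}

resource "aws_kms_key" "compliant" {
  description             = "PCI-DSS compliant encryption key"
  enable_key_rotation     = true
  deletion_window_in_days = 30  # longest waiting period, maximum time to cancel
  policy                  = data.aws_iam_policy_document.compliant_key.json
}

resource "aws_kms_alias" "compliant" {
  name          = "alias/pci-encryption"
  target_key_id = aws_kms_key.compliant.key_id
}
```

Two points to check before applying a policy like this: the key policy contains no statement for the account root, so if the kms-key-admin role is ever deleted the key has no administrator and AWS support is the only recovery path; and the cross-account statement grants nothing on its own, since the partner account must also attach an IAM policy to partner-reader allowing kms:Decrypt on this key's ARN.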

Audit Integration

All key operations are automatically logged to CloudTrail:

  • Key creation and deletion
  • Encrypt and decrypt operations
  • Policy changes
  • Grant creation
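
CloudTrail records the events above, but a compliance reviewer usually wants the lifecycle and policy changes surfaced rather than left in the log. The following is an added example, not part of the kms-key module: an EventBridge rule that matches the CloudTrail management events for key deletion scheduling, key or rotation disablement, policy replacement and grant creation, and forwards them to an SNS topic. The topic name kms-audit-alerts and the rule name are assumed placeholders.

```hcl
# Added example (not the module's code): alert on sensitive KMS management
# events delivered by CloudTrail to EventBridge. Assumed names: the SNS topic
# "kms-audit-alerts" and the rule "kms-sensitive-changes".

resource "aws_sns_topic" "kms_audit_alerts" {
  name = "kms-audit-alerts"
}

resource "aws_cloudwatch_event_rule" "kms_sensitive_changes" {
  name        = "kms-sensitive-changes"
  description = "KMS key lifecycle, policy and grant changes recorded by CloudTrail"

  # Only the mutating calls that change who can use the key or whether it
  # exists; routine Encrypt/Decrypt traffic stays in CloudTrail for audit.
  event_pattern = jsonencode({
    source        = ["aws.kms"]
    "detail-type" = ["AWS API Call via CloudTrail"]
    detail = {
      eventSource = ["kms.amazonaws.com"]
      eventName = [
        "ScheduleKeyDeletion",
        "DisableKey",
        "DisableKeyRotation",
        "PutKeyPolicy",
        "CreateGrant",
      ]
    }
  })
}

resource "aws_cloudwatch_event_target" "kms_to_sns" {
  rule = aws_cloudwatch_event_rule.kms_sensitive_changes.name
  arn  = aws_sns_topic.kms_audit_alerts.arn
}

# EventBridge needs explicit permission to publish to the topic.
data "aws_iam_policy_document" "allow_events_publish" {
  statement {
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.kms_audit_alerts.arn]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_sns_topic_policy" "allow_events_publish" {
  arn    = aws_sns_topic.kms_audit_alerts.arn
  policy = data.aws_iam_policy_document.allow_events_publish.json
}
```

EventBridge only receives "AWS API Call via CloudTrail" events for mutating API calls and only in regions where a trail is logging management events, so the rule above depends on a CloudTrail trail existing in the same region as the key; read-only calls such as Decrypt and DescribeKey are not delivered to EventBridge and must be reviewed in the CloudTrail logs themselves.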

Considerations

  • Key deletion has a mandatory waiting period (7-30 days)
  • Disabled keys cannot be used for encryption but existing data remains accessible
  • Key policies should follow least-privilege principles