Overview
Encryption Key Management is the process of creating, storing, rotating, and restricting access to cryptographic keys used to encrypt sensitive systems and data. This process ensures encryption keys are protected against unauthorized access and misuse in accordance with SOC 2 CC6 access control requirements.
Step-by-Step Process
Define key ownership and scope
The Engineering Lead identifies which systems, databases, and services require encryption keys and assigns a named key owner for each key set. This includes documenting whether keys are used for data-at-rest, data-in-transit, or application-level encryption. The output is an approved key inventory with owners and usage defined.
Role: Engineering Lead
Create encryption keys in approved key management system
An engineer creates encryption keys using the organization-approved key management tool (AWS KMS, Azure Key Vault, or HashiCorp Vault). Keys must use approved algorithms (e.g., AES-256, RSA-2048) and be created with key material managed by the platform where possible. The output is newly created keys with unique identifiers.
Role: Engineering Lead
Configure key access controls
The Engineering Lead configures role-based access controls to restrict key usage to approved services and users only. Permissions must follow least privilege and exclude human users where service roles can be used. The output is enforced IAM or policy-based access restrictions on each key.
Role: Engineering Lead
Enable key rotation settings
Automatic key rotation is enabled where supported, or a manual rotation schedule is defined if automation is not available. Rotation frequency must align with organizational policy and SOC 2 expectations (at least annually). The output is documented and configured key rotation settings.
Role: Engineering Lead
Log and monitor key usage
Logging is enabled to capture all key usage events, including encrypt, decrypt, and administrative actions. Logs are integrated with centralized logging or SIEM tools for monitoring. The output is auditable logs showing key access and usage activity.
Role: Security Analyst
Document key management procedures
The Engineering Lead documents how keys are created, rotated, revoked, and deleted, including references to the specific tools used. This documentation is stored in the company’s policy repository and reviewed annually. The output is an approved key management procedure document.
Role: Engineering Lead
Perform annual access and configuration review
At least annually, the Security Analyst reviews key access permissions, rotation status, and logging configurations. Any unauthorized access or misconfiguration is remediated and documented. The output is a completed annual review record with findings and remediation notes.
Role: Security Analyst
What You Need Before Starting
- Approved encryption and key management policy
- Access to AWS, Azure, or HashiCorp Vault administrative consoles
- List of systems and data requiring encryption
- IAM or identity provider role definitions
Evidence Your Auditor Expects
- Dated screenshot of encryption key configuration showing key ID and rotation status
- Exported access policy or IAM role permissions attached to keys with timestamp
- Key usage or audit log extract covering a defined date range
- Annual key access review document signed and dated by reviewer
How This Looks In Your Tools
AWS KMS
Log in to the AWS Management Console and navigate to Services > Security, Identity, & Compliance > Key Management Service (KMS). Select Customer managed keys, click Create key, choose Symmetric, and follow the wizard to define key usage and administrators.
After creation, open the key and go to the Key rotation tab to enable automatic rotation. Then navigate to the Key policy and Grants sections to restrict access to specific IAM roles or services. Ensure AWS CloudTrail is enabled by going to Services > CloudTrail and verifying KMS events are being logged.
HashiCorp Vault
Log in to the Vault UI and navigate to Secrets Engines > Enable new engine if not already configured. Enable the Transit or KV secrets engine depending on encryption use case, then create a new key via Create key, selecting the appropriate key type and rotation settings.
Configure access policies by navigating to Access > Policies and assigning least-privilege capabilities to application roles. Verify audit logging is enabled by navigating to Access > Audit Devices and confirming logs are being sent to an approved destination.
Azure Key Vault
Sign in to the Azure Portal and navigate to Key Vaults, then select the appropriate vault or create a new one. Go to Keys > Generate/Import and create a new key, selecting the required key type and size.
Configure access by navigating to Access configuration or Access policies and assigning roles such as Key Vault Crypto User to specific managed identities. Enable diagnostic logging by going to Monitoring > Diagnostic settings and sending logs to Log Analytics or a storage account.
Common Audit Findings
- Key rotation not enabled: Auditors commonly find that automatic rotation is disabled or undocumented. Prevent this by enabling built-in rotation where available and documenting manual rotation schedules with clear dates.
- Overly permissive key access: Keys are often accessible by too many users or roles due to broad IAM policies. Apply least-privilege access and review permissions annually to prevent this issue.
- Missing key usage logs: Organizations may fail to enable or retain key usage logs. Ensure logging is enabled and retained for the required period to provide audit evidence.
- No documented key owner: Auditors may note that keys lack clear ownership, making accountability unclear. Assign and document a named key owner for every encryption key.
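As an added example (not part of this procedure document), the following Python check runs the findings above, together with the AWS KMS access-control and rotation steps, against an exported key record: rotation status, a named Owner tag, and key policy statements that grant access to a wildcard principal or to human IAM users where a service role should be used. The record shape mirrors trimmed `aws kms describe-key`, `get-key-rotation-status`, `get-key-policy` and `list-resource-tags` output, and the key ID, account ID and principals are constructed placeholders.

```python
import re

# Constructed sample (not real account data): an exported KMS key record assembled
# from trimmed describe-key / get-key-rotation-status / get-key-policy / list-resource-tags output.
SAMPLE_KEY = {
    "KeyId": "EXAMPLE-KEY-ID-PLACEHOLDER",
    "KeyRotationEnabled": False,
    "Tags": {"Owner": ""},
    "KeyPolicy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AccountRoot", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AppUse", "Effect": "Allow",
             "Principal": {"AWS": ["arn:aws:iam::111122223333:role/app-service",
                                   "arn:aws:iam::111122223333:user/alice"]},
             "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
            {"Sid": "Anyone", "Effect": "Allow", "Principal": "*",
             "Action": "kms:Decrypt", "Resource": "*"},
        ],
    },
}

def _principals(stmt: dict) -> list[str]:
    """Normalise the Principal element (string, list, or {"AWS": ...}) to a flat list."""
    p = stmt.get("Principal", {})
    if isinstance(p, dict):
        p = p.get("AWS", [])
    return p if isinstance(p, list) else [p]

def check_key(key: dict) -> list[str]:
    """Return finding codes for one exported key record; an empty list means clean."""
    findings = []
    if not key.get("KeyRotationEnabled"):
        findings.append("rotation-not-enabled")
    if not key.get("Tags", {}).get("Owner"):
        findings.append("no-documented-key-owner")
    for stmt in key["KeyPolicy"]["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no-sid>")
        for principal in _principals(stmt):
            # A wildcard principal with no Condition is usable from any AWS account.
            if principal == "*" and "Condition" not in stmt:
                findings.append(f"overly-permissive:{sid}:wildcard-principal")
            # Human IAM users should not hold key permissions when a service role will do.
            elif re.search(r":user/", principal):
                findings.append(f"human-user-access:{sid}:{principal.rsplit('/', 1)[-1]}")
    return findings

if __name__ == "__main__":
    for finding in check_key(SAMPLE_KEY):
        print(finding)
```

The account-root statement with kms:* is the default KMS key policy that delegates to IAM and is deliberately not flagged; pair this check with the CloudTrail log extract to cover the missing-logs finding.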