Key Management Errors
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-320: CWE CATEGORY: Key Management Errors |
| OWASP | A2:2021 Cryptographic Failures |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Medium |
Description
The OpenSearch Serverless resource is configured to use AWS-owned encryption keys instead of Customer Managed Keys (CMKs) for encrypting data at rest. This limits control over key management, such as access permissions and key rotation.
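One way to check for the condition described above, written in Python as an added example; it is not this rule's own implementation. The function name, the sample policies, the account ID and the key ID are constructed for illustration, and `Rules`, `AWSOwnedKey` and `KmsARN` are the fields of an OpenSearch Serverless encryption security policy document.

```python
import json
import re

# KMS key ARN shape: arn:<partition>:kms:<region>:<12-digit account>:key/<key id>
KMS_KEY_ARN = re.compile(r"^arn:aws[\w-]*:kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+$")


def audit_encryption_policy(policy_json):
    """Return (compliant, findings) for one encryption security policy document."""
    policy = json.loads(policy_json)
    # Collections the policy applies to, taken from its Rules entries.
    resources = [res for rule in policy.get("Rules", [])
                 if rule.get("ResourceType") == "collection"
                 for res in rule.get("Resource", [])]
    scope = ", ".join(resources) or "<no collection rules>"
    findings = []
    kms_arn = policy.get("KmsARN")
    if policy.get("AWSOwnedKey") is True:
        findings.append(f"{scope}: AWSOwnedKey is true, data at rest uses an AWS-owned key")
    elif not kms_arn:
        # Assumption of this example: no key reference at all is reported too.
        findings.append(f"{scope}: no KmsARN set, no customer managed key is referenced")
    elif not KMS_KEY_ARN.match(kms_arn):
        findings.append(f"{scope}: KmsARN is not a KMS key ARN: {kms_arn}")
    return (not findings, findings)


# Constructed sample policies: the flagged configuration and the CMK form.
RULES = [{"ResourceType": "collection", "Resource": ["collection/app-logs"]}]
WEAK_POLICY = json.dumps({"Rules": RULES, "AWSOwnedKey": True})
CMK_POLICY = json.dumps({
    "Rules": RULES,
    "AWSOwnedKey": False,
    "KmsARN": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("cmk", CMK_POLICY)):
        ok, findings = audit_encryption_policy(doc)
        print(name, "compliant" if ok else findings)
```
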
Impact
Without CMKs, your organization cannot control who can access or rotate the encryption keys, potentially exposing sensitive OpenSearch data if AWS keys are compromised or misused. This reduces compliance and may increase risk in regulated environments.