WAF-SOV-050 – Key Ownership & Management Defined

Pillar: Sovereign | Severity: 🔴 Critical | Category: Key Sovereignty | Automatable: High

Description

The key ownership model MUST be explicitly defined and technically enforced for all data classes: Provider-Managed Keys (PMK), Customer-Managed Keys (CMK), Bring Your Own Key (BYOK), or Hold Your Own Key (HYOK).

Key rotation and deletion MUST be governed by documented procedures. All data at rest MUST be encrypted; the use of provider-managed default keys requires explicit approval for sensitive data classes.

Rationale

When a cloud provider controls encryption keys, they theoretically have the ability to decrypt data — regardless of the geographical location of the data. True data sovereignty requires sovereignty over the keys that protect that data.

CMK/BYOK ensures that even if a provider is legally compelled to hand over data, it remains cryptographically inaccessible without the customer-managed key material. Key rotation and secure deletion are critical for limiting the blast radius of a key compromise.

Threat Context

Risk	Description
Provider-controlled keys	Provider or law enforcement can access data via PMK keys.
Unencrypted data at rest	Storage services use provider-default encryption without a CMK.
Key material in source code	Key material exposed in Terraform state, environment variables, or application code.
Disabled key rotation	Missing automatic key rotation increases the blast radius of a key compromise.
Missing deletion policy	Outdated key material persists after data deletion; GDPR Art. 17 cannot be fulfilled.

Risk

Description

Provider-controlled keys

Provider or law enforcement can access data via PMK keys.

Unencrypted data at rest

Storage services use provider-default encryption without a CMK.

Key material in source code

Key material exposed in Terraform state, environment variables, or application code.

Disabled key rotation

Missing automatic key rotation increases the blast radius of a key compromise.

Missing deletion policy

Outdated key material persists after data deletion; GDPR Art. 17 cannot be fulfilled.

Regulatory Mapping

Framework	Controls
GDPR	Art. 32 – Security of processing (encryption); Art. 17 – Right to erasure (cryptographic erasure via key deletion)
BSI C5:2020	CRY-01 – Cryptography policy; CRY-02 – Key management
EUCS (ENISA)	CRY-01 – Encryption at rest; CRY-03 – Key Management; SOV-03 – Customer key control
ISO 27001:2022	A.8.24 – Use of cryptography; A.8.25 – Secure development lifecycle
GAIA-X	Sovereign Cloud – Cryptographic self-determination

Framework

Controls

GDPR

Art. 32 – Security of processing (encryption); Art. 17 – Right to erasure (cryptographic erasure via key deletion)

BSI C5:2020

CRY-01 – Cryptography policy; CRY-02 – Key management

EUCS (ENISA)

CRY-01 – Encryption at rest; CRY-03 – Key Management; SOV-03 – Customer key control

ISO 27001:2022

A.8.24 – Use of cryptography; A.8.25 – Secure development lifecycle

GAIA-X

Sovereign Cloud – Cryptographic self-determination

Requirement

The key ownership model MUST be defined per data class in the data residency policy
For PII, health, and financial data: CMK or BYOK is mandatory; PMK explicitly prohibited
enable_key_rotation = true MUST be set on all KMS keys
deletion_window_in_days MUST be explicitly set to at least 14 days
S3 buckets with sovereign data MUST use aws:kms (not AES256)
All EBS volumes and RDS instances MUST be encrypted
Key material MUST NOT be stored in Terraform state, environment variables, or code

Implementation Guidance

Define key ownership model per data class: Specify in the data residency policy which data classes require CMK, BYOK, or PMK.
CMK for sensitive data: Create aws_kms_key / azurerm_key_vault_key / google_kms_crypto_key with enable_key_rotation = true.
BYOK/HYOK for critical data: Store key material in an HSM outside cloud provider control (e.g. Thales, Utimaco).
Set deletion window: Enforce deletion_window_in_days >= 14 to prevent accidental key destruction.
Protect key material: Never store in Terraform state, environment variables, or application code.
IAM key policies: Restrict key access to required services and principals.
Key access logging: Enable CloudTrail for KMS; configure alerts for unusual decryption patterns.
Test cryptographic erasure: Test GDPR Art. 17 compliance by deleting the key and verifying data inaccessibility.

Maturity Levels

Level	Name	Criteria
1	Encryption with provider-managed keys	Data at rest is encrypted; provider-managed keys used as default.
2	CMK for sensitive data classes	KMS CMKs for PII, financial, and health data; key rotation enabled.
3	Full key sovereignty posture	No PMK for sensitive data classes; key policies restrict access to required principals; key deletion policy defined and tested.
4	BYOK/HYOK for critical data with HSM backing	Critical data classes use BYOK or HYOK with external HSM; key material never exposed to cloud provider; key access monitoring with anomaly detection.
5	Automated key governance with cryptographic erasure capability	Cryptographic erasure tested for GDPR Art. 17; fully automated and auditable key lifecycle; HSM key ceremonies annually documented and audited.

Level

Name

Criteria

Encryption with provider-managed keys

Data at rest is encrypted; provider-managed keys used as default.

CMK for sensitive data classes

KMS CMKs for PII, financial, and health data; key rotation enabled.

Full key sovereignty posture

No PMK for sensitive data classes; key policies restrict access to required principals; key deletion policy defined and tested.

BYOK/HYOK for critical data with HSM backing

Critical data classes use BYOK or HYOK with external HSM; key material never exposed to cloud provider; key access monitoring with anomaly detection.

Automated key governance with cryptographic erasure capability

Cryptographic erasure tested for GDPR Art. 17; fully automated and auditable key lifecycle; HSM key ceremonies annually documented and audited.

Terraform Checks

waf-sov-050.tf.aws.kms-key-rotation-enabled

Checks: KMS keys must set enable_key_rotation = true.

Compliant Non-Compliant

Compliant	Non-Compliant
`resource "aws_kms_key" "sovereign" { description = "Sovereign data encryption key" enable_key_rotation = true deletion_window_in_days = 30 policy = data.aws_iam_policy_document.kms_policy.json }`	`resource "aws_kms_key" "data" { description = "Data key" # ❌ enable_key_rotation defaults to false }`

resource "aws_kms_key" "sovereign" {
  description             = "Sovereign data encryption key"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  policy = data.aws_iam_policy_document.kms_policy.json
}

resource "aws_kms_key" "data" {
  description = "Data key"
  # ❌ enable_key_rotation defaults to false
}

waf-sov-050.tf.aws.kms-key-deletion-window

Checks: deletion_window_in_days must be explicitly set and >= 14 days.

Compliant Non-Compliant

Compliant	Non-Compliant
`resource "aws_kms_key" "sovereign" { enable_key_rotation = true deletion_window_in_days = 30 # ✅ >= 14 }`	`resource "aws_kms_key" "data" { deletion_window_in_days = 7 # ❌ Too short – no sufficient review window }`

resource "aws_kms_key" "sovereign" {
  enable_key_rotation     = true
  deletion_window_in_days = 30  # ✅ >= 14
}

resource "aws_kms_key" "data" {
  deletion_window_in_days = 7
  # ❌ Too short – no sufficient review window
}

waf-sov-050.tf.aws.s3-bucket-kms-encryption

Checks: S3 buckets with sovereign data must use aws:kms (not AES256).

Compliant Non-Compliant

Compliant	Non-Compliant
`resource "aws_s3_bucket_server_side_encryption_configuration" "sovereign" { bucket = aws_s3_bucket.data.id rule { apply_server_side_encryption_by_default { sse_algorithm = "aws:kms" kms_master_key_id = aws_kms_key.sovereign.arn } bucket_key_enabled = true } }`	`resource "aws_s3_bucket_server_side_encryption_configuration" "data" { bucket = aws_s3_bucket.data.id rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" # ❌ Provider-Managed Key – not sovereign } } }`

resource "aws_s3_bucket_server_side_encryption_configuration" "sovereign" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.sovereign.arn
    }
    bucket_key_enabled = true
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
      # ❌ Provider-Managed Key – not sovereign
    }
  }
}

waf-sov-050.tf.aws.ebs-volume-encrypted

Checks: EBS volumes must set encrypted = true.

Compliant Non-Compliant

Compliant	Non-Compliant
`resource "aws_ebs_volume" "data" { availability_zone = "eu-central-1a" size = 100 encrypted = true kms_key_id = aws_kms_key.sovereign.arn }`	`resource "aws_ebs_volume" "data" { availability_zone = "eu-central-1a" size = 100 # ❌ encrypted defaults to false }`

resource "aws_ebs_volume" "data" {
  availability_zone = "eu-central-1a"
  size              = 100
  encrypted         = true
  kms_key_id        = aws_kms_key.sovereign.arn
}

resource "aws_ebs_volume" "data" {
  availability_zone = "eu-central-1a"
  size              = 100
  # ❌ encrypted defaults to false
}

waf-sov-050.tf.aws.rds-storage-encrypted

Checks: RDS instances must set storage_encrypted = true.

Compliant Non-Compliant

Compliant	Non-Compliant
`resource "aws_db_instance" "sovereign" { storage_encrypted = true kms_key_id = aws_kms_key.rds.arn # ... }`	`resource "aws_db_instance" "db" { # ❌ storage_encrypted defaults to false }`

resource "aws_db_instance" "sovereign" {
  storage_encrypted = true
  kms_key_id        = aws_kms_key.rds.arn
  # ...
}

resource "aws_db_instance" "db" {
  # ❌ storage_encrypted defaults to false
}

waf-sov-050.tf.azurerm.key-vault-soft-delete

Checks: Azure Key Vault must have soft delete and purge protection enabled.

Compliant Non-Compliant

Compliant	Non-Compliant
`resource "azurerm_key_vault" "sovereign" { name = "kv-sovereign-prod" location = var.azure_location resource_group_name = azurerm_resource_group.main.name sku_name = "premium" soft_delete_retention_days = 90 purge_protection_enabled = true # ✅ }`	`resource "azurerm_key_vault" "kv" { name = "kv-prod" sku_name = "standard" # ❌ purge_protection_enabled defaults to false }`

resource "azurerm_key_vault" "sovereign" {
  name                       = "kv-sovereign-prod"
  location                   = var.azure_location
  resource_group_name        = azurerm_resource_group.main.name
  sku_name                   = "premium"
  soft_delete_retention_days = 90
  purge_protection_enabled   = true  # ✅
}

resource "azurerm_key_vault" "kv" {
  name     = "kv-prod"
  sku_name = "standard"
  # ❌ purge_protection_enabled defaults to false
}

Evidence

Type Required Description

Type	Required	Description
IaC	✅ Required	KMS key resources with `enable_key_rotation = true` and explicit deletion window.
IaC	✅ Required	Encryption configurations for all data resources (S3, RDS, EBS) with CMK ARN reference.
Config	Optional	KMS key policy export with restricted principal access.
Process	Optional	Key rotation schedule and deletion procedure documentation.
Logs	Optional	CloudTrail/KMS access logs with key usage patterns.

IaC

✅ Required

KMS key resources with enable_key_rotation = true and explicit deletion window.

IaC

✅ Required

Encryption configurations for all data resources (S3, RDS, EBS) with CMK ARN reference.

Config

Optional

KMS key policy export with restricted principal access.

Process

Optional

Key rotation schedule and deletion procedure documentation.

Logs

Optional

CloudTrail/KMS access logs with key usage patterns.

Related Controls

Best Practice

Implement Key Sovereignty →