DS-003

Customer-Managed Encryption Keys (CMK)

HIGHData SecurityHigh Complexity4-8 hours

Description

Use customer-managed keys (CMK) for encryption at rest to maintain full control over key lifecycle, rotation, and revocation — required for highly regulated environments such as HIPAA and PCI-DSS

Prerequisites

→Platform-managed encryption verified (DS-001)
→Cloud KMS service configured (AWS KMS / Azure Key Vault / GCP Cloud KMS)
→Key management policy defined (rotation, access, revocation)
→Understanding of Databricks managed services and notebook storage encryption

Impact Analysis

Security

Improves security posture

95%

Compliance

Meets compliance requirements

95%

Complexity

Implementation complexity

65%

Cost

Resource cost impact

30%

Required Permissions

Account AdminCloud KMS Admin

Related Controls

DS-002

CRITICAL

Enable Encryption in Transit

Data Security

DS-001

CRITICAL

Encryption at Rest (Platform-Managed)

Data Security

← Back to Controls Browse Problems →