Published on: 12/3/2025
In the Centers for Medicare & Medicaid Services (CMS) cloud environment, encryption cannot live in silos. Network encryption protects data in transit, and data encryption secures it at rest; only when these domains are linked, monitored, and validated programmatically can they drive true Zero Trust maturity together.
The CMS ZTMF-Terraform KMS Alerts repository makes that vision a reality by quickly terraforming the five most critical Key Management Service (KMS) alerts for fast, reliable deployment into CMS environments:
- Unauthorized access
- Key policy changes
- Scheduled deletions
- Untrusted region usage
- Key rotation
Visit the ZTMF-Terraform KMS Alerts repository in CMS GitHub (requires CMS login).
Why linking encryption matters
Network encryption safeguards data from interception and tampering as it travels between systems, APIs, or regions. This includes technologies like Transport Layer Security (TLS), Virtual Private Network (VPN) tunnels, and secure communication between services. Data encryption, on the other hand, protects the confidentiality and integrity of stored data, often using KMS to enforce it.
Individually, these practices reduce risk. But when they are integrated into a programmatically enforced framework, they enable us to:
- Detect unauthorized or suspicious activity instantly
- Prevent misconfigurations from weakening our security posture
- Meet compliance standards through evidence-based monitoring
- Progress from a traditional Zero Trust stance to a more advanced maturity
Introducing the KMS alerts repo for CMS teams
To help teams operationalize these concepts, we created the ZTMF-Terraform KMS Alerts repository (requires CMS login).
This educational repository provides a comprehensive set of Terraform configurations for monitoring and alerting on AWS Key Management Service (KMS) activities. It demonstrates best practices for detecting potentially suspicious or unauthorized KMS operations through CloudWatch and Config metrics and alarms.
Key features of the KMS alerts repo
- Security monitoring: Leverage AWS CloudTrail and CloudWatch to alert on unauthorized access attempts, key policy changes, and scheduled key deletions.
- Regional compliance: CloudWatch alerts when KMS operations occur outside trusted regions.
- Automated remediation: Lambda function automatically enables key rotation via AWS Config.
- Immediate notifications: SNS-based alerting keeps security teams informed in real time.
- Centralized config: Terraform locals for easy scaling across multiple accounts and regions.
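To make the alert conditions above concrete, here is an added example (not code from the ZTMF-Terraform KMS Alerts repository) that applies the same predicates the CloudWatch metric filters express to a batch of CloudTrail records. The records are constructed for the example, the trusted-region set is an assumption, and treating a `DisableKeyRotation` call as an alert is an assumption as well (the repository handles rotation through AWS Config and Lambda rather than a log filter).

```python
import json

# Assumption: the regions this environment considers trusted. The repository
# keeps its own list in locals.tf; these two values are made up for the example.
TRUSTED_REGIONS = {"us-east-1", "us-west-2"}

# KMS API actions the alerts key on (real KMS action names).
POLICY_CHANGE_ACTIONS = {"PutKeyPolicy"}
DELETION_ACTIONS = {"ScheduleKeyDeletion"}
ROTATION_ACTIONS = {"DisableKeyRotation"}
# CloudTrail reports authorization failures in errorCode; both spellings occur.
ACCESS_DENIED_CODES = {"AccessDenied", "AccessDeniedException"}


def classify_event(record):
    """Return the list of alert names a single CloudTrail record should raise.

    A record can trigger several alerts (for example, a ScheduleKeyDeletion
    issued from an untrusted region), or none at all.
    """
    if record.get("eventSource") != "kms.amazonaws.com":
        return []
    alerts = []
    name = record.get("eventName", "")
    if record.get("errorCode") in ACCESS_DENIED_CODES:
        alerts.append("unauthorized_kms_access")
    if name in POLICY_CHANGE_ACTIONS:
        alerts.append("key_policy_change")
    if name in DELETION_ACTIONS:
        alerts.append("schedule_key_deletion")
    if name in ROTATION_ACTIONS:
        alerts.append("key_rotation_disabled")
    if record.get("awsRegion") not in TRUSTED_REGIONS:
        alerts.append("kms_untrusted_region")
    return alerts


def summarize(records):
    """Count how many records would fire each alert, as a CloudWatch metric would."""
    counts = {}
    for record in records:
        for alert in classify_event(record):
            counts[alert] = counts.get(alert, 0) + 1
    return counts


# Constructed sample records in the shape CloudTrail writes to CloudWatch Logs
# (only the fields the checks read; nothing here comes from a real account).
SAMPLE_TRAIL = json.loads("""
{"Records": [
  {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
   "awsRegion": "us-east-1", "errorCode": "AccessDenied"},
  {"eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy",
   "awsRegion": "us-east-1"},
  {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
   "awsRegion": "eu-west-1"},
  {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
   "awsRegion": "us-west-2"},
  {"eventSource": "kms.amazonaws.com", "eventName": "DisableKeyRotation",
   "awsRegion": "us-east-1"},
  {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
   "awsRegion": "eu-west-1"}
]}
""")["Records"]


if __name__ == "__main__":
    for alert, count in sorted(summarize(SAMPLE_TRAIL).items()):
        print(f"{alert}: {count}")
```

The region check deliberately runs on every KMS record, not only on failures: a successful `Decrypt` from an unexpected region is exactly the signal the untrusted-region alert exists for, and a record that is both a deletion and out of region should raise both alerts rather than be counted once.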
Repository structure
File name | Function
--- | ---
locals.tf | Centralized configuration values
shared_resources.tf | Shared SNS topic and subscriptions
enable_key_rotation.tf | Lambda for automatic key rotation remediation
key_policy_change.tf | Alert for KMS key policy modifications
kms_untrusted_region.tf | Alert for KMS usage in untrusted regions
schedule_key_deletion.tf | Alert for scheduled key deletions
unauthorized_kms_access.tf | Alert for unauthorized KMS access attempts
Makefile | Development workflow automation
How this improves Zero Trust maturity
Zero Trust emphasizes ongoing validation: never trust, always verify. Both the Traffic Encryption function and the Data Encryption function require rotation of keys and general cryptographic agility to meet the Advanced maturity level. Linking network and data encryption also offers the following enhancements:
- Visibility: via continuous monitoring of KMS operations and logging anomalies
- Control enforcement: via network encryption securing data in transit and data encryption securing it at rest
- Programmatic checks: via AWS Config rules that continuously evaluate KMS key configuration, such as rotation status
- Response automation: via Lambda functions that remediate issues in near real time
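The following is an added example of the Config-to-Lambda remediation loop described above; it is not the repository's own `enable_key_rotation.tf` Lambda. It assumes the function is invoked with an EventBridge "Config Rules Compliance Change" event (the event shape below is an assumption), that the resource reported is a customer-managed symmetric key (the only kind for which `EnableKeyRotation` is supported), and that `boto3` is available in the Lambda runtime. The `FakeKms` class and the key ID are constructed so the example runs offline.

```python
def key_id_from_event(event):
    """Extract the KMS key ID from a Config compliance-change event.

    Returns None for anything that is not a NON_COMPLIANT AWS::KMS::Key,
    so the handler ignores unrelated rules and already-compliant keys.
    """
    detail = event.get("detail", {})
    if detail.get("resourceType") != "AWS::KMS::Key":
        return None
    result = detail.get("newEvaluationResult", {})
    if result.get("complianceType") != "NON_COMPLIANT":
        return None
    return detail.get("resourceId")


def remediate(event, kms_client=None):
    """Enable rotation on the non-compliant key and report what was done.

    kms_client is injectable for testing; in Lambda it defaults to boto3's
    KMS client, which exposes get_key_rotation_status and enable_key_rotation.
    """
    key_id = key_id_from_event(event)
    if key_id is None:
        return {"action": "ignored", "key_id": None}
    if kms_client is None:
        import boto3  # imported lazily so the example runs without boto3 installed
        kms_client = boto3.client("kms")
    # Re-check live state: Config evaluations can lag, and a second invocation
    # for the same key should be a no-op rather than a redundant API call.
    status = kms_client.get_key_rotation_status(KeyId=key_id)
    if status.get("KeyRotationEnabled"):
        return {"action": "already_enabled", "key_id": key_id}
    kms_client.enable_key_rotation(KeyId=key_id)
    return {"action": "enabled", "key_id": key_id}


def lambda_handler(event, context):
    """Lambda entry point; the runtime supplies event and context."""
    return remediate(event)


class FakeKms:
    """Constructed stand-in for boto3's KMS client so the example runs offline."""

    def __init__(self, rotation_state):
        self.rotation_state = dict(rotation_state)
        self.calls = []

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self.rotation_state.get(KeyId, False)}

    def enable_key_rotation(self, KeyId):
        self.calls.append(("enable_key_rotation", KeyId))
        self.rotation_state[KeyId] = True


# Placeholder key ID and a constructed compliance-change event (assumed shape).
SAMPLE_KEY_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "resourceType": "AWS::KMS::Key",
        "resourceId": SAMPLE_KEY_ID,
        "configRuleName": "cmk-backing-key-rotation-enabled",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}


if __name__ == "__main__":
    fake = FakeKms({SAMPLE_KEY_ID: False})
    print(remediate(SAMPLE_EVENT, kms_client=fake))
    print(remediate(SAMPLE_EVENT, kms_client=fake))
```

Returning a structured result rather than only logging lets the invocation record feed the SNS notification path the repository uses, so a security team sees both that rotation was disabled and that it was restored.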
The power of pairing
By pairing network encryption enforcement with data encryption monitoring and alerting, we can move beyond static compliance and into continuous Zero Trust validation.
- Network encryption ensures traffic confidentiality
- Data encryption ensures stored data confidentiality
- KMS alerts tie them together programmatically for our CMS ADOs
This layered approach enhances your Key Management Plan (KM Plan) and demonstrates maturity that can be audited and validated.
What to do next
For CMS teams interested in achieving higher Zero Trust maturity in the cloud, the path forward is clear:
1. Check your environment — is encryption integrated or operating separately?
2. Use the ZTMF-Terraform KMS Alerts repo to enforce your KM Plan automatically.
3. Automate remediation whenever possible to minimize manual work and human mistakes.
Conclusion
For CMS, mission data protection isn’t just about controls — it’s about confidence. When network and data encryption converge and are continuously validated, security evolves into a measurable, automated force that propels CMS forward on its Zero Trust journey.
About the author
William Hardison, M.S. is a Senior Compliance Engineer for the Zero Trust Team at Centers for Medicare & Medicaid Services (CMS). He has deep expertise in building secure, scalable, and compliant cloud environments across AWS, Azure, and multi-cloud infrastructures.