KMS CMK rotation should be enabled


It is recommended that users enable rotation for the customer created AWS Customer Master Keys (CMK). Rotating encryption keys helps reduce the potential impact of a compromised key as users cannot use the old key to access the data.

Console Remediation Steps

  • Navigate to IAM.

  • In the left navigation, select Encryption keys.

  • Select the customer created master key (CMK).

  • Select Key rotation and check the Automatically rotate this CMK every year.

  • Click Save.

CLI Remediation Steps

  • Enable Key Rotation:

    • aws kms enable-key-rotation --key-id <kms_key_id>