KMS CMK rotation should be enabled


It is recommended that users enable rotation for customer-created AWS Customer Master Keys (CMKs). Rotating encryption keys helps reduce the potential impact of a compromised key, because data encrypted with the new key material cannot be accessed with the previous key.

Remediation Steps

AWS Console

  • Navigate to KMS.

  • In the left navigation, select Customer managed keys.

  • Select the customer created master key (CMK).

  • Select Key rotation and check Automatically rotate this CMK every year.

  • Click Save.


AWS CLI

  • Enable Key Rotation:

    • aws kms enable-key-rotation --key-id <kms_key_id>
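
To find which keys still need the command above, this added example (not part of the original page) audits the current region with the AWS CLI. The function name audit_kms_rotation is hypothetical, and it assumes credentials that allow kms:ListKeys, kms:DescribeKey and kms:GetKeyRotationStatus.

```shell
# Added example, not from the original page. Function name is hypothetical.
# Prints the ID of every customer managed key in the current region that
# supports automatic rotation but does not have it enabled.
# Exit status: 0 = all compliant, 1 = findings, 2 = an AWS CLI call failed.
# Usage: source this file, then run: audit_kms_rotation
audit_kms_rotation() (
  rc=0
  keys=$(aws kms list-keys --query 'Keys[].KeyId' --output text) || exit 2
  for key_id in $keys; do
    meta=$(aws kms describe-key --key-id "$key_id" \
      --query 'KeyMetadata.[KeyManager,KeyState,KeySpec,Origin]' \
      --output text) || { rc=2; continue; }
    # Split the tab-separated fields into $1..$4
    set -- $meta
    [ "$1" = "CUSTOMER" ] || continue           # AWS managed keys are not the customer's to configure
    [ "$2" = "Enabled" ] || continue            # this audit skips disabled and pending-deletion keys
    [ "$3" = "SYMMETRIC_DEFAULT" ] || continue  # asymmetric and HMAC keys cannot auto-rotate
    [ "$4" = "AWS_KMS" ] || continue            # imported or custom key store material cannot auto-rotate
    status=$(aws kms get-key-rotation-status --key-id "$key_id" \
      --query 'KeyRotationEnabled' --output text) || { rc=2; continue; }
    case "$status" in
      [Tt]rue) ;;                               # rotation already enabled
      *) echo "$key_id"; [ "$rc" -eq 2 ] || rc=1 ;;
    esac
  done
  exit "$rc"
)
```

Each printed key ID can be passed to aws kms enable-key-rotation --key-id as shown above; the audit covers one region per run.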


Terraform

  • Ensure that the aws_kms_key enable_key_rotation field is set to “true”.

Example Configuration

resource "aws_kms_key" "example" {
  # Enables automatic rotation of the key material
  enable_key_rotation = true
  # other required fields here
}