KMS CMK rotation should be enabled

Description

It is recommended that automatic rotation be enabled for customer managed AWS KMS keys (formerly called Customer Master Keys, CMKs). With rotation enabled, KMS generates new cryptographic material for the key on a schedule (every year by default); new encryption operations use the latest material, while KMS keeps the earlier versions so that data already encrypted under them can still be decrypted. Rotation therefore does not revoke access through a compromised key version, but it bounds how much data is protected by any single version of the key material, which narrows the blast radius of a compromise and avoids long-lived key reuse. Automatic rotation is only available for symmetric customer managed keys whose material was generated by KMS in the default key store: asymmetric keys, HMAC keys, keys with imported key material and keys in custom key stores cannot be rotated automatically and must be rotated manually (create a new key and move the alias to it), and AWS managed keys are rotated by AWS with no configurable setting.

Remediation Steps

AWS Console

  • Navigate to KMS.

  • In the left navigation, select Customer managed keys.

  • Select the customer created master key (CMK).

  • Select Key rotation and check the Automatically rotate this CMK every year.

  • Click Save.

AWS CLI

  • Enable Key Rotation (the call is rejected with UnsupportedOperationException for key types that do not support automatic rotation, such as asymmetric and HMAC keys):

    • aws kms enable-key-rotation --key-id <kms_key_id>

  • Verify that rotation is now reported as enabled (KeyRotationEnabled should be true):

    • aws kms get-key-rotation-status --key-id <kms_key_id>
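The CLI commands above act on one key at a time and fail on key types that cannot be rotated automatically. The following script is an added example written for this page (it is not AWS code): it classifies every key in an inventory according to the eligibility rules from the Description (customer managed, SYMMETRIC_DEFAULT, KMS-generated material, not a replica, not pending deletion) and only calls EnableKeyRotation for keys that actually need it. The classification is pure and runs offline on the constructed SAMPLE_KEYS list, whose key IDs are made up; remediate_account() is the optional live path and assumes boto3 plus the kms:ListKeys, kms:DescribeKey, kms:GetKeyRotationStatus and kms:EnableKeyRotation permissions.

```python
"""Audit customer managed KMS keys and plan/enable automatic rotation.

Added example for this page, not AWS code. The classification logic is pure
and runs offline on constructed KeyMetadata dicts (same shape as DescribeKey
returns); remediate_account() is the optional live path and needs boto3 plus
kms:ListKeys, kms:DescribeKey, kms:GetKeyRotationStatus, kms:EnableKeyRotation.
"""
from __future__ import annotations

NEEDS_ROTATION = "needs_rotation"
ROTATING = "already_rotating"
SKIP = "skip"


def classify_key(meta: dict, rotation_enabled: bool | None) -> tuple[str, str]:
    """Return (verdict, reason) for one key.

    meta is the KeyMetadata dict from DescribeKey; rotation_enabled is
    KeyRotationEnabled from GetKeyRotationStatus (None if not queried).
    Only symmetric, customer managed, KMS-generated keys in the default key
    store can be rotated automatically. Everything else is reported with a
    reason so it can be rotated manually (new key, then move the alias).
    """
    if meta.get("KeyManager") != "CUSTOMER":
        return SKIP, "AWS managed key: AWS rotates it, setting cannot be changed"
    spec = meta.get("KeySpec", "SYMMETRIC_DEFAULT")
    if spec != "SYMMETRIC_DEFAULT":
        return SKIP, f"{spec}: asymmetric and HMAC keys have no automatic rotation"
    origin = meta.get("Origin", "AWS_KMS")
    if origin != "AWS_KMS":
        return SKIP, f"origin {origin}: imported or custom key store material is not rotated by KMS"
    mrc = meta.get("MultiRegionConfiguration") or {}
    if mrc.get("MultiRegionKeyType") == "REPLICA":
        return SKIP, "replica key: rotation is configured on the primary key"
    if meta.get("KeyState") == "PendingDeletion":
        return SKIP, "key is pending deletion"
    if rotation_enabled:
        return ROTATING, "automatic rotation already enabled"
    return NEEDS_ROTATION, "symmetric customer managed key without rotation"


def plan(keys: list[tuple[dict, bool | None]]) -> dict[str, list[str]]:
    """Group (KeyMetadata, KeyRotationEnabled) pairs by verdict, preserving order."""
    out: dict[str, list[str]] = {NEEDS_ROTATION: [], ROTATING: [], SKIP: []}
    for meta, enabled in keys:
        verdict, _reason = classify_key(meta, enabled)
        out[verdict].append(meta["KeyId"])
    return out


# Constructed sample inventory (made-up key IDs, not real keys); the second
# element is what GetKeyRotationStatus would return, None where not queried.
SAMPLE_KEYS: list[tuple[dict, bool | None]] = [
    ({"KeyId": "k-sym", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
      "Origin": "AWS_KMS", "KeyState": "Enabled"}, False),
    ({"KeyId": "k-ok", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
      "Origin": "AWS_KMS", "KeyState": "Enabled"}, True),
    ({"KeyId": "k-rsa", "KeyManager": "CUSTOMER", "KeySpec": "RSA_2048",
      "Origin": "AWS_KMS", "KeyState": "Enabled"}, None),
    ({"KeyId": "k-ext", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
      "Origin": "EXTERNAL", "KeyState": "Enabled"}, None),
    ({"KeyId": "k-aws", "KeyManager": "AWS", "KeySpec": "SYMMETRIC_DEFAULT",
      "Origin": "AWS_KMS", "KeyState": "Enabled"}, True),
    ({"KeyId": "k-replica", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
      "Origin": "AWS_KMS", "KeyState": "Enabled",
      "MultiRegionConfiguration": {"MultiRegionKeyType": "REPLICA"}}, None),
]


def remediate_account(dry_run: bool = True) -> list[tuple[str, str, str]]:
    """Live path: walk every key in the account/region and enable rotation
    where classify_key says it is needed. dry_run=True only reports."""
    import boto3  # imported here so the offline functions above need no SDK

    kms = boto3.client("kms")
    results = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            status = None
            if meta["KeyManager"] == "CUSTOMER":
                status = kms.get_key_rotation_status(KeyId=meta["KeyId"])["KeyRotationEnabled"]
            verdict, reason = classify_key(meta, status)
            if verdict == NEEDS_ROTATION and not dry_run:
                kms.enable_key_rotation(KeyId=meta["KeyId"])  # yearly by default
            results.append((meta["KeyId"], verdict, reason))
    return results


if __name__ == "__main__":
    for verdict, ids in plan(SAMPLE_KEYS).items():
        print(f"{verdict}: {ids}")
```

Run it as-is to see the offline classification of the sample inventory; call remediate_account(dry_run=False) with credentials for the target account and region to apply the change. The skipped keys are the ones to rotate manually, which is the part a blanket enable-key-rotation loop would have silently failed on.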

CloudFormation

JSON

{
  "Properties": {
    "EnableKeyRotation": true
  }
}
JSON Example Configuration (JSON does not allow comments, so any other properties such as KeyPolicy or Description go inside "Properties"; EnableKeyRotation is only accepted when KeySpec is SYMMETRIC_DEFAULT and the key material is KMS-generated, otherwise stack creation fails)
{
  "Type": "AWS::KMS::Key",
  "Properties": {
    "EnableKeyRotation": true
  }
}

YAML

Properties:
  EnableKeyRotation: true
YAML Example Configuration
Type: AWS::KMS::Key
Properties:
  EnableKeyRotation: true
# other required fields here

Terraform

  • Ensure that the aws_kms_key resource's enable_key_rotation argument is set to true (a boolean, not the string "true"). This is only valid for symmetric keys with KMS-generated material, that is, customer_master_key_spec left at its default SYMMETRIC_DEFAULT; for asymmetric or HMAC specs the AWS API rejects the setting and terraform apply fails.

Example Configuration

resource "aws_kms_key" "example" {
  enable_key_rotation = true
  # other required fields here
}