KMS CMK rotation should be enabled
Description
It is recommended that users enable rotation for customer-created AWS Customer Master Keys (CMKs). Rotating encryption keys helps reduce the potential impact of a compromised key, because users cannot use the old key to access the data.
Remediation Steps
AWS Console
Navigate to KMS.
In the left navigation, select Customer managed keys.
Select the customer created master key (CMK).
Select Key rotation and check Automatically rotate this CMK every year.
Click Save.
AWS CLI
Enable Key Rotation:
aws kms enable-key-rotation --key-id <kms_key_id>
CloudFormation
JSON
Ensure that an AWS::KMS::Key resource has the EnableKeyRotation field set to true:
{
  "Properties": {
    "EnableKeyRotation": true
  }
}
JSON Example Configuration
{
  "Type": "AWS::KMS::Key",
  "Properties": {
    "EnableKeyRotation": true
  }
}
Other required fields are omitted; JSON does not allow comments, so they cannot be marked inline as in the YAML and Terraform examples.
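As an added example (not part of the original page or of any scanner it describes), the following Python script applies the CloudFormation JSON check above to a template: it reports each AWS::KMS::Key resource as PASS, FAIL or SKIP, treating CloudFormation's string form "true" as enabled and skipping keys where AWS does not support automatic rotation (asymmetric or HMAC KeySpec, or imported key material with Origin EXTERNAL). The SAMPLE_TEMPLATE and all logical resource names are constructed for the demonstration.

```python
import json

# Constructed sample template (not from the page): AWS::KMS::Key resources
# covering the pass, fail and out-of-scope cases a template scanner must handle.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "GoodKey": {"Type": "AWS::KMS::Key",
                    "Properties": {"EnableKeyRotation": True}},
        "MissingFlag": {"Type": "AWS::KMS::Key", "Properties": {}},
        "DisabledFlag": {"Type": "AWS::KMS::Key",
                         "Properties": {"EnableKeyRotation": False}},
        "AsymmetricKey": {"Type": "AWS::KMS::Key",
                          "Properties": {"KeySpec": "RSA_4096",
                                         "KeyUsage": "SIGN_VERIFY"}},
        "NotAKey": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
})


def rotation_supported(props):
    """KMS automatic rotation applies only to symmetric keys whose material KMS
    generated; asymmetric/HMAC specs and Origin EXTERNAL are out of scope."""
    spec = props.get("KeySpec", "SYMMETRIC_DEFAULT")
    origin = props.get("Origin", "AWS_KMS")
    return spec == "SYMMETRIC_DEFAULT" and origin == "AWS_KMS"


def rotation_enabled(props):
    """CloudFormation accepts a boolean or the strings 'true'/'false' here;
    an absent field defaults to rotation disabled."""
    value = props.get("EnableKeyRotation", False)
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return value is True


def audit_template(template_text):
    """Return {logical_id: 'PASS' | 'FAIL' | 'SKIP'} for every AWS::KMS::Key."""
    template = json.loads(template_text)
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::KMS::Key":
            continue  # only KMS keys are in scope for this check
        props = resource.get("Properties") or {}
        if not rotation_supported(props):
            results[logical_id] = "SKIP"
        elif rotation_enabled(props):
            results[logical_id] = "PASS"
        else:
            results[logical_id] = "FAIL"
    return results


if __name__ == "__main__":
    for key, verdict in audit_template(SAMPLE_TEMPLATE).items():
        print(f"{verdict}: {key}")
```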
YAML
Ensure that an AWS::KMS::Key resource has the EnableKeyRotation field set to true:
Properties:
  EnableKeyRotation: true
YAML Example Configuration
Type: AWS::KMS::Key
Properties:
  EnableKeyRotation: true
  # other required fields here
Terraform
Ensure that the aws_kms_key resource has the enable_key_rotation field set to true.
Example Configuration
resource "aws_kms_key" "example" {
  enable_key_rotation = true
  # other required fields here
}