KMS crypto keys should be rotated at least once every 365 days

Description

Key rotation is a security best practice that helps reduce the potential impact of a compromised key and limits how much data any single key version protects, as deprecated or older keys can no longer be used.

Remediation Steps

Google Cloud Console

  • Navigate to Key Management

  • Select your key and click Edit Rotation Period.

  • From the Rotation Period drop-down, select 365.

  • From the Starting on drop-down, enter today’s date.

  • Click Save.

gcloud CLI

  • To rotate your key every 365 days (the rotation period takes a unit suffix, e.g. 365d, and the next rotation time is a timestamp):

gcloud kms keys update key-name \
    --location [your-location] \
    --keyring [your-key-ring-name] \
    --rotation-period 365d \
    --next-rotation-time [today's date]

Terraform

  • Ensure that rotation_period is set to no more than 365 days (specified in seconds; 365 days is 31536000s):

    • rotation_period = "31536000s"

Example

resource "google_kms_crypto_key" "example-key" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "31536000s"
}
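To verify the rule across a project rather than one key at a time, the following added example (not part of the original page) evaluates crypto key records shaped like the JSON that gcloud kms keys list --format=json emits. The field names name, purpose and rotationPeriod are assumed from that output, and the sample records are constructed.

```python
# Added example: flag Cloud KMS keys whose rotation period exceeds 365 days.
# Input is shaped like `gcloud kms keys list --format=json` output (field
# names name, purpose, rotationPeriod assumed from that output).
import json
import re

MAX_ROTATION_SECONDS = 365 * 24 * 60 * 60  # 31536000s, the page's value

# Constructed sample records, not real keys.
SAMPLE_KEYS_JSON = json.dumps([
    {"name": "projects/p/locations/us/keyRings/r/cryptoKeys/ok-key",
     "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "31536000s"},
    {"name": "projects/p/locations/us/keyRings/r/cryptoKeys/slow-key",
     "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "63072000s"},
    {"name": "projects/p/locations/us/keyRings/r/cryptoKeys/manual-key",
     "purpose": "ENCRYPT_DECRYPT"},
    {"name": "projects/p/locations/us/keyRings/r/cryptoKeys/sign-key",
     "purpose": "ASYMMETRIC_SIGN"},
])


def parse_duration_seconds(value):
    """Parse a KMS duration string such as '31536000s' into seconds."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)s", value)
    if not m:
        raise ValueError(f"unexpected duration format: {value!r}")
    return float(m.group(1))


def check_key(key):
    """Return (short name, status, reason) for one crypto key record."""
    name = key["name"].rsplit("/", 1)[-1]
    # Automatic rotation only applies to symmetric ENCRYPT_DECRYPT keys.
    if key.get("purpose") != "ENCRYPT_DECRYPT":
        return name, "SKIP", "not a symmetric encryption key"
    period = key.get("rotationPeriod")
    if period is None:
        return name, "FAIL", "no automatic rotation configured"
    if parse_duration_seconds(period) > MAX_ROTATION_SECONDS:
        return name, "FAIL", f"rotation period {period} exceeds 365 days"
    return name, "PASS", f"rotation period {period}"


def check_keys(keys_json):
    """Evaluate every key in a gcloud JSON listing."""
    return [check_key(k) for k in json.loads(keys_json)]


if __name__ == "__main__":
    for name, status, reason in check_keys(SAMPLE_KEYS_JSON):
        print(f"{status:4} {name}: {reason}")
```

Keys without any rotationPeriod are reported as failing because they will never rotate automatically; asymmetric keys are skipped since Cloud KMS does not rotate them automatically.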