KMS crypto keys should be rotated at least once every 365 days


Key rotation is a security best practice that reduces the potential impact of a compromised key, because users cannot use deprecated or older keys.

Remediation Steps

Google Cloud Console

  • Navigate to Key Management.

  • Select your key and click Edit Rotation Period.

  • From the Rotation Period drop-down, select 365.

  • From the Starting on drop-down, enter today’s date.

  • Click Save.

gcloud CLI

  • To rotate your key every 365 days:

# The rotation period takes a duration with a unit: 365d is 365 days.
gcloud kms keys update [your-key-name] \
    --location [your-location] \
    --keyring [your-key-ring-name] \
    --rotation-period 365d \
    --next-rotation-time [today's date]
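
To confirm the setting across a whole key ring, the following added example (not part of the original page) audits the JSON returned by `gcloud kms keys list --format=json` against the 365-day limit. The project, key ring and key names are constructed, and the handling of non-symmetric keys goes beyond the page: Cloud KMS rotates only symmetric ENCRYPT_DECRYPT keys automatically.

```python
import json

MAX_ROTATION_SECONDS = 365 * 24 * 60 * 60  # 31536000s, the limit used on this page

# Constructed sample of `gcloud kms keys list --format=json` output.
# Project, key ring and key names are hypothetical.
RING = "projects/example-project/locations/global/keyRings/example-ring"
SAMPLE_KEYS_JSON = json.dumps([
    {"name": RING + "/cryptoKeys/rotated-yearly",
     "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "31536000s"},
    {"name": RING + "/cryptoKeys/rotated-rarely",
     "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "63072000s"},
    {"name": RING + "/cryptoKeys/never-rotated", "purpose": "ENCRYPT_DECRYPT"},
    {"name": RING + "/cryptoKeys/signing-key", "purpose": "ASYMMETRIC_SIGN"},
])


def parse_duration_seconds(value):
    """Parse a Cloud KMS duration string such as '31536000s' into seconds."""
    if not isinstance(value, str) or not value.endswith("s"):
        raise ValueError(f"unexpected duration format: {value!r}")
    return float(value[:-1])


def audit_keys(keys, max_seconds=MAX_ROTATION_SECONDS):
    """Return {key_name: finding} for every key that needs attention."""
    findings = {}
    for key in keys:
        name = key.get("name", "<unnamed>")
        # Only symmetric ENCRYPT_DECRYPT keys support a rotation schedule;
        # other purposes carry no rotationPeriod and are rotated by hand.
        if key.get("purpose") != "ENCRYPT_DECRYPT":
            findings[name] = "manual rotation only"
            continue
        period = key.get("rotationPeriod")
        if period is None:
            findings[name] = "no rotation period set"
        elif parse_duration_seconds(period) > max_seconds:
            findings[name] = f"rotation period {period} exceeds {max_seconds}s"
    return findings


if __name__ == "__main__":
    for name, finding in audit_keys(json.loads(SAMPLE_KEYS_JSON)).items():
        print(f"REVIEW {name}: {finding}")
```

In practice, replace the sample with the real command output, for example by piping it into `json.load(sys.stdin)`.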


Terraform

  • Ensure that the rotation_period is set to no more than 365 days (specified in seconds):

    • rotation_period = "31536000s"


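resource "google_kms_crypto_key" "example-key" {
  name            = "crypto-key-example"
  # Placeholder: the ID of the key ring that holds this key.
  key_ring        = "[your-key-ring-id]"
  # 365 days, expressed in seconds.
  rotation_period = "31536000s"
}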