KMS crypto keys should be rotated at least once every 365 days
Description
Key rotation is a security best practice that limits the impact of a compromised key, because users cannot keep using deprecated or older keys once a new key version is in place.
Remediation Steps
Google Cloud Console
Navigate to Key Management.
Select your key and click Edit Rotation Period.
From the Rotation Period drop-down, select 365 days.
From the Starting on drop-down, enter today's date.
Click Save.
gcloud CLI
To rotate your key every 365 days (the rotation period is a duration and needs a unit; a bare number is read as seconds, so write 365d, and the next rotation time is an RFC 3339 timestamp):
gcloud kms keys update [your-key-name] \
    --location [your-location] \
    --keyring [your-key-ring-name] \
    --rotation-period 365d \
    --next-rotation-time [today's date in RFC 3339 form]
Terraform
Ensure that rotation_period is set to no more than 365 days. The value is specified in seconds, and 31536000s is exactly 365 days:
rotation_period = "31536000s"
Example
resource "google_kms_crypto_key" "example-key" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "31536000s"
}
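To check the setting across many keys rather than one at a time, the following audit script (an added example, not part of the original rule) parses the JSON that `gcloud kms keys list --location LOC --keyring RING --format=json` emits and flags every key whose rotation period is longer than 365 days, whose next rotation is more than 365 days away, or which has automatic rotation disabled. Only ENCRYPT_DECRYPT keys support automatic rotation in Cloud KMS, so asymmetric and MAC keys are skipped rather than reported. The key records and the audit timestamp below are constructed for the example; `parse_duration` also accepts the d/h/m shorthand that gcloud takes on `--rotation-period`, which makes the unit pitfall visible: a bare `365` is rejected instead of silently meaning 365 seconds.

```python
"""Audit Cloud KMS keys for a rotation period of at most 365 days.

Added example, not the rule's own code. Input is the CryptoKey resource
list as printed by `gcloud kms keys list ... --format=json`, where
`rotationPeriod` is a seconds-suffixed duration ("31536000s") and
`nextRotationTime` is an RFC 3339 timestamp. Sample data is constructed.
"""
import json
import re
from datetime import datetime, timedelta, timezone

MAX_ROTATION = timedelta(days=365)

# Only symmetric encryption keys support automatic rotation in Cloud KMS.
ROTATABLE_PURPOSES = {"ENCRYPT_DECRYPT"}

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Parse '31536000s', '365d' or '2h30m' into a timedelta.

    Every component must carry a unit; a bare number such as '365' raises
    ValueError instead of being guessed as seconds or days.
    """
    total = 0.0
    pos = 0
    for m in re.finditer(r"(\d+(?:\.\d+)?)([smhd])", text):
        if m.start() != pos:
            raise ValueError(f"bad duration: {text!r}")
        total += float(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=total)


def audit_keys(keys, now):
    """Return a list of (key_name, finding) for keys violating the rule."""
    findings = []
    for key in keys:
        name = key["name"]
        if key.get("purpose") not in ROTATABLE_PURPOSES:
            continue  # no rotationPeriod on asymmetric/MAC keys
        period = key.get("rotationPeriod")
        if period is None:
            findings.append((name, "automatic rotation disabled"))
            continue
        rot = parse_duration(period)
        if rot > MAX_ROTATION:
            findings.append((name, f"rotation period {rot.days} days exceeds 365"))
        nxt = key.get("nextRotationTime")
        if nxt:
            # fromisoformat() needs an explicit offset on older Pythons
            when = datetime.fromisoformat(nxt.replace("Z", "+00:00"))
            if when - now > MAX_ROTATION:
                findings.append((name, "next rotation is more than 365 days away"))
    return findings


# Constructed sample output; key names shortened to a fake project/ring.
SAMPLE_KEYS = json.loads("""[
 {"name": "projects/p/locations/global/keyRings/r/cryptoKeys/good",
  "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "7776000s",
  "nextRotationTime": "2024-09-01T00:00:00Z"},
 {"name": "projects/p/locations/global/keyRings/r/cryptoKeys/slow",
  "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "63072000s",
  "nextRotationTime": "2026-06-01T00:00:00Z"},
 {"name": "projects/p/locations/global/keyRings/r/cryptoKeys/never",
  "purpose": "ENCRYPT_DECRYPT"},
 {"name": "projects/p/locations/global/keyRings/r/cryptoKeys/signing",
  "purpose": "ASYMMETRIC_SIGN"}
]""")

# Fixed audit time so the sample is reproducible (constructed).
AUDIT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)


def audit_sample():
    """Run the audit over the constructed records."""
    return audit_keys(SAMPLE_KEYS, AUDIT_TIME)


if __name__ == "__main__":
    for name, finding in audit_sample():
        print(f"{name.rsplit('/', 1)[1]}: {finding}")
```

Against live output, replace `SAMPLE_KEYS` with `json.load()` of the gcloud result and `AUDIT_TIME` with `datetime.now(timezone.utc)`; the 90-day key passes, the 730-day key is reported twice (period and next rotation), the key without rotation once, and the signing key is skipped.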