KMS keys should be rotated every 90 days or less


Remediation Steps

KMS keys should be rotated frequently because rotation helps reduce the potential impact of a compromised key as users cannot use the old key to access the data.

Google Cloud Console

  • Navigate to KMS.

  • Select the specific key ring, click on the right-side pop up, and click Edit rotation period.

  • Select a new rotation period in days which should be less than 90 and then choose Starting on date.

gcloud CLI

  • Update and schedule rotation by ROTATION_PERIOD and NEXT_ROTATION_TIME for each key:

    • gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next-rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD