KMS keys should be rotated every 90 days or less

Description

Remediation Steps

KMS keys should be rotated frequently because rotation helps reduce the potential impact of a compromised key as users cannot use the old key to access the data.

Google Cloud Console

• Navigate to KMS.

• Select the specific key ring, click on the right-side pop up, and click Edit rotation period.

• Select a new rotation period in days which should be less than 90 and then choose Starting on date.

gcloud CLI

• Update and schedule rotation by ROTATION_PERIOD and NEXT_ROTATION_TIME for each key:

  • gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next-rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD

Documentation Links

Runtime

• Key rotation

• Re-encrypting data

• CLI: gcloud kms keys update