Ensure rotation for customer created symmetric CMKs is enabled
Risk Level: High
Cloud Entity: AWS Key Management Service (KMS)
CloudGuard Rule ID: D9.AWS.CRY.77
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
KMS where origin!='AWS_CLOUDHSM' and isCustomerManaged=true and deletionDate<=0 and isSymmetricKey=true should have rotationStatus=true
REMEDIATION
From Portal
Use the following steps to enable automatic rotation for a customer managed KMS key.
- Open the AWS KMS console at https://console.aws.amazon.com/kms.
- To change the AWS Region, use the Region selector in the upper-right corner of the page.
- Choose Customer managed keys.
- Choose the alias of the key to update in the Alias column.
- Choose Key rotation.
- Select Automatically rotate this KMS key every year and then choose Save.
From TF
resource "aws_kms_key" "kms_key_1" {
...
is_enabled = true
+ enable_key_rotation = true
}
From Command Line
Run the following command to enable key rotation:
aws kms enable-key-rotation --key-id KMS_KEY_ID
References
- https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/enable-key-rotation.html
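The following script is an added example, not CloudGuard's or AWS's own code. It applies the GSL logic above to KMS key records shaped like the output of `aws kms describe-key` (KeyMetadata) and `aws kms get-key-rotation-status` (KeyRotationEnabled), and prints the remediation command from the section above for every failing key. The sample records and key IDs are constructed for the example; the mapping of `isSymmetricKey` to `KeySpec == "SYMMETRIC_DEFAULT"` is an assumption. One caveat the rule does not spell out: a key with imported key material (Origin `EXTERNAL`) passes the filter, but AWS KMS does not support automatic rotation for it, so `enable-key-rotation` is rejected and the key must be rotated manually; the script reports that separately. The optional `load_keys` helper fetches live metadata with boto3 (assumed installed and credentialed) and is not exercised offline.

```python
# Added example: audit KMS key records against the rule
# "KMS where origin!='AWS_CLOUDHSM' and isCustomerManaged=true and
#  deletionDate<=0 and isSymmetricKey=true should have rotationStatus=true".

# Constructed sample key metadata; key IDs are placeholders, not real AWS keys.
SAMPLE_KEYS = [
    {"KeyId": "k1-symmetric-no-rotation", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyRotationEnabled": False},
    {"KeyId": "k2-symmetric-rotating", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyRotationEnabled": True},
    # AWS managed key: out of scope (isCustomerManaged=false).
    {"KeyId": "k3-aws-managed", "KeyManager": "AWS", "Origin": "AWS_KMS",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyRotationEnabled": True},
    # Asymmetric key: out of scope (isSymmetricKey=false); KMS cannot auto-rotate it anyway.
    {"KeyId": "k4-rsa-signing", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
     "KeySpec": "RSA_2048", "KeyState": "Enabled", "KeyRotationEnabled": False},
    # Custom key store backed by CloudHSM: excluded by origin!='AWS_CLOUDHSM'.
    {"KeyId": "k5-cloudhsm", "KeyManager": "CUSTOMER", "Origin": "AWS_CLOUDHSM",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyRotationEnabled": False},
    # Pending deletion: excluded by deletionDate<=0. DescribeKey only returns
    # DeletionDate while the key is in this state.
    {"KeyId": "k6-pending-deletion", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "PendingDeletion",
     "DeletionDate": "2030-01-01T00:00:00+00:00", "KeyRotationEnabled": False},
    # Imported key material: in scope for the rule, but KMS rejects
    # enable-key-rotation for it, so remediation has to be manual.
    {"KeyId": "k7-imported-material", "KeyManager": "CUSTOMER", "Origin": "EXTERNAL",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyRotationEnabled": False},
]


def in_scope(key):
    """Mirror the GSL filter clause for clause."""
    return (
        key.get("Origin") != "AWS_CLOUDHSM"           # origin!='AWS_CLOUDHSM'
        and key.get("KeyManager") == "CUSTOMER"        # isCustomerManaged=true
        and "DeletionDate" not in key                  # deletionDate<=0
        and key.get("KeySpec") == "SYMMETRIC_DEFAULT"  # isSymmetricKey=true (assumed mapping)
    )


def remediation_for(key):
    """Return the command that fixes the finding, or a manual instruction where
    KMS does not support automatic rotation (imported key material)."""
    if key.get("Origin") == "EXTERNAL":
        return ("manual: automatic rotation is unsupported for imported key material; "
                "import new material or migrate to a new key")
    return f"aws kms enable-key-rotation --key-id {key['KeyId']}"


def audit(keys):
    """Return one finding per in-scope key whose rotation status is not true."""
    return [
        {"KeyId": k["KeyId"], "Remediation": remediation_for(k)}
        for k in keys
        if in_scope(k) and not k.get("KeyRotationEnabled", False)
    ]


def load_keys(region_name):
    """Fetch live metadata with boto3 (assumed installed and credentialed).
    Only in-scope keys get the extra GetKeyRotationStatus call."""
    import boto3  # imported here so the offline sample above runs without it
    kms = boto3.client("kms", region_name=region_name)
    keys = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            if in_scope(meta):
                status = kms.get_key_rotation_status(KeyId=meta["KeyId"])
                meta["KeyRotationEnabled"] = status["KeyRotationEnabled"]
            keys.append(meta)
    return keys


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in load_keys("us-east-1")
    # to audit a real account.
    for finding in audit(SAMPLE_KEYS):
        print(f"{finding['KeyId']}: {finding['Remediation']}")
```

Running the sample reports two keys: the plain symmetric key gets the `enable-key-rotation` command, and the imported-material key is listed for manual rotation. The loader calls `DescribeKey` for every key but `GetKeyRotationStatus` only for keys the rule cares about, which keeps the audit cheap in accounts with many AWS managed or asymmetric keys.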
AWS Key Management Service (KMS)
AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses FIPS 140-2 validated hardware security modules to protect the security of your keys. AWS Key Management Service is integrated with most other AWS services to help you protect the data you store with these services. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
Compliance Frameworks
- AWS CIS Foundations v. 2.0.0
- AWS CloudGuard Best Practices
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
Updated 7 months ago