Ensure rotation for customer created symmetric CMKs is enabled

AWS KMS enables customers to rotate the backing key, which is key material stored in AWS KMS and is tied to the key ID of the KMS key. It's the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all previous backing keys so that decryption of encrypted data can take place transparently. Rotating encryption keys helps reduce the potential impact of a compromised key because data encrypted with a new key can't be accessed with a previous key that might have been exposed.

Risk Level: High
Cloud Entity: AWS Key Management Service (KMS)
CloudGuard Rule ID: D9.AWS.CRY.77
Covered by Spectral: No
Category: Security, Identity, & Compliance


KMS where origin!='AWS_CLOUDHSM' and isCustomerManaged=true and deletionDate<=0 and isSymmetricKey=true should have rotationStatus=true
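An added example, not CloudGuard's or AWS's own code, that applies the rule's selector and assertion above to KMS key metadata in the shape returned by the DescribeKey and GetKeyRotationStatus APIs (KeyManager, Origin, KeySpec, DeletionDate, KeyRotationEnabled). The sample keys and their IDs are constructed placeholders; the boto3 collector assumes the caller passes in a KMS client and is not run offline.

```python
from datetime import datetime, timezone

def _key(key_id, manager="CUSTOMER", origin="AWS_KMS", spec="SYMMETRIC_DEFAULT",
         rotation=False, deletion=None):
    """Build one constructed record shaped like DescribeKey()["KeyMetadata"]
    plus GetKeyRotationStatus()["KeyRotationEnabled"]; IDs are placeholders."""
    rec = {"KeyId": key_id, "KeyManager": manager, "Origin": origin,
           "KeySpec": spec, "KeyRotationEnabled": rotation}
    if deletion:
        rec["DeletionDate"] = deletion
    return rec

SAMPLE_KEYS = [  # constructed sample data, not real keys
    _key("key-0001"),                          # customer symmetric, rotation off: finding
    _key("key-0002", rotation=True),           # compliant
    _key("key-0003", manager="AWS"),           # AWS managed: not isCustomerManaged
    _key("key-0004", origin="AWS_CLOUDHSM"),   # origin == AWS_CLOUDHSM: excluded
    _key("key-0005", spec="RSA_2048"),         # asymmetric: not isSymmetricKey
    _key("key-0006", deletion=datetime(2030, 1, 1, tzinfo=timezone.utc)),  # pending deletion
]

def in_scope(key):
    """Mirror the rule's selector: customer managed, symmetric, not CloudHSM-backed,
    and not scheduled for deletion (the rule's deletionDate<=0)."""
    return (key.get("KeyManager") == "CUSTOMER"
            and key.get("Origin") != "AWS_CLOUDHSM"
            and key.get("KeySpec") == "SYMMETRIC_DEFAULT"
            and key.get("DeletionDate") is None)

def evaluate(keys):
    """Rule assertion: return IDs of in-scope keys whose rotation is not enabled."""
    return [k["KeyId"] for k in keys
            if in_scope(k) and not k.get("KeyRotationEnabled")]

def collect_live_keys(kms):
    """Gather the same fields from a real account (kms = boto3.client("kms")).
    Rotation status is only fetched for keys the rule actually selects."""
    keys = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            if in_scope(meta):
                status = kms.get_key_rotation_status(KeyId=entry["KeyId"])
                meta["KeyRotationEnabled"] = status["KeyRotationEnabled"]
            keys.append(meta)
    return keys

if __name__ == "__main__":
    for key_id in evaluate(SAMPLE_KEYS):
        print(f"{key_id}: rotation disabled; remediate with "
              f"aws kms enable-key-rotation --key-id {key_id}")
```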


From Portal
Use the following steps to enable KMS key rotation.

  1. Open the AWS KMS console at https://console.aws.amazon.com/kms.
  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
  3. Choose Customer managed keys.
  4. Choose the alias of the key to update in the Alias column.
  5. Choose Key rotation.
  6. Select Automatically rotate this KMS key every year and then choose Save.

From TF

resource "aws_kms_key" "kms_key_1" {
  is_enabled          = true
  # Enable automatic annual rotation of the backing key (the rule's rotationStatus=true)
  enable_key_rotation = true
}

From Command Line

Run the following command to enable key rotation:

aws kms enable-key-rotation --key-id KMS_KEY_ID


  1. https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/enable-key-rotation.html

AWS Key Management Service (KMS)

AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses FIPS 140-2 validated hardware security modules to protect the security of your keys. AWS Key Management Service is integrated with most other AWS services to help you protect the data you store with these services. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.

Compliance Frameworks

  • AWS CIS Foundations v. 2.0.0
  • AWS CloudGuard Best Practices
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset