Once enabled, the KMS Key Rotation will allow you to set an yearly rotation schedule for your CMK so when a customer master key is required to encrypt your new data, the KMS service can automatically use the latest version of the HSA backing key (AWS hardened security appliance key) to perform the encryption.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Enabling this feature would significantly reduce the chance that a compromised customer master key (CMK) could be used without your knowledge to access certain AWS resources.
To determine if your customer master keys have Key Rotation enabled, perform the following:
Remediation / Resolution
To enable AWS KMS Key Rotation, you need to perform the following:
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Key Rotation Enabled
Risk level: Medium