Ensure that all your Amazon KMS Customer Managed Keys (CMKs) are automatically rotated every year. The Key Rotation feature enables automatic rotation of a customer-managed Customer Master Key. The CMK is rotated one year (365 days) from the date the enablement request completes, and every year thereafter. The feature is available only for symmetric encryption keys whose key material Amazon KMS provides; asymmetric KMS keys are not eligible for automatic key rotation.
This rule can help you with the following compliance standards:
- CISAWSF
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
AWS cloud best practices discourage extensive reuse of encryption keys. To create new cryptographic key material for your Amazon KMS Customer Managed Keys (CMKs), you can enable automatic key rotation for your existing keys. Enabling this feature will significantly reduce the chance that a compromised CMK could be used without your knowledge to decrypt and access your cloud data.
This conformity rule is eligible for symmetric KMS Customer Managed Keys (CMKs) only.
Audit
To determine if the Key Rotation feature is enabled for your Amazon KMS Customer Managed Keys (CMKs), perform the following operations:
Remediation / Resolution
To enable automatic rotation for your Amazon KMS Customer Managed Keys (CMKs), perform the following operations:
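The audit and remediation above can be scripted against the output of the `describe-key` and `get-key-rotation-status` CLI calls listed in the references. The following is an added example, not Conformity's or AWS's own code: it applies the rule's scope (customer-managed, symmetric, KMS-provided key material) to constructed sample key records and emits a PASS/FAIL/NOT_APPLICABLE finding plus the `enable-key-rotation` command for each failing key. Field names match the real CLI JSON; the key IDs are made up.

```python
"""Evaluate KMS CMKs for the yearly automatic-rotation rule.
Input records are in the shape `aws kms describe-key` and
`aws kms get-key-rotation-status` return; the samples are constructed."""
from dataclasses import dataclass

ELIGIBLE_SPEC = "SYMMETRIC_DEFAULT"  # only symmetric keys rotate automatically
ELIGIBLE_ORIGIN = "AWS_KMS"          # only KMS-generated key material rotates


@dataclass
class Finding:
    key_id: str
    status: str   # "PASS", "FAIL" or "NOT_APPLICABLE"
    reason: str


def is_rotation_eligible(meta: dict) -> bool:
    """Mirror the rule's scope: customer-managed, symmetric, KMS-provided material."""
    spec = meta.get("KeySpec") or meta.get("CustomerMasterKeySpec")  # older CLI name
    return (meta.get("KeyManager") == "CUSTOMER"
            and spec == ELIGIBLE_SPEC
            and meta.get("Origin") == ELIGIBLE_ORIGIN)


def evaluate_key(describe_key_out: dict, rotation_status_out: dict) -> Finding:
    meta = describe_key_out["KeyMetadata"]
    key_id = meta["KeyId"]
    if not is_rotation_eligible(meta):
        return Finding(key_id, "NOT_APPLICABLE", "outside rule scope (manager/spec/origin)")
    if rotation_status_out.get("KeyRotationEnabled"):
        return Finding(key_id, "PASS", "automatic yearly rotation enabled")
    return Finding(key_id, "FAIL", "automatic rotation disabled")


def remediation_commands(findings: list) -> list:
    """CLI commands that fix every FAIL finding (what Remediation asks for)."""
    return [f"aws kms enable-key-rotation --key-id {f.key_id}"
            for f in findings if f.status == "FAIL"]


# Constructed samples: (describe-key output, get-key-rotation-status output).
SAMPLE_KEYS = [
    ({"KeyMetadata": {"KeyId": "11111111-aaaa-4bbb-8ccc-000000000001", "KeyManager": "CUSTOMER",
                      "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"}}, {"KeyRotationEnabled": True}),
    ({"KeyMetadata": {"KeyId": "22222222-aaaa-4bbb-8ccc-000000000002", "KeyManager": "CUSTOMER",
                      "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"}}, {"KeyRotationEnabled": False}),
    ({"KeyMetadata": {"KeyId": "33333333-aaaa-4bbb-8ccc-000000000003", "KeyManager": "CUSTOMER",
                      "KeySpec": "RSA_2048", "Origin": "AWS_KMS"}}, {}),                 # asymmetric: not eligible
    ({"KeyMetadata": {"KeyId": "44444444-aaaa-4bbb-8ccc-000000000004", "KeyManager": "AWS",
                      "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"}}, {"KeyRotationEnabled": True}),
]


def audit(samples=SAMPLE_KEYS) -> list:
    return [evaluate_key(desc, rot) for desc, rot in samples]
```

Feed real accounts by iterating `list-keys` and piping each key's `describe-key` and `get-key-rotation-status` JSON into `evaluate_key`.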
References
- AWS Documentation
  - AWS Key Management Service
  - AWS KMS concepts
  - Editing Keys
  - Rotating AWS KMS keys
- AWS Command Line Interface (CLI) Documentation
  - list-keys
  - describe-key
  - get-key-rotation-status
  - enable-key-rotation
- CloudFormation Documentation
  - AWS Key Management Service resource type reference
- Terraform Documentation
  - AWS Provider