Ensure that all your Cloud Key Management Service (KMS) keys are rotated within a period of 90 days in order to meet security and compliance requirements. A KMS key is a named object representing a cryptographic key used for encrypting and decrypting application data. The KMS key material, the actual bits used for encryption, can change over time as new key versions are created. A symmetric KMS key can be configured with a rotation period, which is the time interval between two consecutive key versions generated automatically by the KMS cloud service; when the interval elapses, Cloud KMS creates a new key version and makes it the primary version used for new encryption operations. Automatic rotation is available only for symmetric encryption keys; asymmetric keys have no rotation period and must be rotated manually by creating a new primary version.
User-managed KMS keys are powerful encryption credentials that can introduce severe security risks if they are not managed correctly. Because KMS key management within Google Cloud is the customer's responsibility, enforcing a rotation period of 90 days or less limits the amount of data protected by any single key version and shortens the window in which a compromised key version could be used without your knowledge to access encrypted data.
Note: After rotating a KMS key, its previous key version (which is no longer primary) is neither disabled nor destroyed. This protects against data loss, because that previous version is still required to decrypt the data encrypted under it; only data encrypted after the rotation uses the new primary version.
To determine the rotation period configured for your KMS cryptographic keys, perform the following actions:
Remediation / Resolution
To configure the rotation period for your Cloud Key Management Service (KMS) cryptographic keys to an optimal value of 90 days or less, perform the following actions:
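The audit and the remediation described in the two procedures above, as an added example that is not part of the original page: a POSIX shell script that runs the 90-day check over a constructed sample of `gcloud kms keys list` output and wraps the real `gcloud` commands for listing keys and setting a rotation period. The project, location, key ring and key names in the sample, and the `NEXT_ROTATION_TIME` argument, are assumptions; `gcloud` is invoked only by `list_keys` and `remediate_key`, which the offline demonstration does not call.

```shell
#!/bin/sh
# Audit Cloud KMS keys for a rotation period of at most 90 days and wrap the
# gcloud command that remediates a non-compliant key.
# Added example, not part of the original page. The gcloud calls assume an
# authenticated gcloud CLI with permission to list and update keys.

MAX_ROTATION_SECONDS=$((90 * 24 * 60 * 60))   # 90 days = 7776000 seconds

# rotation_ok PERIOD
# PERIOD is the rotationPeriod value gcloud prints, e.g. "7776000s".
# Returns 0 when a period is set and is 90 days or less, 1 otherwise
# (an empty value means no automatic rotation is configured).
rotation_ok() {
    secs="${1%s}"          # strip the trailing "s"
    secs="${secs%%.*}"     # ignore any fractional seconds
    case "$secs" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$secs" -le "$MAX_ROTATION_SECONDS" ]
}

# audit_keys
# Reads tab-separated lines "name purpose rotationPeriod" on stdin (the shape
# list_keys produces), prints one line per finding and returns 1 if any
# symmetric key is non-compliant. Only ENCRYPT_DECRYPT (symmetric) keys support
# automatic rotation; keys with any other purpose are reported for manual review.
audit_keys() {
    status=0
    while IFS="$(printf '\t')" read -r name purpose period; do
        [ -z "$name" ] && continue
        case "$purpose" in
            ENCRYPT_DECRYPT)
                if [ -z "$period" ]; then
                    echo "NONCOMPLIANT $name: no automatic rotation configured"
                    status=1
                elif ! rotation_ok "$period"; then
                    echo "NONCOMPLIANT $name: rotation period $period exceeds 90 days"
                    status=1
                fi
                ;;
            *)
                echo "MANUAL $name: $purpose keys are not rotated automatically; create a new primary version"
                ;;
        esac
    done
    return "$status"
}

# list_keys PROJECT LOCATION KEYRING
# Real gcloud call: prints one tab-separated line per key in the key ring.
list_keys() {
    gcloud kms keys list --project="$1" --location="$2" --keyring="$3" \
        --format="value(name,purpose,rotationPeriod)"
}

# remediate_key PROJECT LOCATION KEYRING KEY NEXT_ROTATION_TIME
# Real gcloud call: sets a 90-day rotation period. NEXT_ROTATION_TIME is an
# RFC 3339 timestamp (assumed format, e.g. 2024-07-01T00:00:00Z) for the first
# automatic rotation.
remediate_key() {
    gcloud kms keys update "$4" --project="$1" --location="$2" --keyring="$3" \
        --rotation-period=90d --next-rotation-time="$5"
}

# Constructed sample standing in for list_keys output so the audit runs offline:
# one compliant key, one with a one-year period, one with no rotation, one asymmetric.
sample_keys() {
    printf 'projects/p/locations/us-east1/keyRings/r/cryptoKeys/app-data\tENCRYPT_DECRYPT\t7776000s\n'
    printf 'projects/p/locations/us-east1/keyRings/r/cryptoKeys/legacy-db\tENCRYPT_DECRYPT\t31536000s\n'
    printf 'projects/p/locations/us-east1/keyRings/r/cryptoKeys/backups\tENCRYPT_DECRYPT\t\n'
    printf 'projects/p/locations/us-east1/keyRings/r/cryptoKeys/signing\tASYMMETRIC_SIGN\t\n'
}

# Offline demonstration; for a real audit pipe "list_keys PROJECT LOCATION KEYRING" instead.
sample_keys | audit_keys || echo "one or more keys need remediation"
```

Two caveats for a real audit: a rotation period only governs versions created from now on, so after setting it you still have to re-encrypt data held under old versions if you want it off those versions; and a compliant period with a `nextRotationTime` in the past means rotation has stalled, so check that field as well as the period.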
Rule: Rotate Google Cloud KMS Keys
Risk level: Low