Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Rotate KMS Customer-Managed Keys (CMKs)

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: OCI-KMS-001

Ensure that your OCI KMS Customer-Managed Keys (also known as Master Encryption Keys) are rotated within a period of 365 days in order to follow best practices and meet security and compliance requirements. A Customer-Managed Key (CMK) is an encryption key that you control, used to protect your data in Oracle Cloud Infrastructure (OCI). The key rotation represents the time interval between two consecutive key versions generated by the Key Management Service (KMS) or imported by the customer.

Security

OCI KMS Customer-Managed Keys (CMKs) are powerful encryption credentials that can introduce severe security risks if they are not managed correctly. Because the KMS key management within Oracle Cloud Infrastructure (OCI) represents the user's responsibility, enforcing an optimal key rotation period would significantly reduce the chance that a compromised key could be used without your knowledge to access encrypted data.

Audit

To check the last rotation of your OCI KMS Customer-Managed Keys (CMKs), perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Key Management & Secret Management console available at https://cloud.oracle.com/security/kms.

  3. In the left navigation panel, choose Vault, and select an OCI compartment from the Compartment dropdown menu, to list the OCI Vaults available within that compartment.

  4. Click on the name (link) of the active OCI Vault that you want to examine, listed in the Name column. An active Vault has State set to Active.

  5. In the Resources navigation panel, select Master Encryption Keys to list the Customer-Managed Keys (CMKs) available in the selected OCI Vault.

  6. Click on the name (link) of the active Customer-Managed Key that you want to examine. An active CMK has State set to Enabled.

  7. Select the Key Information tab, and check the Created attribute value, listed in the left column to determine when the key was created. If more than 365 days have passed since the key was created, the selected OCI KMS Customer-Managed Key (CMK) is not rotated (regenerated) on a regular basis.

  8. Repeat steps no. 6 and 7 for each active Customer-Managed Key (CMK) available in the selected OCI Vault.

  9. Repeat steps no. 4 - 8 for each OCI Vault provisioned in the selected Oracle Cloud Infrastructure (OCI) compartment.

  10. Repeat steps no. 3 – 9 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  3. Run kms management vault list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, the list the ID of each active OCI Vault provisioned in the selected OCI compartment:

    oci kms management vault list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query "data[?\"lifecycle-state\"=='ACTIVE'].id"

  4. The command output should return the requested Vault IDs:

    [
	"ocid1.vault.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
	"ocid1.vault.oc1.ap-sydney-1.fnt4qjrmaadt6.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  5. Run kms management vault get command (Windows/macOS/Linux) to describe the service endpoint configured for the OCI Vault created in the previous steps:

    oci kms management vault get
	--vault-id 'ocid1.vault.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--query 'data."management-endpoint"'

  6. The command output should return the URL of the service (management) endpoint configured for the selected Vault:

    "https://abcdabcd1234a-management.kms.ap-sydney-1.oraclecloud.com"

  7. Run oci kms management key list command (Windows/macOS/Linux) with the service endpoint of the OCI Vault that you want to examine as the identifier parameter, to list the ID and state of each KMS Customer-Managed Key (CMK) created in the selected Vault:

    oci kms management key list
	--endpoint 'https://abcdabcd1234a-management.kms.ap-sydney-1.oraclecloud.com'
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[].["id","lifecycle-state"]'

  8. The command output should return the ID and status for each key available in the selected Vault. An active Customer-Managed Key has the lifecycle status set to "ENABLED":

    [
	[
		"ocid1.key.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"ENABLED"
	],
	[
		"ocid1.key.oc1.ap-sydney-1.1234abcd1234a.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
		"PENDING_DELETION"
	]
]

  9. Run oci kms management key get command (Windows/macOS/Linux) with the ID of the active Customer-Managed Key (CMK) that you want to examine as the identifier parameter and custom output filters the describe the selected KMS key:

    oci kms management key get
	--key-id 'ocid1.key.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--endpoint 'https://abcdabcd1234a-management.kms.ap-sydney-1.oraclecloud.com'
	--query 'data'

  10. The command output should return the resource information available for the selected key:

    {
	"time-created": "2024-02-01T11:30:12.995000+00:00",
	"lifecycle-state": "ENABLED",
	"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"defined-tags": {},
	"display-name": "cc-project5-oci-key",
	"external-key-reference-details": null,
	"freeform-tags": {},
	"id": "ocid1.key.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"is-auto-rotation-enabled": false,
	"is-primary": true,
	"key-shape": {
		"algorithm": "AES",
		"curve-id": null,
		"length": 32
	},
	"protection-mode": "SOFTWARE",
	"replica-details": null,
	"restored-from-key-id": null,
	"time-of-deletion": null,
	"vault-id": "ocid1.vault.oc1.ap-sydney-1.abcdabcd1234a.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
}

    Check the "time-created" attribute value returned by the kms management key get command to determine when the selected KMS key was created. If more than 365 days have passed since the key was created, the selected OCI KMS Customer-Managed Key (CMK) is not rotated (regenerated) on a regular basis.

  11. Repeat steps no. 9 and 10 for each active Customer-Managed Key (CMK) created in the selected OCI Vault.

  12. Repeat steps no. 5 - 11 for each OCI Vault provisioned in the selected Oracle Cloud Infrastructure (OCI) compartment.

  13. Repeat steps no. 3 – 12 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Remediation / Resolution

To ensure that your OCI KMS Customer-Managed Keys (CMKs) are regularly rotated (every 365 days or less), perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Key Management & Secret Management console available at https://cloud.oracle.com/security/kms.

  3. In the left navigation panel, choose Vault, and select an OCI compartment from the Compartment dropdown menu, to list the OCI Vaults available within that compartment.

  4. Click on the name (link) of the active OCI Vault that you want to access, listed in the Name column. An active Vault has State set to Active.

  5. In the Resources navigation panel, select Master Encryption Keys to list the Customer-Managed Keys (CMKs) available in the selected OCI Vault.

  6. Select the active Customer-Managed Key that you want to regenerate, choose the Actions menu (i.e., 3-dot icon), and select Rotate Key.

  7. In the Confirm dialog box, choose Rotate Key to regenerate the selected Customer-Managed Key (CMK). If you need to import the key materials and key versions and allow the Key Management Service (KMS) to use a copy of it, check the Import External key version setting checkbox, upload your key data, and choose Rotate Key. Choose Close to return to the OCI console.

  8. Repeat steps no. 6 and 7 for each active Customer-Managed Key (CMK) available in the selected OCI Vault.

  9. Repeat steps no. 4 - 8 for each OCI Vault provisioned in the selected Oracle Cloud Infrastructure (OCI) compartment.

  10. Repeat steps no. 3 – 9 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

  1. Run kms management key-version create command (Windows/macOS/Linux) to rotate the active Customer-Managed Key (CMK) specified by the --key-id parameter by creating a new key version:

    oci kms management key-version create
	--key-id 'ocid1.key.oc1.ap-sydney-1.1234abcd1234b.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--endpoint 'https://1234abcd1234b-management.kms.ap-sydney-1.oraclecloud.com'
	--query 'data'

  2. The command output should return the resource information available for the regenerated KMS key:

    {
	"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"external-key-reference-details": null,
	"id": "ocid1.keyversion.oc1.ap-sydney-1.1234abcd1234b.feqpm7ey3gaaa.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
	"is-auto-rotated": false,
	"is-primary": true,
	"key-id": "ocid1.key.oc1.ap-sydney-1.1234abcd1234b.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"lifecycle-state": "CREATING",
	"origin": "INTERNAL",
	"public-key": null,
	"replica-details": {
		"replication-id": null
	},
	"restored-from-key-version-id": null,
	"time-created": "2025-03-06T11:57:12.710000+00:00",
	"time-of-deletion": null,
	"vault-id": "ocid1.vault.oc1.ap-sydney-1.1234abcd1234b.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
}

  3. Repeat steps no. 1 and 2 for each active Customer-Managed Key (CMK) created in the selected OCI Vault.

  4. Repeat steps no. 1 - 3 for each OCI Vault provisioned in the selected Oracle Cloud Infrastructure (OCI) compartment.

  5. Repeat steps no. 1 – 4 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

References

Publication date Mar 11, 2025

Related OCI-KMS rules