AWS Customer Master Key (CMK) Rotation Is Not Enabled

Checks to ensure that CMKs are rotated periodically. AWS KMS (Key Management Service) allows customers to create master keys to encrypt sensitive data in different services. As a security best practice, it is important to rotate the keys periodically so that if the keys are compromised, the data in the underlying service is still secure with the new keys.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform, CloudFormation

Build Rules

AWS Customer Master Key (CMK) rotation is not enabled.
JSON Queries:
CloudFormation
$.Resources.*[?(@.Type=='AWS::KMS::Key')].Properties.EnableKeyRotation any null or $.Resources.*[?(@.Type=='AWS::KMS::Key')].Properties.EnableKeyRotation anyFalse
Terraform
$.resource[*].aws_kms_key exists and ( $.resource[*].aws_kms_key[*].*[*].enable_key_rotation anyFalse or $.resource[*].aws_kms_key[*].*[*].enable_key_rotation anyNull)
Recommendations:
  • CloudFormation
    Recommended solution for enabling Customer Master Key rotation.
    It is recommended that Customer Master Key rotation is enabled. Make sure your template has the "EnableKeyRotation" attribute and that it is set to "true".
    For example:
    {
      "Resources": {
        "myKey": {
          "Type": "AWS::KMS::Key",
          "Properties": {
            "KeyPolicy": { "Version": "2012-10-17", "Id": "key-default-1" },
            "EnableKeyRotation": true
          }
        }
      }
    }
  • Terraform
    Recommended solution for enabling AWS Customer Master Key (CMK) rotation.
    It is recommended to rotate the keys periodically so that if the keys are compromised, the data in the underlying service is still secure with the new keys. Make sure the "enable_key_rotation" attribute under "aws_kms_key" is set to true in your template.
    For example:
    {
      "aws_kms_key": [
        {
          "<aws_kms_key_name>": [
            {
              "deletion_window_in_days": 10,
              "enable_key_rotation": true,
              "description": "KMS key 1"
            }
          ]
        }
      ]
    }
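The following is an added example, not Prisma Cloud's own code: a small evaluator for the two build-rule queries above, run over constructed CloudFormation and Terraform-JSON templates. It mirrors the "EnableKeyRotation any null or anyFalse" condition and walks the $.resource[*].aws_kms_key[*].*[*].enable_key_rotation path; the sample templates and resource names are constructed for the demonstration.

```python
# Added example (not Prisma Cloud's code): evaluate the CMK rotation build rule
# against CloudFormation JSON and Terraform-as-JSON templates.
import json


def _rotation_off(value) -> bool:
    # Non-compliant when the attribute is absent (null) or explicitly false,
    # matching the "any null" / "anyFalse" operators in the rule queries.
    return value is None or value is False


def cfn_noncompliant_keys(template: dict) -> list:
    """Logical IDs of AWS::KMS::Key resources without rotation enabled."""
    bad = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::KMS::Key":
            continue
        if _rotation_off(res.get("Properties", {}).get("EnableKeyRotation")):
            bad.append(logical_id)
    return bad


def tf_noncompliant_keys(template: dict) -> list:
    """Names of aws_kms_key resources without rotation enabled, in the
    list-of-blocks shape that the Terraform query above walks."""
    bad = []
    for block in template.get("resource", []):
        for entry in block.get("aws_kms_key", []):
            for key_name, instances in entry.items():
                if any(_rotation_off(i.get("enable_key_rotation")) for i in instances):
                    bad.append(key_name)
    return bad


# Constructed sample templates; only "rotated" and "good" should pass.
CFN_SAMPLE = json.loads("""{"Resources": {
  "rotated": {"Type": "AWS::KMS::Key", "Properties": {"EnableKeyRotation": true}},
  "missing": {"Type": "AWS::KMS::Key", "Properties": {"Description": "no flag"}},
  "off":     {"Type": "AWS::KMS::Key", "Properties": {"EnableKeyRotation": false}},
  "bucket":  {"Type": "AWS::S3::Bucket"}}}""")
TF_SAMPLE = json.loads("""{"resource": [{"aws_kms_key": [
  {"good":  [{"enable_key_rotation": true, "deletion_window_in_days": 10}]},
  {"stale": [{"deletion_window_in_days": 10, "description": "KMS key 1"}]}]}]}""")

if __name__ == "__main__":
    print("CloudFormation findings:", cfn_noncompliant_keys(CFN_SAMPLE))  # ['missing', 'off']
    print("Terraform findings:", tf_noncompliant_keys(TF_SAMPLE))          # ['stale']
```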

Run Rule Recommendation

  1. Log in to the AWS Console.
  2. In the IAM Service > Encryption Keys, select the specific key.
  3. Under 'Key Rotation', enable 'Rotate this key every year' and click Save Changes.

Compliance

There are 13 standards that are applicable to this policy:
  • MITRE ATT&CK [Beta]
  • CIS v1.2.0 (AWS)
  • NIST CSF
  • PCI DSS v3.2
  • GDPR
  • ISO 27001:2013
  • SOC 2
  • PIPEDA
  • CSA CCM v3.0.1
  • HITRUST CSF v9.3
  • CCPA 2018
  • NIST 800-171 Rev1
  • NIST 800-53 Rev4
