AWS-KMS-KMS-Key-Rotation

Severity: Medium

Description: This control ensures that automatic key rotation is enabled for customer-created CMKs whose key material is managed by AWS KMS. The backing key is the key material used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys, so data encrypted under an earlier backing key can still be decrypted transparently. It is recommended that key rotation be enabled for every CMK with AWS managed key material.

Remediation Steps:

Perform the following to enable automatic key rotation:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the KMS console.

  3. In the left pane, choose Customer managed keys.

  4. For Region, choose the appropriate AWS Region using the region selector in the navigation bar (top right corner).

  5. Choose the alias of the CMK whose details you want to see.

  6. Use the controls in the Key Rotation section of the page. This key rotation option is not available for CMKs with external key material.

  7. Check the Automatically rotate this CMK every year checkbox.

Important:

If a CMK is disabled or pending deletion, the Key Rotation check box is cleared, and you cannot change it. This reminds you that AWS KMS does not rotate CMKs while they are disabled or pending deletion. The key rotation status is restored when you re-enable the CMK or cancel deletion.
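The control and the caveat above, expressed as a check over KMS key metadata. This is an added example, not Blue Hexagon's own check; the field names (KeyManager, Origin, KeySpec, KeyState, KeyRotationEnabled) are those of the boto3 KMS API, and the sample records are constructed, not real keys.

```python
"""Evaluate the KMS automatic-rotation control from key metadata.
Added example (not Blue Hexagon's implementation); field names follow the
boto3 KMS API (describe_key / get_key_rotation_status)."""
from typing import Optional, Tuple

# Constructed sample KeyMetadata records (not real keys) covering the cases the control separates.
SAMPLE_KEYS = [
    ({"KeyId": "k1", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled"}, True),
    ({"KeyId": "k2", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled"}, False),
    ({"KeyId": "k3", "KeyManager": "AWS", "Origin": "AWS_KMS", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled"}, None),
    ({"KeyId": "k4", "KeyManager": "CUSTOMER", "Origin": "EXTERNAL", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled"}, None),
    ({"KeyId": "k5", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "PendingDeletion"}, None),
]

def rotation_supported(meta: dict) -> bool:
    """True when KMS can auto-rotate this key: customer-created, KMS-generated, symmetric material."""
    return (meta.get("KeyManager") == "CUSTOMER"
            and meta.get("Origin") == "AWS_KMS"
            and meta.get("KeySpec", "SYMMETRIC_DEFAULT") == "SYMMETRIC_DEFAULT")

def evaluate_key(meta: dict, rotation_enabled: Optional[bool]) -> Tuple[str, str]:
    """Return (status, reason) for one key; status is PASS, FAIL or NOT_APPLICABLE."""
    if meta.get("KeyManager") != "CUSTOMER":
        return "NOT_APPLICABLE", "AWS managed key; AWS rotates it"
    if not rotation_supported(meta):
        return "NOT_APPLICABLE", "external/custom-store or non-symmetric key material cannot be auto-rotated"
    # The console clears and locks the Key Rotation box for disabled or pending-deletion keys.
    if meta.get("KeyState") != "Enabled":
        return "NOT_APPLICABLE", f"key is {meta.get('KeyState')}; rotation cannot be changed until re-enabled"
    if rotation_enabled:
        return "PASS", "automatic rotation enabled"
    return "FAIL", "customer created CMK without automatic rotation; enable it"

def audit_account(kms) -> list:
    """Run the control over every key the given boto3 KMS client can see (live call, not run offline)."""
    findings = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            rotation = None
            if rotation_supported(meta):
                rotation = kms.get_key_rotation_status(KeyId=meta["KeyId"])["KeyRotationEnabled"]
            status, reason = evaluate_key(meta, rotation)
            findings.append({"KeyId": meta["KeyId"], "Status": status, "Reason": reason})
    return findings

if __name__ == "__main__":
    import boto3  # only needed for a live audit against the current AWS region
    for f in audit_account(boto3.client("kms")):
        print(f"{f['Status']:15} {f['KeyId']} {f['Reason']}")
```

Keys reported as FAIL are the ones to remediate with the console steps above (or `aws kms enable-key-rotation --key-id <id>`).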

Reference:

Blue Hexagon Proprietary