AWS-KMS-CMK-expiry-set-with-external-key-material

Severity: Medium

Description: This control ensures that an expiration time is set for CMKs whose key material was imported (origin EXTERNAL). AWS KMS automatically deletes the key material after the expiration time; imported key material can also be deleted manually. In both cases only the key material is deleted: the CMK reference and its metadata remain, so you can import key material again later. Setting an expiration ensures that the keys cannot be used beyond their assigned lifetimes.

Remediation Steps:

Perform the following to set an expiration for a CMK with imported key material:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the KMS console.

  3. Choose the Customer managed keys option.

  4. Choose the alias or key ID of a CMK.

  5. Under Key material, click the Delete key material button.

  6. Select Confirm that you want to delete this key material and click Delete key material in the pop-up.

  7. Under Key material, click the Download wrapping key and import token button.

  8. Choose the encryption (wrapping) algorithm to use and select Download and close.

  9. Now follow the steps to encrypt the key material with OpenSSL: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html

  10. Under Key material, click the Upload key material button.

  11. For Wrapped key material, click Choose file.

  12. Upload the file that contains the wrapped (encrypted) key material.

  13. Upload the import token by clicking Choose file for the Import token option.

  14. Under Expiration option, enter the expiration date and time in the Key material expires at field.

  15. Click Upload key material.
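The procedure above as an automated check plus its API-side equivalent, added here as an example and not part of the original page: the first function audits KMS DescribeKey metadata for external CMKs whose imported material has no expiry, and the second builds the import-key-material request with an expiration set (the step the console performs at Upload key material). The field and parameter names (KeyId, Origin, KeyState, ExpirationModel, ValidTo, ImportToken, EncryptedKeyMaterial) are the real KMS API names; the sample key records, key IDs and function names are constructed for this example.

```python
"""Audit external CMKs for a missing key-material expiry, and build a
compliant import request. Sample data and function names are constructed
for this example; the dictionary keys mirror KMS DescribeKey / ImportKeyMaterial."""
from datetime import datetime, timedelta, timezone

# Constructed sample of KeyMetadata blocks: three external CMKs, one KMS-generated.
SAMPLE_KEYS = [
    {"KeyId": "key-a", "Origin": "EXTERNAL", "KeyState": "Enabled",
     "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"},
    {"KeyId": "key-b", "Origin": "EXTERNAL", "KeyState": "Enabled",
     "ExpirationModel": "KEY_MATERIAL_EXPIRES",
     "ValidTo": datetime(2030, 1, 1, tzinfo=timezone.utc)},
    {"KeyId": "key-c", "Origin": "EXTERNAL", "KeyState": "PendingImport"},
    {"KeyId": "key-d", "Origin": "AWS_KMS", "KeyState": "Enabled"},
]


def audit_external_cmks(keys):
    """Return IDs of imported-material CMKs with no expiry (the finding this
    control raises), and separately those still awaiting import, since their
    material does not exist yet and the expiry must be chosen at upload time.
    KMS-generated keys (Origin AWS_KMS) are out of scope."""
    no_expiry, pending = [], []
    for k in keys:
        if k.get("Origin") != "EXTERNAL":
            continue
        if k.get("KeyState") == "PendingImport":
            pending.append(k["KeyId"])
        elif k.get("ExpirationModel") != "KEY_MATERIAL_EXPIRES":
            no_expiry.append(k["KeyId"])
    return {"no_expiry": no_expiry, "pending_import": pending}


def import_params(key_id, wrapped_material, import_token, valid_to):
    """Build the keyword arguments for boto3 kms.import_key_material with an
    expiration set. A past or naive ValidTo is rejected up front; KMS would
    also refuse it, but failing locally keeps the error close to its cause."""
    if valid_to.tzinfo is None or valid_to <= datetime.now(timezone.utc):
        raise ValueError("valid_to must be a timezone-aware datetime in the future")
    return {
        "KeyId": key_id,
        "EncryptedKeyMaterial": wrapped_material,  # bytes produced by the OpenSSL wrap step
        "ImportToken": import_token,               # bytes of the downloaded import token
        "ExpirationModel": "KEY_MATERIAL_EXPIRES",
        "ValidTo": valid_to,
    }


def audit_live_account(kms_client):
    """Same audit against a real account through a boto3 KMS client passed in by
    the caller (assumed to hold kms:ListKeys and kms:DescribeKey). Not run offline."""
    metadata = []
    for page in kms_client.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            metadata.append(kms_client.describe_key(KeyId=key["KeyId"])["KeyMetadata"])
    return audit_external_cmks(metadata)


if __name__ == "__main__":
    print(audit_external_cmks(SAMPLE_KEYS))
    print(import_params("key-a", b"<wrapped material>", b"<import token>",
                        datetime.now(timezone.utc) + timedelta(days=365)))
```

Run on the constructed sample, `key-a` is the only finding (external material, never expires); `key-c` is listed under pending_import so the importer knows to fill in the expiry at step 14, and `key-d` is ignored because its material is KMS-generated.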

Important:

Reference:

Blue Hexagon Proprietary