AWS CMK rotation is not enabled

Description

AWS Key Management Service (KMS) allows customers to rotate the backing key, which is the key material stored within KMS and tied to the key ID of a customer-created customer master key (CMK). The backing key is used to perform cryptographic operations such as encryption and decryption. Automatic key rotation retains all prior backing keys, so data encrypted under an earlier backing key can still be decrypted transparently.

We recommend you enable CMK key rotation to help reduce the potential impact of a compromised key. Data encrypted with a new key cannot be accessed with a previous key that may have been exposed.

Fix - Runtime

AWS Console

Procedure:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon KMS console.
  3. In the left navigation pane, select Customer managed keys.
  4. Select the customer master key (CMK) in scope.
  5. Navigate to the Key Rotation tab.
  6. Select Rotate this key every year.
  7. Click Save.

CLI Command

Enable key rotation on the key in scope using the following CLI command:

```bash
aws kms enable-key-rotation --key-id <kms_key_id>
```
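To find which keys in an account actually need the command above, the following audit script (an added example, not part of the original policy page) classifies keys the way this check does: it flags only enabled, customer-managed, symmetric keys whose material was generated by KMS, because AWS-managed keys rotate on their own and imported, CloudHSM-backed, asymmetric or HMAC keys cannot use automatic rotation. The offline part runs on constructed DescribeKey-shaped records; `collect_from_aws()` is an optional live collector that assumes boto3 and the `kms:ListKeys`, `kms:DescribeKey` and `kms:GetKeyRotationStatus` permissions.

```python
"""Audit KMS keys for automatic rotation (added example, not from the
policy page). The classification runs offline on DescribeKey-shaped
dicts; collect_from_aws() is an optional live collector needing boto3."""
from typing import Dict, List

def needs_rotation_fix(meta: Dict, rotation_enabled: bool) -> bool:
    """Flag only keys this policy applies to: customer-managed, enabled,
    symmetric keys with KMS-generated material and rotation turned off.
    AWS-managed keys rotate on their own; imported (EXTERNAL) or CloudHSM
    material and asymmetric/HMAC keys cannot use automatic rotation."""
    return (meta.get("KeyManager") == "CUSTOMER"
            and meta.get("Origin") == "AWS_KMS"
            and meta.get("KeySpec", "SYMMETRIC_DEFAULT") == "SYMMETRIC_DEFAULT"
            and meta.get("KeyState") == "Enabled"
            and not rotation_enabled)

def find_unrotated_cmks(keys: List[Dict]) -> List[str]:
    """keys: [{"KeyMetadata": {...}, "KeyRotationEnabled": bool}, ...]"""
    return [k["KeyMetadata"]["KeyId"] for k in keys
            if needs_rotation_fix(k["KeyMetadata"], k["KeyRotationEnabled"])]

def _key(key_id, manager="CUSTOMER", origin="AWS_KMS",
         spec="SYMMETRIC_DEFAULT", state="Enabled", rotates=False):
    # Builder for constructed sample records (placeholder IDs, not real keys).
    return {"KeyMetadata": {"KeyId": key_id, "KeyManager": manager,
                            "Origin": origin, "KeySpec": spec, "KeyState": state},
            "KeyRotationEnabled": rotates}

SAMPLE_KEYS = [
    _key("cmk-no-rotation"),                           # should be flagged
    _key("cmk-rotating", rotates=True),                # compliant
    _key("aws-managed", manager="AWS", rotates=True),  # out of scope
    _key("cmk-imported", origin="EXTERNAL"),           # cannot auto-rotate
    _key("cmk-rsa", spec="RSA_2048"),                  # cannot auto-rotate
    _key("cmk-disabled", state="Disabled"),            # disabled, skip
]

def collect_from_aws(region: str = "us-east-1") -> List[Dict]:
    """Live collector: needs kms:ListKeys, DescribeKey, GetKeyRotationStatus."""
    import boto3  # imported here so the offline part works without it
    kms = boto3.client("kms", region_name=region)
    out = []
    for page in kms.get_paginator("list_keys").paginate():
        for k in page["Keys"]:
            meta = kms.describe_key(KeyId=k["KeyId"])["KeyMetadata"]
            rot = kms.get_key_rotation_status(KeyId=k["KeyId"])["KeyRotationEnabled"]
            out.append({"KeyMetadata": meta, "KeyRotationEnabled": rot})
    return out
```

Running `find_unrotated_cmks(collect_from_aws())` yields the key IDs to pass to `aws kms enable-key-rotation`.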

Fix - Buildtime

Terraform

  • Resource: aws_kms_key
  • Argument: enable_key_rotation - (Optional) Specifies whether key rotation is enabled. Defaults to false.

```hcl
resource "aws_kms_key" "kms_key_1" {
  ...
  is_enabled          = true
+ enable_key_rotation = true
}
```

## CloudFormation

- **Resource**: `AWS::KMS::Key`
- **Attribute**: `EnableKeyRotation` - (Optional) Specifies whether key rotation is enabled. Defaults to false.

```yaml
Type: AWS::KMS::Key
Properties:
  ...
+ EnableKeyRotation: true
```