
Enable AWS KMS Key Rotation

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14-day evaluation and check your compliance level for free!

Last updated: 10 November 2017
Security

Risk level: Medium (should be achieved)

Once enabled, KMS Key Rotation puts your customer master key (CMK) on a yearly rotation schedule: every year KMS generates new cryptographic material (a new backing key, stored in the KMS hardened security appliances) for the CMK, and from that point on every request to encrypt new data under the CMK uses the latest backing key. The CMK's key ID, ARN, key policy and grants do not change, and KMS keeps every previous backing key so that data encrypted under older material can still be decrypted. Automatic rotation is available only for customer managed CMKs whose key material was generated by KMS; it cannot be enabled for AWS managed keys (which AWS rotates itself) or for keys with imported key material.

This rule resolution is part of the Cloud Conformity Security Package

Enabling this feature limits the amount of data that is encrypted under any single piece of key material, so a compromise of one backing key exposes at most one year's worth of ciphertext instead of everything ever encrypted with the CMK. Note what rotation does not do: it does not re-encrypt existing data, and it does not revoke anything, because the earlier backing keys remain usable for decryption and the key policy and grants are untouched. If the key policy or the principals allowed to use the CMK are compromised, you still need to fix the policy (or disable the key), not just rotate it.

Audit

To determine if your customer master keys have Key Rotation enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu.

05 Select the alias of the CMK that you need to check under Alias column.

06 Check the status of the Rotate this key every year switch under the Key Rotation section. If the switch is off, automatic key rotation is disabled for the selected CMK.

Using AWS CLI

01 Run list-keys command (OSX/Linux/UNIX) to list all the KMS keys in your current AWS region (the output also includes AWS managed keys such as aws/s3, whose rotation is handled by AWS and which this check does not apply to):

aws kms list-keys

02 The command output should return the ARN (Amazon Resource Name) and the ID for each CMK created in your current AWS region:

{
    "Keys": [
        {
            "KeyArn": "arn:aws:kms:us-west-2:123456789012:key/8e1a0a1b-fa71-4077-8fde-e4cab5f1458c",
            "KeyId": "8e1a0a1b-fa71-4077-8fde-e4cab5f1458c"
        }
    ]
}

03 Run get-key-rotation-status command (OSX/Linux/UNIX) using the CMK ID as parameter to determine if the selected key has Key Rotation feature enabled:

aws kms get-key-rotation-status \
    --key-id 8e1a0a1b-fa71-4077-8fde-e4cab5f1458c

04 The command output should expose the Key Rotation status for the selected CMK (true for enabled, false for disabled):

{
    "KeyRotationEnabled": false
}

Remediation / Resolution

To enable AWS KMS Key Rotation, you need to perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu.

05 Select the alias of the CMK that you need to reconfigure under Alias column.

06 Under the Key Rotation section, enable the Rotate this key every year checkbox and click Save Changes.

Using AWS CLI

01 Run list-keys command (OSX/Linux/UNIX) to list all the KMS keys in your current AWS region (the output also includes AWS managed keys such as aws/s3, which cannot be reconfigured with the commands below):

aws kms list-keys

02 The command output should return the ARN (Amazon Resource Name) and the ID for each CMK created in your current AWS region:

{
    "Keys": [
        {
            "KeyArn": "arn:aws:kms:us-west-2:123456789012:key/8e1a0a1b-fa71-4077-8fde-e4cab5f1458c",
            "KeyId": "8e1a0a1b-fa71-4077-8fde-e4cab5f1458c"
        }
    ]
}

03 Run enable-key-rotation command (OSX/Linux/UNIX) using the CMK ID as parameter to enable Key Rotation for the selected key. The call succeeds only for customer managed CMKs whose key material was generated by KMS; KMS rejects it for AWS managed keys and for keys with imported key material:

aws kms enable-key-rotation \
    --key-id 8e1a0a1b-fa71-4077-8fde-e4cab5f1458c

04 Run get-key-rotation-status command (OSX/Linux/UNIX) to make sure that the Key Rotation feature has been enabled:

aws kms get-key-rotation-status \
    --key-id 8e1a0a1b-fa71-4077-8fde-e4cab5f1458c

05 The command output should now return true for the selected CMK, confirming that Key Rotation is enabled (the first automatic rotation happens one year after enabling):

{
    "KeyRotationEnabled": true
}
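The CLI steps above audit and fix one CMK at a time. The following Python script is an added example (not part of the original page and not Cloud Conformity code) that runs the same audit across every key in a region and remediates the findings: it follows ListKeys pagination, uses DescribeKey to skip the keys that cannot be rotated (AWS managed keys and keys with imported key material, Origin EXTERNAL), checks GetKeyRotationStatus on the rest, and calls EnableKeyRotation on the non-compliant ones. The audit logic takes a boto3-style KMS client; the FakeKms class and SAMPLE_KEYS are constructed stand-ins that mirror the boto3 response shapes so the script runs offline, and the key IDs other than the one from this page are made up.

```python
"""Audit and remediate AWS KMS automatic key rotation across a region (added example)."""
from typing import Dict, Iterable, List


def iter_key_metadata(kms) -> Iterable[Dict]:
    """Yield DescribeKey metadata for every key, following ListKeys pagination."""
    marker = None
    while True:
        kwargs = {"Limit": 100}
        if marker:
            kwargs["Marker"] = marker
        page = kms.list_keys(**kwargs)
        for key in page["Keys"]:
            yield kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
        if not page.get("Truncated"):
            return
        marker = page["NextMarker"]


def audit_rotation(kms) -> Dict[str, List[str]]:
    """Classify keys as rotating, not_rotating, or skipped (with the reason)."""
    report: Dict[str, List[str]] = {"rotating": [], "not_rotating": [], "skipped": []}
    for md in iter_key_metadata(kms):
        key_id = md["KeyId"]
        # AWS managed keys (aws/<service>) are rotated by AWS; EnableKeyRotation is not allowed on them.
        if md.get("KeyManager") != "CUSTOMER":
            report["skipped"].append(f"{key_id}: AWS managed key")
            continue
        # Automatic rotation only exists for material KMS generated itself (Origin AWS_KMS).
        if md.get("Origin") != "AWS_KMS":
            report["skipped"].append(f"{key_id}: key material origin {md.get('Origin')}")
            continue
        if md.get("KeyState") == "PendingDeletion":
            report["skipped"].append(f"{key_id}: pending deletion")
            continue
        enabled = kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]
        report["rotating" if enabled else "not_rotating"].append(key_id)
    return report


def remediate(kms, key_ids: List[str]) -> List[str]:
    """Enable rotation on each key and return the IDs whose status now reads true."""
    for key_id in key_ids:
        kms.enable_key_rotation(KeyId=key_id)
    return [k for k in key_ids if kms.get_key_rotation_status(KeyId=k)["KeyRotationEnabled"]]


class FakeKms:
    """Constructed stand-in for boto3's KMS client; response shapes match the real API."""
    PAGE = 2  # small page size so the pagination path is exercised

    def __init__(self, keys: List[Dict]):
        self._order = [k["KeyId"] for k in keys]
        self._meta = {k["KeyId"]: {f: k[f] for f in ("KeyId", "KeyManager", "Origin", "KeyState")} for k in keys}
        self._rotation = {k["KeyId"]: k["rotation"] for k in keys}

    def list_keys(self, Limit=100, Marker=None):
        start = int(Marker) if Marker else 0
        ids = self._order[start:start + self.PAGE]
        page = {"Keys": [{"KeyId": i, "KeyArn": f"arn:aws:kms:us-west-2:123456789012:key/{i}"} for i in ids]}
        page["Truncated"] = start + self.PAGE < len(self._order)
        if page["Truncated"]:
            page["NextMarker"] = str(start + self.PAGE)
        return page

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self._meta[KeyId])}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self._rotation[KeyId]}

    def enable_key_rotation(self, KeyId):
        md = self._meta[KeyId]
        if md["KeyManager"] != "CUSTOMER" or md["Origin"] != "AWS_KMS":
            raise ValueError("KMS rejects EnableKeyRotation for this key")  # mirrors the real service refusing
        self._rotation[KeyId] = True
        return {}


# Constructed sample inventory: the first ID is the one used on this page, the rest are made up.
SAMPLE_KEYS = [
    {"KeyId": "8e1a0a1b-fa71-4077-8fde-e4cab5f1458c", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS", "KeyState": "Enabled", "rotation": False},
    {"KeyId": "11111111-1111-1111-1111-111111111111", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS", "KeyState": "Enabled", "rotation": True},
    {"KeyId": "22222222-2222-2222-2222-222222222222", "KeyManager": "AWS", "Origin": "AWS_KMS", "KeyState": "Enabled", "rotation": False},
    {"KeyId": "33333333-3333-3333-3333-333333333333", "KeyManager": "CUSTOMER", "Origin": "EXTERNAL", "KeyState": "Enabled", "rotation": False},
]


def demo():
    """Audit the constructed inventory, fix the findings, and audit again."""
    kms = FakeKms(SAMPLE_KEYS)
    before = audit_rotation(kms)
    fixed = remediate(kms, before["not_rotating"])
    after = audit_rotation(kms)
    return before, fixed, after


if __name__ == "__main__":
    import boto3  # real run: region and credentials come from the usual AWS CLI configuration
    print(audit_rotation(boto3.client("kms")))
```

Against a real account, replace the fake with boto3.client("kms") as in the __main__ block; the audit needs kms:ListKeys, kms:DescribeKey and kms:GetKeyRotationStatus, and remediation additionally needs kms:EnableKeyRotation on the affected keys. The skipped list is worth reviewing by hand: keys with imported material cannot use automatic rotation, so for those you have to rotate manually (create a new CMK and re-point the alias).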


Publication date Apr 6, 2016