Once enabled, KMS Key Rotation lets you set a yearly rotation schedule for your CMK, so that whenever a customer master key is required to encrypt new data, the KMS service automatically uses the latest version of the HSA backing key (AWS hardened security appliance key) to perform the encryption.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Enabling this feature would significantly reduce the chance that a compromised customer master key (CMK) could be used without your knowledge to access certain AWS resources.
To determine if your customer master keys have Key Rotation enabled, perform the following:
To enable AWS KMS Key Rotation, you need to perform the following:
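The audit and the remediation that the two procedures above refer to, as an added example that is not part of the Cloud Conformity page or tool: the code takes a boto3-style KMS client and uses the ListKeys, DescribeKey, GetKeyRotationStatus and EnableKeyRotation calls; the `StubKms` class and its key IDs are a constructed placeholder inventory so it runs offline, and with real credentials you would pass `boto3.client("kms")` instead.

```python
"""Audit KMS key rotation: added example, not Cloud Conformity's own code."""
def is_rotation_candidate(meta: dict) -> bool:
    """Rotation exists only for enabled, customer-managed symmetric keys with KMS-made material."""
    return (meta.get("KeyManager") == "CUSTOMER" and meta.get("KeyState") == "Enabled"
            and meta.get("KeySpec") == "SYMMETRIC_DEFAULT" and meta.get("Origin") == "AWS_KMS")

def keys_without_rotation(kms) -> list:
    """Audit: IDs of candidate keys whose yearly rotation is off, across every ListKeys page."""
    findings, kwargs = [], {}
    while True:
        page = kms.list_keys(**kwargs)
        for key_id in (k["KeyId"] for k in page["Keys"]):
            if not is_rotation_candidate(kms.describe_key(KeyId=key_id)["KeyMetadata"]):
                continue  # AWS-managed, asymmetric, HMAC, imported or inactive keys: skip
            if not kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]:
                findings.append(key_id)
        if not page.get("Truncated"):
            return findings
        kwargs = {"Marker": page["NextMarker"]}

def enable_rotation(kms, key_ids: list) -> int:  # remediation: returns how many keys were switched on
    for key_id in key_ids:
        kms.enable_key_rotation(KeyId=key_id)
    return len(key_ids)

class StubKms:
    """Constructed stand-in for boto3.client("kms") so the audit runs offline, 2 keys per page."""
    def __init__(self, keys: dict, rotating: dict): self.keys, self.rotating = keys, rotating
    def list_keys(self, Marker="0"):
        start, ids = int(Marker), list(self.keys)
        page = {"Keys": [{"KeyId": k} for k in ids[start:start + 2]], "Truncated": start + 2 < len(ids)}
        return {**page, "NextMarker": str(start + 2)} if page["Truncated"] else page
    def describe_key(self, KeyId): return {"KeyMetadata": self.keys[KeyId]}
    def get_key_rotation_status(self, KeyId): return {"KeyRotationEnabled": self.rotating[KeyId]}
    def enable_key_rotation(self, KeyId):  # real KMS rejects keys that fail is_rotation_candidate
        self.rotating[KeyId] = True

def sample_client() -> StubKms:
    """Constructed inventory; the key IDs are placeholders, not real AWS identifiers."""
    cmk = {"KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyState": "Enabled"}
    keys = {"cmk-app-data": dict(cmk), "cmk-backups": dict(cmk),
            "cmk-signing": {**cmk, "KeySpec": "RSA_2048"},   # asymmetric: rotation unsupported
            "aws-managed-s3": {**cmk, "KeyManager": "AWS"}}  # AWS-managed: rotated by AWS itself
    rotating = {"cmk-app-data": True, "cmk-backups": False, "cmk-signing": False, "aws-managed-s3": True}
    return StubKms(keys, rotating)

if __name__ == "__main__":
    kms = sample_client()
    findings = keys_without_rotation(kms)  # ['cmk-backups']
    print("rotation disabled:", findings, "| remediated:", enable_rotation(kms, findings))
```

Keys that are not rotation candidates are skipped rather than reported, because enabling rotation on them is not an available remediation and KMS rejects the call.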