Rotate Google Cloud KMS Keys

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)

Ensure that all your Cloud Key Management Service (KMS) keys are rotated within a period of 90 days in order to meet security and compliance requirements. A KMS key is a named object representing a cryptographic key used for encrypting and decrypting application data. The KMS key material, the actual bits used for encryption, can change over time as new key versions are created. All KMS cryptographic keys are created with a specified rotation period, which represents the time interval between two consecutive key versions generated automatically by the KMS cloud service.

Security

User-managed KMS keys are powerful encryption credentials that can introduce severe security risks if are not managed correctly. Because the KMS key management within Google Cloud represents the user responsibility, enforcing an optimal key rotation period would significantly reduce the chance that a compromised key could be used without your knowledge to access encrypted data.

Note: After rotating a KMS key, its previous key version (which is no longer primary) is neither disabled or destroyed. This protects against data loss as this is required to decrypt the data encrypted by that previous key version.


Audit

To determine the rotation period configured for your KMS cryptographic keys, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Navigate to Cloud Key Management Service (KMS) dashboard at https://console.cloud.google.com/security/kms.

03 Click on the name of the GCP KMS key ring that you want to examine. A KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific location.

04 Click on the name of the KMS key that you want to examine to access the key configuration details. A cryptographic key is a GCP resource that is used for encrypting and decrypting data or for producing and verifying digital signatures. Check the rotation period configured for the selected key (including key versions), available in the Rotation period box. If the key rotation period is not less than 90 days, the rotation period configured for the selected Google Cloud Platform (GCP) KMS key is not compliant.

05 Repeat step no. 4 for each cryptographic key created within the selected KMS key ring.

06 Repeat steps no. 3 – 5 for each KMS key ring available in your Google cloud account.

Using GCP CLI

01 Run kms keyrings list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the KMS key rings available in your GCP account:

gcloud kms keyrings list
	--location=global

02 The command output should return the requested resource IDs:

NAME
projects/cc-internal-app-123123/locations/global/keyRings/cc-internal-key-ring
projects/cc-project5-app-123123/locations/global/keyRings/cc-project5-key-ring

03 Run kms keys list command (Windows/macOS/Linux) using the ID of the KMS key ring that you want to examine as identifier parameter and custom query filters to list the resource ID of each KMS cryptographic key created for the selected key ring:

gcloud kms keys list
	--keyring=projects/cc-internal-app-123123/locations/global/keyRings/cc-internal-key-ring
	--location=global
	--format="table(name)"

04 The command output should return the requested KMS key IDs:

NAME
projects/cc-internal-app-123123/locations/global/keyRings/cc-internal-key-ring/cryptoKeys/cc-internal-key
projects/cc-internal-app-123123/locations/global/keyRings/cc-internal-key-ring/cryptoKeys/cc-data-cryptokey

05 Run kms keys describe command (Windows/macOS/Linux) using the ID of the GCP KMS key that you want to examine as identifier parameter and custom query filters to describe the rotation period configured for the selected key:

gcloud kms keys describe projects/cc-internal-app-123123/locations/global/keyRings/cc-internal-key-ring/cryptoKeys/cc-internal-key
	--keyring=projects/cc-internal-app-123123/locations/global/keyRings/cc-internal-key-ring
	--location=global
	--format=json'(rotationPeriod)'

06 The command output should return the KMS key rotation period:

{
  "rotationPeriod": "31536000s"
}

07 Convert the "rotationPeriod" attribute value returned by the kms keys describe command output at the previous step, representing the key rotation period in seconds, to days:

printf '%dd\n' $((31536000/86400))

08 The command output should return the key rotation period in number of days:

365d

09 Repeat steps no. 5 – 8 for each cryptographic key created for the selected KMS key ring.

10 Repeat steps no. 3 – 9 for each KMS key ring provisioned in your Google cloud account.

Remediation / Resolution

To configure the rotation period for your Cloud Key Management Service (KMS) cryptographic keys to an optimal value of less than 90 days, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Navigate to Cloud Key Management Service (KMS) dashboard at https://console.cloud.google.com/security/kms.

03 Click on the name of the GCP KMS key ring that you want to access.

04 Select the KMS key that you want to reconfigure, click on the key submenu icon (3 dots) available on the right side and choose Edit rotation period.

05 In the Edit rotation period for <key-name> configuration box, select an optimal rotation period of less than 90 days for the selected key. After this time period, a new KMS key version will be created and used to encrypt new data. Use the Starting on date picker (DTP) control to set up the starting day for the configured rotation period, ideally as soon as possible. Click SAVE to apply the configuration changes.

06 If required, repeat step no. 4 and 5 to reconfigure the rotation period for other cryptographic keys available in the selected KMS key ring.

07 Repeat steps no. 3 – 6 for each KMS key ring created within your Google cloud account.

Using GCP CLI

01 Run kms keys update command (Windows/macOS/Linux) using the resource ID of the cryptographic key that you want to reconfigure as identifier parameter (see Audit section part I to identify the right key), to configure a 30-day rotation period for the selected KMS key, starting at the specified time (the command does not produce an output):

gcloud kms keys update projects/cc-internal-app-123123/locations/global/keyRings/cc-internal-key-ring/cryptoKeys/cc-internal-key
	--keyring=projects/cc-internal-app-123123/locations/global/keyRings/cc-internal-key-ring
	--location=global
	--rotation-period=30d
	--next-rotation-time=2020-04-15T10:00:00.0000Z

02 Repeat step no. 1 to reconfigure the rotation period for other cryptographic keys available in the selected KMS key ring.

03 Repeat step no. 1 and 2 for each KMS key ring created within your Google cloud account.

References

Publication date Feb 4, 2021

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Rotate Google Cloud KMS Keys

Risk level: Low