CloudSploit

AWS / KMS / KMS Key Rotation

## Quick Info

| | |
|---|---|
| Plugin Title | KMS Key Rotation |
| Cloud | AWS |
| Category | KMS |
| Description | Ensures KMS keys are set to rotate on a regular schedule |
| More Info | All KMS keys should have key rotation enabled. AWS will handle the rotation of the encryption key itself, as well as storage of previous keys, so previous data does not need to be re-encrypted before the rotation occurs. |
| AWS Link | http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html |
| Recommended Action | Enable yearly rotation for the KMS key |

## Detailed Remediation Steps

  1. Log in to the AWS Management Console.
  2. Select the "Services" option and search for KMS.
  3. Scroll down the left navigation panel and choose "Customer Managed Keys" under "Key Management Service".
  4. Select the key that needs to be verified by clicking on the alias of the key under "Alias".
  5. Scroll down the "Customer managed keys" page, click on the "Key rotation" tab and check the status of "Automatically rotate this KMS key every year". If it is not checked, the selected KMS key is not set to rotate on a regular schedule.
  6. Repeat steps 2 - 5 to verify the other KMS keys in the selected AWS region.
  7. Navigate to "Customer Managed Keys" under "Key Management Service" and select the KMS key for which yearly rotation needs to be enabled.
  8. Scroll down the "Customer managed keys" page and click on the "Key rotation" tab. Enable the "Automatically rotate this KMS key every year" checkbox and click on the "Save" button to apply the change.
  9. Repeat steps 7 - 8 to enable yearly rotation for all the remaining KMS keys.
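The console procedure above scales poorly across many keys and regions, so the same verify-then-remediate check is shown here in code. This is an added example, not CloudSploit's own plugin code: the evaluation logic works on plain dicts shaped like the AWS KMS `DescribeKey` and `GetKeyRotationStatus` responses so it can be run offline against constructed sample data, and an optional live collector uses `boto3` (assumed installed, with credentials) when you want real results. The applicability rules are the example's own assumptions about which keys can be rotated automatically: customer-managed keys (AWS-managed keys rotate on AWS's schedule), key material generated by KMS (imported `EXTERNAL` material cannot be auto-rotated), symmetric `SYMMETRIC_DEFAULT` keys, and keys not pending deletion.

```python
"""Find customer-managed KMS keys without automatic rotation.

Added example; not part of the CloudSploit project. Pure-Python evaluation over
API-shaped dicts, plus an optional live collector built on boto3.
"""
from typing import Dict, List, Optional

PASS, FAIL, SKIP = "PASS", "FAIL", "SKIP"


def is_rotation_applicable(metadata: Dict) -> bool:
    """Assumed rules: automatic rotation only applies to customer-managed,
    symmetric keys whose material was generated by KMS and that are not
    scheduled for deletion. Everything else is reported as SKIP."""
    return (
        metadata.get("KeyManager") == "CUSTOMER"
        and metadata.get("Origin") == "AWS_KMS"
        and metadata.get("KeySpec") == "SYMMETRIC_DEFAULT"
        and metadata.get("KeyState") not in ("PendingDeletion", "PendingReplicaDeletion")
    )


def evaluate_keys(keys: List[Dict]) -> Dict[str, str]:
    """Each entry: {"metadata": <KeyMetadata dict>, "rotation": <bool or None>}.
    Returns {KeyId: PASS | FAIL | SKIP} mirroring the console check in steps 4-6."""
    results = {}
    for entry in keys:
        md = entry["metadata"]
        if not is_rotation_applicable(md):
            results[md["KeyId"]] = SKIP
        elif entry.get("rotation") is True:
            results[md["KeyId"]] = PASS
        else:
            results[md["KeyId"]] = FAIL
    return results


def keys_to_remediate(keys: List[Dict]) -> List[str]:
    """KeyIds that need EnableKeyRotation (steps 7-9 of the console procedure)."""
    return sorted(k for k, status in evaluate_keys(keys).items() if status == FAIL)


def collect_live(region: str) -> List[Dict]:
    """Optional live path: requires boto3 and AWS credentials (assumed available)."""
    import boto3  # imported here so the offline functions above never need it

    kms = boto3.client("kms", region_name=region)
    collected = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            md = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            rotation: Optional[bool] = None
            if is_rotation_applicable(md):
                rotation = kms.get_key_rotation_status(KeyId=key["KeyId"])["KeyRotationEnabled"]
            collected.append({"metadata": md, "rotation": rotation})
    return collected


def remediate_live(region: str, key_ids: List[str]) -> None:
    """Enable yearly rotation on the given keys (live, needs kms:EnableKeyRotation)."""
    import boto3

    kms = boto3.client("kms", region_name=region)
    for key_id in key_ids:
        kms.enable_key_rotation(KeyId=key_id)


def _md(key_id: str, **overrides) -> Dict:
    base = {"KeyId": key_id, "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
            "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled"}
    base.update(overrides)
    return base


# Constructed sample data standing in for DescribeKey/GetKeyRotationStatus output.
SAMPLE_KEYS = [
    {"metadata": _md("cmk-rotating"), "rotation": True},
    {"metadata": _md("cmk-not-rotating"), "rotation": False},
    {"metadata": _md("aws-managed", KeyManager="AWS"), "rotation": True},
    {"metadata": _md("imported-material", Origin="EXTERNAL"), "rotation": None},
    {"metadata": _md("rsa-signing", KeySpec="RSA_2048", KeyUsage="SIGN_VERIFY"), "rotation": None},
    {"metadata": _md("being-deleted", KeyState="PendingDeletion"), "rotation": False},
]

if __name__ == "__main__":
    for key_id, status in evaluate_keys(SAMPLE_KEYS).items():
        print(f"{status:4} {key_id}")
    print("needs EnableKeyRotation:", keys_to_remediate(SAMPLE_KEYS))
```

Run it as-is to see the classification of the sample keys; swap `SAMPLE_KEYS` for `collect_live("us-east-1")` (with a region of your choice) to audit a real account, and feed `keys_to_remediate(...)` into `remediate_live(...)` only after reviewing the list, since rotation changes are per key and per region.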