This rule checks that automatic key rotation is enabled for customer-created CMKs.
Rule | Ensure rotation for customer created CMKs is enabled
Framework | cis_v130
Severity | Medium
Ensure Rotation for Customer Created CMKs is Enabled (CIS v1.3.0)
AWS Key Management Service (KMS) enables customers to create and manage cryptographic keys. It's crucial to automatically rotate the customer master keys (CMKs) to enhance security. CIS AWS Foundations Benchmark v1.3.0 recommends that CMKs have automatic rotation enabled.
Why Enable CMK Rotation?
Rotating keys limits the period during which a single key is used and thus reduces the chances of compromise. Key rotation is a well-established security best practice that helps limit the damage if a key is leaked or breached. With KMS automatic rotation the key ID and ARN stay the same and earlier key material is retained for decrypting existing ciphertext, so rotation is transparent to applications that use the key.
Checking CMK Rotation Status
Before enabling rotation, you need to check if it's already enabled for your CMKs. Below are the CLI commands and steps to verify CMK rotation status.
Prerequisites
Steps to Check Rotation Status
To list all CMKs:
aws kms list-keys
For each CMK, check if rotation is enabled:
aws kms get-key-rotation-status --key-id <your-cmk-id>
If the returned JSON includes "KeyRotationEnabled": true, rotation is enabled for that key.
Enabling Key Rotation
If rotation is not enabled, you can turn it on by using the following command:
aws kms enable-key-rotation --key-id <your-cmk-id>
Remediation
To enable key rotation for all CMKs that do not have it enabled, use the following script:
#!/bin/bash
# Get the list of all KMS key IDs as whitespace-separated text
# (the default JSON output would leave brackets and commas in the loop variable)
CMKS=$(aws kms list-keys --query 'Keys[].KeyId' --output text)

# Loop through the list of keys
for KEY_ID in $CMKS; do
  # Skip AWS-managed keys: this rule covers customer-created CMKs only,
  # and enable-key-rotation is rejected for aws/* keys
  KEY_MANAGER=$(aws kms describe-key --key-id "$KEY_ID" --query 'KeyMetadata.KeyManager' --output text)
  if [ "$KEY_MANAGER" != "CUSTOMER" ]; then
    continue
  fi
  # Check key rotation status (JSON output so the value is the literal true/false)
  ROTATION_STATUS=$(aws kms get-key-rotation-status --key-id "$KEY_ID" --query 'KeyRotationEnabled' --output json)
  # Enable rotation if not already enabled; asymmetric, HMAC and imported-material
  # keys do not support automatic rotation, so report the failure and continue
  if [ "$ROTATION_STATUS" != "true" ]; then
    aws kms enable-key-rotation --key-id "$KEY_ID" || echo "Could not enable rotation for $KEY_ID" >&2
  fi
done
Run this script from a shell where AWS CLI is installed and configured with the necessary permissions.
Validation
Post-remediation, validate that key rotation is enabled for all CMKs using the earlier commands.
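As an added example (not part of the original rule page or the CIS benchmark), the check and remediation logic above expressed as an offline evaluator: it takes records shaped like the merged output of describe-key and get-key-rotation-status, decides which keys the rule applies to, and emits the enable-key-rotation command for each non-compliant key. The key IDs and records are constructed sample data, not real AWS output; the applicability filter encodes the KMS restriction that only customer-managed, symmetric, KMS-generated key material supports automatic rotation.

```python
import json

# Constructed sample records (not real AWS output). Each merges the fields a
# practitioner would read from `describe-key` and `get-key-rotation-status`.
SAMPLE_KEYS = [
    {"KeyId": "1111-cust-sym", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "Origin": "AWS_KMS", "KeyState": "Enabled", "KeyRotationEnabled": True},
    {"KeyId": "2222-cust-sym", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "Origin": "AWS_KMS", "KeyState": "Enabled", "KeyRotationEnabled": False},
    {"KeyId": "3333-aws-managed", "KeyManager": "AWS", "KeySpec": "SYMMETRIC_DEFAULT",
     "Origin": "AWS_KMS", "KeyState": "Enabled", "KeyRotationEnabled": True},
    {"KeyId": "4444-cust-rsa", "KeyManager": "CUSTOMER", "KeySpec": "RSA_2048",
     "Origin": "AWS_KMS", "KeyState": "Enabled", "KeyRotationEnabled": False},
    {"KeyId": "5555-cust-pending", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "Origin": "AWS_KMS", "KeyState": "PendingDeletion", "KeyRotationEnabled": False},
]


def rotation_applies(key):
    """Automatic rotation can only be enabled on customer-managed, symmetric keys
    whose material was generated by KMS. AWS-managed, asymmetric, HMAC and
    imported-material keys are out of scope for this rule, as are keys that are
    scheduled for deletion."""
    return (key["KeyManager"] == "CUSTOMER"
            and key["KeySpec"] == "SYMMETRIC_DEFAULT"
            and key["Origin"] == "AWS_KMS"
            and key["KeyState"] not in ("PendingDeletion", "PendingReplicaDeletion"))


def evaluate(keys):
    """Return (compliant, non_compliant, not_applicable) lists of key IDs."""
    compliant, non_compliant, not_applicable = [], [], []
    for key in keys:
        if not rotation_applies(key):
            not_applicable.append(key["KeyId"])
        elif key.get("KeyRotationEnabled") is True:
            compliant.append(key["KeyId"])
        else:
            non_compliant.append(key["KeyId"])
    return compliant, non_compliant, not_applicable


def remediation_commands(keys):
    """Emit the enable-key-rotation command for every non-compliant key."""
    _, non_compliant, _ = evaluate(keys)
    return [f"aws kms enable-key-rotation --key-id {kid}" for kid in non_compliant]


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_KEYS), indent=2))
    print("\n".join(remediation_commands(SAMPLE_KEYS)))
```

In a live check the records would come from `aws kms describe-key` and `aws kms get-key-rotation-status` for each ID returned by `aws kms list-keys`.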
Summary
By following these steps, you can ensure that rotation for customer created CMKs is enabled, meeting the CIS AWS Foundations Benchmark v1.3.0 requirements. This process strengthens your cloud security posture and helps meet compliance standards.