
Ensure Rotation for Customer Created CMKs is Enabled Rule

This rule ensures the rotation is enabled for customer created CMKs.

Rule: Ensure rotation for customer created CMKs is enabled
Framework: cis_v130
Severity: Medium

Ensure Rotation for Customer Created CMKs is Enabled (CIS v1.3.0)

AWS Key Management Service (KMS) enables customers to create and manage cryptographic keys. It's crucial to automatically rotate the customer master keys (CMKs) to enhance security. CIS AWS Foundations Benchmark v1.3.0 recommends that CMKs have automatic rotation enabled.

Why Enable CMK Rotation?

Rotating keys limits the period during which a single key is used and thus reduces the chances of compromise. Key rotation is a well-established security best practice that can help you mitigate the potential damage in case of a key leak or breach.

Checking CMK Rotation Status

Before enabling rotation, you need to check if it's already enabled for your CMKs. Below are the CLI commands and steps to verify CMK rotation status.

Prerequisites

  • AWS CLI installed and configured
  • Necessary permissions to execute KMS commands

Steps to Check Rotation Status

To list all CMKs:

aws kms list-keys

For each CMK, check if rotation is enabled:

aws kms get-key-rotation-status --key-id <your-cmk-id>

If the returned JSON includes "KeyRotationEnabled": true, rotation is enabled for that key.

Enabling Key Rotation

If rotation is not enabled, you can turn it on by using the following command:

aws kms enable-key-rotation --key-id <your-cmk-id>

Remediation

To enable key rotation for all customer-managed CMKs that do not have it enabled, use the following script. It skips keys that cannot be rotated automatically (AWS-managed keys, asymmetric and HMAC keys, keys with imported material, and keys that are disabled or pending deletion), since calling enable-key-rotation on those fails:

#!/bin/bash
set -euo pipefail

# List all key ids as whitespace-separated text. The default JSON output
# would leave brackets, quotes and commas in the loop variable.
CMKS=$(aws kms list-keys --query 'Keys[].KeyId' --output text)

# Loop through the list of keys
for KEY_ID in $CMKS; do
    # Automatic rotation applies only to enabled, customer-managed, symmetric
    # keys whose material was generated by KMS; skip everything else.
    read -r MANAGER SPEC ORIGIN STATE < <(aws kms describe-key --key-id "$KEY_ID" \
        --query 'KeyMetadata.[KeyManager,KeySpec,Origin,KeyState]' --output text)
    if [ "$MANAGER" != "CUSTOMER" ] || [ "$SPEC" != "SYMMETRIC_DEFAULT" ] \
        || [ "$ORIGIN" != "AWS_KMS" ] || [ "$STATE" != "Enabled" ]; then
        continue
    fi

    # Check key rotation status (text output prints True/False)
    ROTATION_STATUS=$(aws kms get-key-rotation-status --key-id "$KEY_ID" \
        --query 'KeyRotationEnabled' --output text)

    # Enable rotation if not already enabled
    if [ "$ROTATION_STATUS" != "True" ]; then
        echo "Enabling rotation on $KEY_ID"
        aws kms enable-key-rotation --key-id "$KEY_ID"
    fi
done

Run this script from a shell where the AWS CLI is installed and configured with credentials that allow kms:ListKeys, kms:DescribeKey, kms:GetKeyRotationStatus and kms:EnableKeyRotation.

Validation

Post-remediation, validate that key rotation is enabled for all CMKs using the earlier commands.
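The per-key check described under "Steps to Check Rotation Status" and the post-remediation validation above can be combined into one audit that reports exactly which keys are non-compliant. The following script is an added example, not Cloud Defense's own tooling. The classification logic works on plain DescribeKey metadata dicts (the sample keys at the bottom are constructed, not real key ids), so it runs offline; the collect_keys function is an assumption about how a live run would gather the same data with boto3 and is only used with the --live flag. It applies the same scoping as the benchmark: only enabled, customer-managed, symmetric keys with KMS-generated material are expected to rotate, and get-key-rotation-status is skipped for keys where it would fail.

```python
"""Audit KMS keys for CIS AWS Foundations v1.3.0 CMK rotation.

Added example (not Cloud Defense's own tooling). boto3 is only needed for a
live run (collect_keys); classification runs on plain dicts so it can be
tested offline.
"""


def classify_key(metadata, rotation_enabled):
    """Return 'compliant', 'non_compliant' or 'not_applicable'.

    metadata: a KeyMetadata dict as returned by kms:DescribeKey.
    rotation_enabled: the KeyRotationEnabled boolean from
    kms:GetKeyRotationStatus, or None if the call was not made.
    """
    if metadata.get("KeyManager") != "CUSTOMER":
        return "not_applicable"  # AWS-managed keys rotate on AWS's schedule
    spec = metadata.get("KeySpec", metadata.get("CustomerMasterKeySpec"))
    if spec != "SYMMETRIC_DEFAULT":
        return "not_applicable"  # asymmetric and HMAC keys cannot auto-rotate
    if metadata.get("Origin") != "AWS_KMS":
        return "not_applicable"  # imported or external key material
    if metadata.get("KeyState") != "Enabled":
        return "not_applicable"  # disabled or pending deletion
    return "compliant" if rotation_enabled else "non_compliant"


def audit(keys):
    """keys: iterable of (metadata, rotation_enabled) pairs.

    Returns a dict mapping each status to the list of key ids in it.
    """
    report = {"compliant": [], "non_compliant": [], "not_applicable": []}
    for metadata, rotation_enabled in keys:
        report[classify_key(metadata, rotation_enabled)].append(metadata["KeyId"])
    return report


def collect_keys(region_name=None):
    """Live collection with boto3 (assumed available for a live run).

    Needs kms:ListKeys, kms:DescribeKey and kms:GetKeyRotationStatus. Uses the
    paginator so accounts with more than one page of keys are fully covered.
    """
    import boto3  # imported here so the offline functions above need no boto3
    kms = boto3.client("kms", region_name=region_name)
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            metadata = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            rotation = None
            # Only query rotation status where rotation is supported at all
            if classify_key(metadata, True) != "not_applicable":
                rotation = kms.get_key_rotation_status(
                    KeyId=key["KeyId"])["KeyRotationEnabled"]
            yield metadata, rotation


# Constructed sample data (not real keys) mirroring DescribeKey output
SAMPLE_KEYS = [
    ({"KeyId": "11111111-1111-1111-1111-111111111111", "KeyManager": "CUSTOMER",
      "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyState": "Enabled"}, True),
    ({"KeyId": "22222222-2222-2222-2222-222222222222", "KeyManager": "CUSTOMER",
      "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyState": "Enabled"}, False),
    ({"KeyId": "33333333-3333-3333-3333-333333333333", "KeyManager": "AWS",
      "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyState": "Enabled"}, True),
    ({"KeyId": "44444444-4444-4444-4444-444444444444", "KeyManager": "CUSTOMER",
      "KeySpec": "RSA_2048", "Origin": "AWS_KMS", "KeyState": "Enabled"}, None),
    ({"KeyId": "55555555-5555-5555-5555-555555555555", "KeyManager": "CUSTOMER",
      "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "EXTERNAL", "KeyState": "Enabled"}, None),
]


if __name__ == "__main__":
    import sys
    keys = collect_keys() if "--live" in sys.argv else SAMPLE_KEYS
    result = audit(keys)
    for key_id in result["non_compliant"]:
        print(f"NON-COMPLIANT: rotation disabled on {key_id}")
    print(f"{len(result['non_compliant'])} non-compliant, "
          f"{len(result['compliant'])} compliant, "
          f"{len(result['not_applicable'])} not applicable")
```

Run it without arguments to see the classification over the constructed sample (one non-compliant key, one compliant, three out of scope); run it with --live against an account to get the same report for real keys. Separating the decision logic from the API calls is deliberate: the scoping rules are where audits usually go wrong (flagging AWS-managed or asymmetric keys as findings), and keeping them in a pure function makes them easy to unit-test and to reuse in the remediation script.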

Summary

By following these steps, you can ensure that rotation for customer created CMKs is enabled, meeting the CIS AWS Foundations Benchmark v1.3.0 requirements. This process strengthens your cloud security posture and helps meet compliance standards.
