
Ensure Rotation for Customer Created CMKs is Enabled Rule

This rule requires enabling rotation for customer created CMKs to maintain security standards.

Rule: Ensure rotation for customer created CMKs is enabled
Framework: cis_v140
Severity: High

Rule Description: Rotation for Customer Created CMKs Enabled

Rule Summary:

The policy requires that rotation is enabled for Customer Master Keys (CMKs) created by customers. CMK rotation ensures the security of encryption keys used for data protection in AWS Key Management Service (KMS). By enabling rotation, you ensure that the cryptographic material used in the CMKs is periodically refreshed, reducing the risk of key compromise.

Troubleshooting Steps:

If rotation for customer created CMKs is not enabled, follow these troubleshooting steps:

  1. Identify CMKs: Identify the CMKs for which rotation is not enabled.
  2. Review Key Policies: Review the key policies associated with those CMKs to verify whether rotation is disabled in any of them.
  3. Modify Key Policy: Modify the key policy of each CMK that has rotation disabled and enable rotation.
  4. Recheck Rotation Status: Verify that rotation is now enabled for the CMKs.

Necessary Code:

If you prefer to automate the process using the AWS Command Line Interface (CLI), the following command enables rotation for a CMK:

    aws kms enable-key-rotation --key-id [CMK_ID]

Replace [CMK_ID] with the actual CMK ID for which you want to enable rotation.

Step-by-Step Guide to Enable Rotation for CMKs:

  1. Identify Customer Created CMKs
     • Log in to the AWS Management Console.
     • Open the AWS Key Management Service (KMS) console.
  2. Access CMKs
     • In the left navigation pane, click "Customer managed keys". This lists all the customer created CMKs in your account.
  3. Check Rotation Status
     • Click each CMK in the list to view its details.
     • Under the "Key Usage" section, check the "Key rotation status". If it is "Disabled", rotation needs to be enabled.
  4. Manage Key Policies
     • Click "Key policy" in the left navigation pane.
     • Review the key policies associated with the CMK.
     • Identify any policies that disable rotation.
  5. Edit Key Policy
     • Click the key policy that disables rotation for the CMK.
     • Modify the policy to enable rotation.
     • Save the updated policy.
  6. Validate Rotation Status
     • Go back to the details page of the CMK.
     • Verify that the "Key rotation status" is now "Enabled".
  7. Repeat for other CMKs
     • Repeat steps 3 to 6 for any other customer created CMKs that do not have rotation enabled.
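The audit and remediation above can be scripted rather than clicked through key by key. The following is an added example, not code from this page or from Cloud Defense: it evaluates the JSON shapes that `aws kms describe-key` and `aws kms get-key-rotation-status` return, reports every customer managed key whose rotation is off, and prints the page's `enable-key-rotation` command for each one. It assumes the AWS CLI is installed and credentials are configured when run with `--live`; without that flag it runs against constructed sample records (placeholder key IDs, not real keys). It also goes slightly beyond the page by skipping keys that KMS cannot rotate automatically (imported material, asymmetric or HMAC keys, keys pending deletion, multi-Region replicas), which is the filtering a real audit needs to avoid false findings.

```python
"""Audit customer managed KMS keys for automatic rotation (CIS 3.8 style).

Added example.  The audit logic works on the JSON returned by `describe-key`
and `get-key-rotation-status`; the live path shells out to the AWS CLI and is
only used when the script is started with --live.
"""
import json
import subprocess
import sys

# Automatic rotation applies only to customer managed, symmetric-encryption keys
# whose material was generated by KMS.  Imported (EXTERNAL) material, asymmetric
# and HMAC key specs, keys in external key stores and keys pending deletion are
# out of scope, and a multi-Region replica inherits rotation from its primary.
ROTATABLE_ORIGINS = {"AWS_KMS"}
ROTATABLE_SPECS = {"SYMMETRIC_DEFAULT"}
AUDITABLE_STATES = {"Enabled", "Disabled"}


def rotation_applies(meta: dict) -> bool:
    """True if automatic rotation can be turned on for this key at all."""
    spec = meta.get("KeySpec") or meta.get("CustomerMasterKeySpec")
    mrc = meta.get("MultiRegionConfiguration") or {}
    return (
        meta.get("KeyManager") == "CUSTOMER"
        and meta.get("KeyState") in AUDITABLE_STATES
        and meta.get("Origin") in ROTATABLE_ORIGINS
        and spec in ROTATABLE_SPECS
        and mrc.get("MultiRegionKeyType") != "REPLICA"
    )


def find_noncompliant(keys: list) -> list:
    """keys: list of (KeyMetadata dict, KeyRotationEnabled bool) pairs.
    Returns the KeyIds the rule flags: rotation applies but is disabled."""
    return [
        meta["KeyId"]
        for meta, rotation_enabled in keys
        if rotation_applies(meta) and not rotation_enabled
    ]


def remediation_commands(key_ids: list) -> list:
    """One CLI command per non-compliant key (the page's own remediation)."""
    return [f"aws kms enable-key-rotation --key-id {kid}" for kid in key_ids]


def _aws(*args) -> dict:
    """Run an AWS KMS CLI command and parse its JSON output (live mode only)."""
    out = subprocess.run(["aws", "kms", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def collect_from_account() -> list:
    """Gather (KeyMetadata, KeyRotationEnabled) for every key in the Region."""
    keys = []
    for entry in _aws("list-keys")["Keys"]:
        meta = _aws("describe-key", "--key-id", entry["KeyId"])["KeyMetadata"]
        rotation = False
        if rotation_applies(meta):  # only ask where the question makes sense
            rotation = _aws("get-key-rotation-status", "--key-id",
                            entry["KeyId"])["KeyRotationEnabled"]
        keys.append((meta, rotation))
    return keys


def _cmk(kid, manager="CUSTOMER", state="Enabled", origin="AWS_KMS",
         spec="SYMMETRIC_DEFAULT"):
    return {"KeyId": kid, "KeyManager": manager, "KeyState": state,
            "Origin": origin, "KeySpec": spec}


# Constructed sample records in the shape `describe-key` returns; the IDs are
# placeholders.  Only the first key should be reported.
SAMPLE_KEYS = [
    (_cmk("00000000-0000-4000-8000-000000000001"), False),          # finding
    (_cmk("00000000-0000-4000-8000-000000000002"), True),           # compliant
    (_cmk("00000000-0000-4000-8000-000000000003", manager="AWS"), True),  # AWS managed
    (_cmk("00000000-0000-4000-8000-000000000004", origin="EXTERNAL"), False),  # imported
    (_cmk("00000000-0000-4000-8000-000000000005", state="PendingDeletion"), False),
    (_cmk("00000000-0000-4000-8000-000000000006", spec="RSA_2048"), False),  # asymmetric
]

if __name__ == "__main__":
    keys = collect_from_account() if "--live" in sys.argv else SAMPLE_KEYS
    bad = find_noncompliant(keys)
    for cmd in remediation_commands(bad):
        print(cmd)
    sys.exit(1 if bad else 0)
```

Run it with `python audit_rotation.py --live` in a configured shell to audit the current Region; the exit status is non-zero when any finding exists, so it can gate a pipeline. The printed commands are the remediation from this page; review them before running, since enabling rotation on a key is a change to that key's configuration.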

Conclusion:

Enabling rotation for customer created CMKs ensures the continuous security and protection of encryption keys used in AWS Key Management Service. By following the step-by-step guide and troubleshooting steps, you can easily enable rotation for CMKs and maintain the highest level of key security for your applications and data.
