
Rule: KMS CMK Rotation Should Be Enabled

This rule ensures that Key Management Service Customer Master Key rotation is enabled for enhanced security measures.

Rule: KMS CMK rotation should be enabled
Framework: CISA-cyber-essentials
Severity: Critical

Rule: KMS CMK Rotation for CISA-Cyber-Essentials

Description of the Rule

AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the cryptographic keys used to secure your data. Customer Master Keys (CMKs) are the primary resources in KMS, which can either be AWS-managed or customer-managed.

For compliance with the Cybersecurity and Infrastructure Security Agency (CISA) Cyber Essentials, it's crucial that customer-managed CMKs have automatic key rotation enabled. Key rotation is the process of generating new cryptographic material for your CMK and making it the new backing key for that CMK. This enhances security by limiting the amount of data protected by any single key, reducing the impact of a key compromise, and ensuring that data is protected with new keys periodically.

When to Enable:

  • Keys that are used frequently for encryption/decryption operations.
  • When data security policies or compliance standards necessitate regular key rotation.

When Not Necessary:

  • For keys used exclusively for digital signature verification, which do not become less secure over time.
  • If rotation could lead to a complex key management process without substantial security benefits.

Troubleshooting Steps

Checking Rotation Status

To determine whether a customer-managed CMK has automatic key rotation enabled, you can use the AWS Management Console or the AWS CLI.

  1. AWS Management Console:
     • Go to the AWS KMS Console.
     • Select the CMK from the list.
     • Look for the "Key Rotation" section in the key details to see if it's enabled.
  2. AWS CLI:
     • Run the following command to describe the key and check its rotation status:
       aws kms get-key-rotation-status --key-id <your-key-id>

Enabling Key Rotation

If the CMK's key rotation is not enabled, follow these steps to enable it.

  1. AWS Management Console:
     • Navigate to the key's detail page.
     • In the "Key Rotation" section, select "Automatically rotate this CMK every year."
  2. AWS CLI:
     • Execute the following command to enable rotation for the specified CMK:
       aws kms enable-key-rotation --key-id <your-key-id>

Verification

Verify that key rotation has been enabled:

aws kms get-key-rotation-status --key-id <your-key-id>

Remediation

Via the AWS Management Console

  • Access the AWS KMS Console.
  • Choose the desired CMK.
  • In the "Key Rotation" section, click the "Enable" option.

Via the AWS CLI

  • Enable key rotation by running the following command:
    aws kms enable-key-rotation --key-id <your-key-id>

Via Infrastructure as Code (AWS CloudFormation)

  • If you manage your AWS resources through CloudFormation, ensure that the EnableKeyRotation property of the AWS::KMS::Key resource is set to true.

    Example CloudFormation Snippet:

    MyKey:
      Type: 'AWS::KMS::Key'
      Properties:
        EnableKeyRotation: true
        KeyPolicy:
          ...

Step-by-Step Guide for Remediation

  1. Identify CMKs
     • List all customer-managed CMKs in your account.
  2. Check Rotation
     • Examine each CMK to see whether rotation is enabled.
  3. Enable Rotation
     • For CMKs without rotation, enable automatic key rotation.
  4. Verify Changes
     • Ensure that rotation is now enabled for all CMKs that require it based on your policies.
  5. Document Changes
     • Update your key management policies and documents to reflect the change.
  6. Monitor Compliance
     • Regularly audit your CMKs and policies to maintain continuous compliance.
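The identify/check/enable/verify steps above, scripted as an added example (this is not Cloud Defense's code). It calls the same KMS operations as the CLI commands on this page through a boto3-style client; FakeKms and sample_client are constructed stand-ins so the logic runs offline, and for a real account you would pass boto3.client("kms") instead. It also skips keys that cannot be auto-rotated (asymmetric, HMAC, imported material, custom key store, AWS-managed), since enabling rotation on those fails.

```python
# Added example, not the page's code. Pass boto3.client("kms") for real use; FakeKms below is a
# constructed offline stand-in so the audit/remediation logic can be exercised without an account.
def rotation_eligible(meta):
    # Automatic rotation applies only to customer-managed symmetric encryption keys with KMS-generated
    # material; asymmetric/HMAC keys, imported material, custom key stores and AWS-managed keys do not qualify.
    return (meta["KeyManager"] == "CUSTOMER" and meta["KeyUsage"] == "ENCRYPT_DECRYPT"
            and meta["Origin"] == "AWS_KMS" and meta["KeyState"] == "Enabled")

def audit_rotation(kms, remediate=False):
    """Return {key_id: 'compliant' | 'non_compliant' | 'not_applicable'} for every key in the account."""
    result, marker = {}, None
    while True:  # list_keys is paginated: follow NextMarker until Truncated is false
        page = kms.list_keys(Marker=marker) if marker else kms.list_keys()
        for key in page["Keys"]:
            kid = key["KeyId"]
            meta = kms.describe_key(KeyId=kid)["KeyMetadata"]
            if not rotation_eligible(meta):
                result[kid] = "not_applicable"
                continue
            if remediate and not kms.get_key_rotation_status(KeyId=kid)["KeyRotationEnabled"]:
                kms.enable_key_rotation(KeyId=kid)
            # Verify by re-reading the status rather than trusting the enable call
            enabled = kms.get_key_rotation_status(KeyId=kid)["KeyRotationEnabled"]
            result[kid] = "compliant" if enabled else "non_compliant"
        if not page.get("Truncated"):
            return result
        marker = page["NextMarker"]
class FakeKms:
    """Constructed stand-in for boto3's KMS client; serves two keys per page to exercise paging."""
    def __init__(self, keys):
        self.keys = keys  # key_id -> [KeyMetadata dict, rotation_enabled]
    def list_keys(self, Marker=None):
        ids = sorted(self.keys)
        start = ids.index(Marker) if Marker else 0
        page = {"Keys": [{"KeyId": k} for k in ids[start:start + 2]], "Truncated": start + 2 < len(ids)}
        if page["Truncated"]:
            page["NextMarker"] = ids[start + 2]
        return page
    def describe_key(self, KeyId):
        return {"KeyMetadata": self.keys[KeyId][0]}
    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self.keys[KeyId][1]}
    def enable_key_rotation(self, KeyId):
        self.keys[KeyId][1] = True

def sample_client():
    """Constructed account: an unrotated symmetric key, a rotated one, a signing key and an AWS-managed key."""
    def m(usage="ENCRYPT_DECRYPT", origin="AWS_KMS", manager="CUSTOMER"):
        return {"KeyManager": manager, "KeyUsage": usage, "Origin": origin, "KeyState": "Enabled"}
    return FakeKms({"key-a-norotate": [m(), False], "key-b-rotated": [m(), True],
                    "key-c-signing": [m("SIGN_VERIFY"), False], "key-d-awsmanaged": [m(manager="AWS"), False]})
```

Running audit_rotation(sample_client()) flags only key-a-norotate as non_compliant; with remediate=True it enables rotation there and leaves the signing and AWS-managed keys untouched.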

