This rule checks that automatic rotation is enabled for AWS Key Management Service (KMS) customer managed keys (CMKs), as part of the System and Services Acquisition benchmark.
Rule | KMS CMK rotation should be enabled |
Framework | NIST 800-53 Revision 5 |
Severity | ✔ Critical |
Rule Description
Rotation should be enabled for KMS (Key Management Service) customer managed keys (CMKs; AWS previously called these "Customer Master Keys") to comply with the NIST (National Institute of Standards and Technology) 800-53 Revision 5 security control requirements.
Automatic rotation generates new cryptographic key material for the CMK on a schedule (every year by default; AWS allows a period of 90 to 2,560 days) and uses the newest material for all subsequent encryption operations, while KMS retains every earlier version so that data encrypted before the rotation can still be decrypted. The key's ID, ARN, alias and key policy do not change, so applications need no modification. Rotation limits how much data is ever protected by a single version of key material; it does not retire old material, so ciphertext produced before a compromise is not made safe by rotating.
Troubleshooting
If KMS CMK rotation is not enabled and compliance with NIST 800-53 Revision 5 is required, follow the troubleshooting steps below:
Identify Key Management Service: Determine if your organization is actively using AWS Key Management Service (KMS) to manage encryption keys.
Check KMS CMK Rotation Status: Verify the current rotation status of the CMK in KMS. You can do this by using the AWS Management Console or the AWS Command Line Interface (CLI).
Confirm NIST 800-53 Revision 5 Compliance: Ensure that your organization requires compliance with NIST 800-53 Revision 5. This may involve checking your organization's security policies or consulting with your security team.
Enable KMS CMK Rotation: If KMS CMK rotation is not already enabled, follow the remediation steps below to enable the rotation.
Remediation
To enable KMS CMK rotation for compliance with NIST 800-53 Revision 5, follow the step-by-step guide below:
Identify and Select the CMK: Determine the customer managed key (CMK) that needs to have rotation enabled. This can be done through the AWS Management Console or by using the AWS CLI.
Enable CMK Rotation: Enable rotation for the selected CMK by using the AWS Management Console or the AWS CLI. If using the console:
a. Go to the AWS KMS management console.
b. Select "Customer managed keys" from the left-hand menu.
c. Find the target CMK and click on its alias.
d. In the "Key rotation" section, click on "Edit".
e. Select the checkbox to enable key rotation.
f. Click on "Save".
If using the AWS CLI, run the following command:
aws kms enable-key-rotation --key-id <CMK-key-id>
Replace <CMK-key-id> with the key ID or key ARN of the CMK.
Verify Key Rotation: Confirm that key rotation has been enabled successfully for the CMK. This can be verified using the AWS Management Console or the AWS CLI.
If using the console, repeat steps a to c of the "Enable CMK Rotation" section and confirm that the "Key rotation" section shows rotation as enabled.
If using the AWS CLI, run the following command:
aws kms get-key-rotation-status --key-id <CMK-key-id>
Replace <CMK-key-id> with the key ID or key ARN of the CMK. The response should contain "KeyRotationEnabled": true.
Monitor and Test: Regularly monitor the key rotation status via the AWS KMS console or CLI, or continuously with the AWS Config managed rule cmk-backing-key-rotation-enabled. Automatic rotation is transparent to callers, because the key ID and ARN stay the same and KMS keeps all previous key material for decryption, so no application changes are needed. Note the keys this remediation cannot fix: KMS only rotates symmetric encryption keys whose material it generated itself. Asymmetric keys, HMAC keys, keys with imported key material and keys in a custom key store must be rotated manually by creating a new key and pointing the alias at it, and enable-key-rotation fails on a key that is disabled or pending deletion. Test the result in a non-production account first to confirm that encrypt and decrypt calls keep working across the rotation.
By following the above steps, you can enable KMS CMK rotation and fulfill the requirements for NIST 800-53 Revision 5 compliance.
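The remediation above handles one CMK at a time. The script below, added here as an example and not part of the original page, audits every customer managed key in the current account and region with the AWS CLI, enables automatic rotation on the keys KMS can rotate, and reports the ones (asymmetric, HMAC, imported material, custom key store, disabled) that need manual rotation instead. It assumes AWS CLI v2 with credentials permitted to call kms:ListKeys, kms:DescribeKey, kms:GetKeyRotationStatus and kms:EnableKeyRotation; the function names and the action labels (enable, already-enabled, not-applicable) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: audit every customer managed
# KMS key in the current account/region and enable automatic rotation where
# AWS supports it. Assumes AWS CLI v2 and credentials allowed to call
# kms:ListKeys, kms:DescribeKey, kms:GetKeyRotationStatus, kms:EnableKeyRotation.
set -eu

# Decide whether KMS can rotate this key automatically.
# KMS only auto-rotates symmetric encryption keys whose material KMS generated:
# asymmetric (RSA_*, ECC_*), HMAC_* and imported-material (Origin EXTERNAL) or
# custom-key-store keys must be rotated manually. EnableKeyRotation also fails on
# keys that are not in the Enabled state, so those are excluded too.
# Args: key_manager key_spec origin key_state   -> returns 0 if rotatable
key_supports_auto_rotation() {
    [ "$1" = "CUSTOMER" ] || return 1
    [ "$2" = "SYMMETRIC_DEFAULT" ] || return 1
    [ "$3" = "AWS_KMS" ] || return 1
    [ "$4" = "Enabled" ] || return 1
    return 0
}

# Pure decision function (no AWS calls), so the policy can be checked offline.
# Args: key_manager key_spec origin key_state rotation_enabled(True|False)
# Prints exactly one of: enable | already-enabled | not-applicable
rotation_action() {
    if ! key_supports_auto_rotation "$1" "$2" "$3" "$4"; then
        echo not-applicable
    elif [ "$5" = "True" ]; then
        echo already-enabled
    else
        echo enable
    fi
}

# Live part: walk every key visible to the caller and act on each one.
audit_and_enable() {
    for key_id in $(aws kms list-keys --query 'Keys[].KeyId' --output text); do
        # Text output of a JMESPath list is one tab-separated line:
        # e.g. "CUSTOMER<TAB>SYMMETRIC_DEFAULT<TAB>AWS_KMS<TAB>Enabled"
        set -- $(aws kms describe-key --key-id "$key_id" \
            --query 'KeyMetadata.[KeyManager,KeySpec,Origin,KeyState]' \
            --output text)
        rotating=False
        if key_supports_auto_rotation "$@"; then
            # Text output prints the boolean as True/False.
            rotating=$(aws kms get-key-rotation-status --key-id "$key_id" \
                --query KeyRotationEnabled --output text)
        fi
        case "$(rotation_action "$@" "$rotating")" in
            enable)
                aws kms enable-key-rotation --key-id "$key_id"
                echo "$key_id: rotation enabled" ;;
            already-enabled)
                echo "$key_id: rotation already enabled" ;;
            *)
                echo "$key_id: automatic rotation not applicable" \
                     "(manager=$1 spec=$2 origin=$3 state=$4);" \
                     "rotate manually if customer managed" ;;
        esac
    done
}

# Only talk to AWS when explicitly asked, so the decision functions can be
# sourced and checked without credentials.
if [ "${1:-}" = "--apply" ]; then
    audit_and_enable
fi
```

Run it as `sh kms-rotation-audit.sh --apply` in each region you use, since KMS keys are regional. To shorten the default yearly period, add `--rotation-period-in-days 90` (any value from 90 to 2560) to the enable-key-rotation call; the keys reported as not-applicable still need a manual rotation plan (new key, alias update, re-encryption where policy requires it).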