
Rule: KMS CMK Rotation Should be Enabled

This rule ensures that Key Management Service Customer Master Keys are rotated for enhanced security.

Rule: KMS CMK rotation should be enabled
Framework: NIST 800-53 Revision 5
Severity: Critical

Rule Description

KMS CMK (Key Management Service Customer Master Key, which AWS now calls a customer managed KMS key) rotation should be enabled to satisfy the key management requirements of NIST 800-53 Revision 5 (control SC-12, Cryptographic Key Establishment and Management). With automatic rotation on, KMS generates new backing key material for the key on a schedule (every 365 days by default; the period is configurable) while keeping every previous version, so ciphertexts encrypted under older material still decrypt and no data has to be re-encrypted. The benefit is that a compromise or cryptanalysis of one key version exposes only the data encrypted during that version's lifetime rather than everything the key ever protected. Note that automatic rotation applies only to symmetric encryption keys whose material was generated by KMS: AWS managed keys are rotated by AWS every year and cannot be changed, while asymmetric keys, HMAC keys, keys with imported material, and keys in custom key stores do not support automatic rotation and are out of scope for this rule.

Troubleshooting Steps

If KMS CMK rotation is not enabled, or a key that should rotate is not actually rotating, expect the following:

  1. Non-compliance findings against NIST 800-53 Revision 5 (SC-12) and against any internal key management policy that requires periodic rotation.
  2. A larger blast radius if the key material is ever exposed, because every ciphertext the key has ever produced is protected by the same material.
  3. Failure to meet regulatory or contractual requirements that mandate periodic key rotation for data at rest.

Necessary Code

No application code is required for this rule: rotation is a per-key setting on the KMS key itself, which can be changed from the KMS console, the AWS CLI, or the KMS API.

Remediation Steps

Follow these steps to enable automatic rotation on a customer managed key from the AWS Management Console:

  1. Log in to the AWS Management Console with a principal that is allowed to call kms:EnableKeyRotation on the key.
  2. Navigate to the KMS (Key Management Service) dashboard, in the region where the key lives.
  3. Click "Customer managed keys" in the left sidebar (AWS managed keys are rotated by AWS and cannot be configured here).
  4. Select the CMK for which rotation needs to be enabled. It must be a symmetric encryption key with KMS-generated key material in the Enabled state; other key types do not offer the option.
  5. Open the "Key rotation" tab and click "Edit" (older versions of the console offered "Enable Key Rotation" under the "Key Actions" menu instead).
  6. Select "Enable automatic key rotation", optionally set a rotation period, and save. A confirmation shows the rotation status as enabled.
  7. Enabling rotation takes effect immediately; the first actual rotation happens at the end of the rotation period (365 days by default) and subsequent rotations follow the same schedule. Nothing needs to be re-encrypted, and callers keep using the same key ID.
  8. Verify the setting on the "Key rotation" tab, and repeat for every in-scope key in every region. For multi-region keys, rotation is configured on the primary key and propagates to its replicas.

CLI Command

Although enabling KMS CMK rotation can be done through the AWS Management Console, the AWS Command Line Interface (CLI) is the better choice for automation or for remediating many keys at once. Use the following command:

aws kms enable-key-rotation --key-id <CMK-Key-ID>

Replace <CMK-Key-ID> with the key ID or key ARN of the CMK for which rotation needs to be enabled, and run it with a profile or region that matches the key. The same identifier can be passed to the get-key-rotation-status subcommand to confirm that KeyRotationEnabled is now true. The call fails for keys that do not support rotation (asymmetric, HMAC, imported material, custom key store) and for keys that are disabled or pending deletion, so an audit script should filter on key metadata before attempting remediation.
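The remediation steps and the CLI command above cover one key at a time. The following script, added here as an example and not code from the original page or from any vendor tool, audits every key in an account and enables rotation only where the rule applies, skipping AWS managed, asymmetric, HMAC, imported-material, replica and non-Enabled keys that would otherwise make the call fail. It is written against the boto3 KMS client methods (list_keys, describe_key, get_key_rotation_status, enable_key_rotation) but takes the client as a parameter, so the constructed FakeKMS with made-up key metadata lets it run offline; pass boto3.client("kms") to run it for real.

```python
"""Audit KMS keys for automatic rotation and enable it where it applies.

Added example, not from the original page. Works against any object that
exposes the boto3 KMS client methods used below; the FakeKMS class and its
sample keys are constructed stand-ins so the script runs offline.
"""

COMPLIANT = "compliant"
NONCOMPLIANT = "noncompliant"
REMEDIATED = "remediated"


def not_applicable_reason(meta):
    """Return why the rule does not apply to a key, or None if it does.

    meta is the KeyMetadata dict from describe_key. Automatic rotation exists
    only for customer managed, symmetric encryption keys with KMS-generated
    material that are currently Enabled; replicas inherit it from the primary.
    """
    if meta.get("KeyManager") != "CUSTOMER":
        return "AWS managed key, rotated by AWS every year"
    if meta.get("KeySpec") != "SYMMETRIC_DEFAULT":
        return "asymmetric or HMAC key, no automatic rotation"
    if meta.get("Origin") != "AWS_KMS":
        return "imported or external key material"
    mrc = meta.get("MultiRegionConfiguration") or {}
    if mrc.get("MultiRegionKeyType") == "REPLICA":
        return "replica key, rotation is configured on the primary"
    if meta.get("KeyState") != "Enabled":
        return "key state is %s" % meta.get("KeyState")
    return None


def audit(kms, remediate=False, rotation_period_days=None):
    """Return {key_id: status} for every key; optionally enable rotation.

    list_keys is paged with Marker/NextMarker exactly as the real API does.
    rotation_period_days, if given, is passed as RotationPeriodInDays.
    """
    results = {}
    marker = None
    while True:
        page = kms.list_keys(**({"Marker": marker} if marker else {}))
        for key in page["Keys"]:
            key_id = key["KeyId"]
            meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
            reason = not_applicable_reason(meta)
            if reason:
                results[key_id] = "not_applicable: " + reason
                continue
            enabled = kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]
            if enabled:
                results[key_id] = COMPLIANT
            elif remediate:
                params = {"KeyId": key_id}
                if rotation_period_days:
                    params["RotationPeriodInDays"] = rotation_period_days
                kms.enable_key_rotation(**params)
                results[key_id] = REMEDIATED
            else:
                results[key_id] = NONCOMPLIANT
        if not page.get("Truncated"):
            return results
        marker = page["NextMarker"]


# Constructed sample account: (KeyMetadata subset, rotation currently on?)
SAMPLE_KEYS = [
    ({"KeyId": "k-cust-norot", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
      "Origin": "AWS_KMS", "KeyState": "Enabled"}, False),
    ({"KeyId": "k-cust-rot", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
      "Origin": "AWS_KMS", "KeyState": "Enabled"}, True),
    ({"KeyId": "k-aws", "KeyManager": "AWS", "KeySpec": "SYMMETRIC_DEFAULT",
      "Origin": "AWS_KMS", "KeyState": "Enabled"}, True),
    ({"KeyId": "k-rsa", "KeyManager": "CUSTOMER", "KeySpec": "RSA_2048",
      "Origin": "AWS_KMS", "KeyState": "Enabled"}, False),
    ({"KeyId": "k-import", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
      "Origin": "EXTERNAL", "KeyState": "Enabled"}, False),
]


class FakeKMS:
    """Constructed stand-in for boto3.client('kms'); records remediation calls."""

    def __init__(self, keys):
        self.meta = {m["KeyId"]: m for m, _ in keys}
        self.rotating = {m["KeyId"]: r for m, r in keys}
        self.calls = []

    def list_keys(self, **kwargs):
        return {"Keys": [{"KeyId": k} for k in self.meta], "Truncated": False}

    def describe_key(self, KeyId):
        return {"KeyMetadata": self.meta[KeyId]}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self.rotating[KeyId]}

    def enable_key_rotation(self, KeyId, **kwargs):
        self.calls.append(KeyId)
        self.rotating[KeyId] = True
        return {}


def demo(remediate=False):
    """Run the audit against the constructed account; returns (results, client)."""
    kms = FakeKMS(SAMPLE_KEYS)
    return audit(kms, remediate=remediate), kms


if __name__ == "__main__":
    for key_id, status in demo(remediate=True)[0].items():
        print(key_id, status)
```

Run it first with remediate=False to get a report, then with remediate=True once the list of keys it would touch has been reviewed; in the sample account only k-cust-norot is changed. After remediation, `aws kms get-key-rotation-status --key-id <CMK-Key-ID>` should report KeyRotationEnabled as true for each remediated key.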

Summary

Enabling KMS CMK rotation for NIST 800-53 Revision 5 compliance ensures that the key material behind each customer managed symmetric key is replaced on a schedule, limiting how much data any single key version protects, without re-encrypting existing data or changing the key ID applications use. The remediation steps above enable rotation through the AWS Management Console or the AWS CLI; for accounts with many keys, script the check and the enable-key-rotation call, and verify the result with get-key-rotation-status.
