
Customer Master Key Rotation Rule

This rule focuses on enabling Customer Master Key rotation as a security measure.

Rule: Customer master key (CMK) rotation should be enabled
Framework: PCI v3.2.1
Severity: Medium

Customer Master Key (CMK) Rotation for PCI v3

Description:

To ensure compliance with PCI v3 (Payment Card Industry Data Security Standard version 3), it is recommended to enable automatic rotation for Customer Master Keys (CMKs) in AWS Key Management Service (KMS). CMKs are used for encrypting and decrypting sensitive data in AWS services such as Amazon S3 and Amazon RDS. Enabling CMK rotation helps to enhance the security of your data by having AWS KMS generate new key material on a regular schedule.

Troubleshooting Steps:

If you encounter any issues related to CMK rotation, you can follow these troubleshooting steps:

  1. Verify that your IAM (Identity and Access Management) policies have sufficient permissions to enable CMK rotation.
  2. Ensure that the AWS Key Management Service (KMS) is configured correctly and accessible to your AWS resources.
  3. Check if the CMK has been assigned the necessary IAM policies to allow rotation.

Necessary Codes:

No application code changes are required to enable CMK rotation. Rotation is a setting on the KMS key itself, which you change through the AWS Management Console or the AWS CLI.

Step-by-Step Guide for Remediation:

  1. Log in to the AWS Management Console.
  2. Open the AWS Key Management Service (KMS) console.
  3. Select the region where your CMK is located.
  4. Find the CMK that requires rotation and click on its alias or key ID.
  5. Scroll down to the "Key rotation" section.
  6. Click on the "Enable" button to enable CMK rotation.
  7. Review the options available for CMK rotation and select the desired rotation interval.
  8. Click on the "Save" button to save the changes.

Once rotation is enabled, AWS KMS will automatically rotate the CMK according to the chosen interval.

Note: The actual rotation process may take some time to complete, depending on the number of resources that use the CMK. During rotation, AWS KMS will automatically update the encryption keys without requiring any manual intervention.

By following these steps, you can ensure that the CMK rotation is enabled for PCI v3 compliance.
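As an added example that is not part of the original rule page, the following Python script evaluates an inventory of KMS keys against this rule and prints the AWS CLI equivalent of the console steps above (`aws kms enable-key-rotation`, whose `--rotation-period-in-days` option corresponds to the interval chosen in step 7). The sample inventory is constructed, and the `collect_keys` helper assumes the caller passes a boto3 KMS client; it is not exercised here. The script goes slightly beyond the page by separating out keys on which automatic rotation cannot be enabled at all (AWS managed keys, asymmetric keys, imported key material, keys pending deletion), which a checker that only reads `KeyRotationEnabled` would report as false alarms.

```python
"""Check AWS KMS keys against the "CMK rotation should be enabled" rule.

Each key is a dict shaped like the ``KeyMetadata`` block returned by
``describe-key``, plus the ``KeyRotationEnabled`` flag from
``get-key-rotation-status``.
"""

# Constructed sample inventory (not real keys): one entry per edge case.
SAMPLE_KEYS = [
    {"KeyId": "aaaaaaaa-0000-0000-0000-000000000001", "KeyManager": "CUSTOMER",
     "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS",
     "KeyRotationEnabled": False},                       # in scope, not rotating
    {"KeyId": "aaaaaaaa-0000-0000-0000-000000000002", "KeyManager": "CUSTOMER",
     "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS",
     "KeyRotationEnabled": True},                        # compliant
    {"KeyId": "aaaaaaaa-0000-0000-0000-000000000003", "KeyManager": "AWS",
     "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS",
     "KeyRotationEnabled": True},                        # AWS managed key
    {"KeyId": "aaaaaaaa-0000-0000-0000-000000000004", "KeyManager": "CUSTOMER",
     "KeyState": "Enabled", "KeySpec": "RSA_2048", "Origin": "AWS_KMS",
     "KeyRotationEnabled": False},                       # asymmetric key
    {"KeyId": "aaaaaaaa-0000-0000-0000-000000000005", "KeyManager": "CUSTOMER",
     "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "EXTERNAL",
     "KeyRotationEnabled": False},                       # imported key material
    {"KeyId": "aaaaaaaa-0000-0000-0000-000000000006", "KeyManager": "CUSTOMER",
     "KeyState": "PendingDeletion", "KeySpec": "SYMMETRIC_DEFAULT",
     "Origin": "AWS_KMS", "KeyRotationEnabled": False},  # scheduled for deletion
]


def evaluate(keys):
    """Return {KeyId: (status, reason)} with status 'ok', 'alarm' or 'skip'.

    Automatic rotation in KMS applies only to customer-managed, symmetric
    encryption keys whose material was generated by KMS, so every other key
    is reported as 'skip' with a reason rather than as a finding.
    """
    results = {}
    for key in keys:
        if key["KeyManager"] != "CUSTOMER":
            verdict = ("skip", "AWS managed key; rotated by AWS")
        elif key["KeyState"] != "Enabled":
            verdict = ("skip", "key state is %s" % key["KeyState"])
        elif key["KeySpec"] != "SYMMETRIC_DEFAULT":
            verdict = ("skip", "asymmetric/HMAC keys cannot be rotated automatically")
        elif key["Origin"] != "AWS_KMS":
            verdict = ("skip", "origin %s does not support automatic rotation" % key["Origin"])
        elif key["KeyRotationEnabled"]:
            verdict = ("ok", "automatic rotation enabled")
        else:
            verdict = ("alarm", "automatic rotation disabled")
        results[key["KeyId"]] = verdict
    return results


def remediation_commands(results, rotation_period_days=365):
    """Build the CLI equivalent of console steps 4 to 8 for every alarmed key."""
    return [
        "aws kms enable-key-rotation --key-id %s --rotation-period-in-days %d"
        % (key_id, rotation_period_days)
        for key_id, (status, _reason) in results.items()
        if status == "alarm"
    ]


def collect_keys(kms):
    """Build the same dicts from a live client (assumed: boto3.client('kms'))."""
    keys = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            try:
                rotating = kms.get_key_rotation_status(KeyId=meta["KeyId"])["KeyRotationEnabled"]
            except Exception:  # e.g. a key policy that denies kms:GetKeyRotationStatus
                rotating = False
            keys.append({
                "KeyId": meta["KeyId"], "KeyManager": meta["KeyManager"],
                "KeyState": meta["KeyState"], "KeySpec": meta["KeySpec"],
                "Origin": meta["Origin"], "KeyRotationEnabled": rotating,
            })
    return keys


if __name__ == "__main__":
    findings = evaluate(SAMPLE_KEYS)
    for key_id, (status, reason) in findings.items():
        print("%-5s %s  %s" % (status, key_id, reason))
    for cmd in remediation_commands(findings):
        print(cmd)
```

Run against the constructed inventory, only the first key is reported as an alarm and produces an `enable-key-rotation` command; the AWS managed, asymmetric, imported and pending-deletion keys are skipped with the reason, which is the behaviour to check for when the troubleshooting steps above point at a key that refuses to rotate.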
