Profile Applicability: Level 2


Description:

AWS Key Management Service (KMS) allows customers to rotate the backing key, which is key material stored within the KMS, tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled.


Rationale:

Rotating encryption keys helps reduce the potential impact of a compromised key, since data encrypted with a new key cannot be accessed with a previous key that may have been exposed.


Impact:

KMS keys protect data stored in S3, EBS, and Amazon Redshift; not enabling key rotation may lead to compliance and regulatory findings.


Default Value:

In AWS, key rotation is not enabled by default.


Audit:

  1. Sign in to AWS console

  2. Navigate to KMS service at https://console.aws.amazon.com/kms/ or search for KMS inside the AWS console

  3. From the left pane select Customer managed keys

  4. Click on any key that you want to examine, select the Key rotation tab, and check whether key rotation is enabled

  5. If rotation is not enabled, follow the Implementation Steps under Remediation

Remediation:

Pre-Requisite

  • There must be at least one Customer Created customer master key (CMK)

Implementation Steps

  1. Sign in to the AWS Management Console

  2. Navigate to KMS service at https://console.aws.amazon.com/kms/ or search for KMS inside the AWS console

  3. In the left navigation pane, select Customer managed keys
    Note: Customer managed keys can contain several keys; make sure to select the correct key before enabling Automatically rotate this CMK every year.

  4. Click on any key you want to remediate

  5. On the Key rotation tab, check the Automatically rotate this CMK every year check box and click Save


Backout Plan:

  1. Sign in to the AWS Management Console

  2. Navigate to KMS service at  https://console.aws.amazon.com/kms/ or search for KMS inside the AWS console

  3. In the left navigation pane, select Customer managed keys

  4. Click on the key for which you want to disable rotation

  5. On the Key rotation tab, uncheck the Automatically rotate this CMK every year check box and click Save


Using CLI

  • Log in to the CLI using your credentials, list the keys, enable rotation on the key you want to remediate, and verify the rotation status (replace <key-id> with the key ID or ARN of the CMK):

aws kms list-keys

aws kms enable-key-rotation --key-id <key-id>

aws kms get-key-rotation-status --key-id <key-id>

Expected output after remediation: {"KeyRotationEnabled": true}
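The Audit steps above check one key at a time in the console. The following added example (not part of this benchmark page) automates that audit across all keys in the account: it walks the paginated ListKeys output, skips keys that cannot use automatic rotation (AWS managed keys, imported key material, asymmetric keys, keys not in the Enabled state), and reports the customer managed keys whose rotation is off. It assumes a boto3 KMS client for a real run; the FakeKms class and SAMPLE_KEYS inventory are constructed so it runs offline.

```python
def rotation_eligible(meta):
    """Automatic annual rotation applies only to enabled, customer-managed,
    symmetric keys whose material was generated by KMS; other keys are skipped
    so the report does not flag keys that cannot use this setting."""
    return (meta.get("KeyManager") == "CUSTOMER"
            and meta.get("Origin") == "AWS_KMS"
            and meta.get("KeySpec", "SYMMETRIC_DEFAULT") == "SYMMETRIC_DEFAULT"
            and meta.get("KeyState") == "Enabled")

def keys_without_rotation(kms):
    """Return IDs of eligible CMKs whose rotation is off, walking ListKeys pages.
    `kms` is a boto3 KMS client or any object with the same three methods."""
    findings, marker = [], None
    while True:
        resp = kms.list_keys(Marker=marker) if marker else kms.list_keys()
        for key in resp["Keys"]:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            if not rotation_eligible(meta):
                continue
            if not kms.get_key_rotation_status(KeyId=key["KeyId"]).get("KeyRotationEnabled"):
                findings.append(key["KeyId"])
        if not resp.get("Truncated"):
            return findings
        marker = resp["NextMarker"]

class FakeKms:
    """Constructed stand-in for a boto3 KMS client so the audit runs offline."""
    def __init__(self, keys):
        self._keys = keys  # key id -> (KeyMetadata fields, rotation enabled?)
    def list_keys(self, Marker=None):
        ids = sorted(self._keys)
        start = ids.index(Marker) if Marker else 0
        page, nxt = ids[start:start + 2], ids[start + 2:start + 3]  # 2 keys per page
        resp = {"Keys": [{"KeyId": k} for k in page], "Truncated": bool(nxt)}
        return dict(resp, NextMarker=nxt[0]) if nxt else resp
    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self._keys[KeyId][0], KeyId=KeyId)}
    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self._keys[KeyId][1]}

SYM = {"KeyManager": "CUSTOMER", "Origin": "AWS_KMS", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled"}
SAMPLE_KEYS = {  # constructed sample inventory; only key-b should be reported
    "key-a": (SYM, True),
    "key-b": (SYM, False),
    "key-c": (dict(SYM, KeyManager="AWS"), False),       # AWS managed: not in scope
    "key-d": (dict(SYM, Origin="EXTERNAL"), False),      # imported material: cannot auto-rotate
    "key-e": (dict(SYM, KeySpec="RSA_2048"), False),     # asymmetric: cannot auto-rotate
}

if __name__ == "__main__":
    print(keys_without_rotation(FakeKms(SAMPLE_KEYS)))  # real account: pass boto3.client("kms") instead
```

A real run needs kms:ListKeys, kms:DescribeKey and kms:GetKeyRotationStatus permissions; any key ID it prints is a finding to remediate with the steps above.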


Note: Easily create and control the keys used to encrypt or digitally sign your data. AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications.


Reference:


CIS Controls:


6 Maintenance, Monitoring and Analysis of Audit Logs

  • Maintenance, Monitoring and Analysis of Audit Logs