Profile Applicability: Level 2


Description:

AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys.


Rationale:

Cryptographic best practices discourage extensive reuse of encryption keys. To create new cryptographic material for your KMS keys, you can create new KMS keys, and then change your applications or aliases to use the new KMS keys. Or, you can enable automatic key rotation for an existing KMS key.


Impact:

Rotating encryption keys help reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.


Default Value:

In AWS, key rotation is not enabled by default.


Pre-Requisite

  • There must be at least one Customer Created customer master key (CMK) keys


Remediation:


Test Plan:

  1. Sign in to AWS console

  2. Navigate to KMS service at https://console.aws.amazon.com/kms/ or search for KMS inside the AWS console

  3. From the left pane select Customer managed keys

  4. Click on any key that you want to examine and select the key rotation tab and check whether the key rotation is enabled or not

  5. If you notice that the rotation is not enabled follow the Implementation steps


Using AWS CLI:

To List all your customer master keys:

aws kms list-keys

Run command using the CMK ID as a parameter to determine if the selected key has Key Rotation feature enabled

aws kms get-key-rotation-status
--key-id 8e1a0a1b-fa71-4077......


 Implementation Steps

  1. Sign in to the AWS Management Console

  2. Navigate to KMS service at https://console.aws.amazon.com/kms/ or search for KMS inside the AWS console

  3. In the left navigation pane, choose to Select a Customer Managed Keys(CMK)NoteIn Customer managed keys we can have different Keys make sure to select the correct key for enabling the Automatically rotate this CMK every year.

  4. Click on the key you want to remediate

  5. Now check  the Key rotation check box For enabling (Automatically rotate this CMK every year) and Click  on Save


Using AWS CLI:

Run command using the CMK ID as a parameter to enable Key Rotation for the selected key

aws kms enable-key-rotation --key-id <kms_key_id>


Backout Plan:

  1. Sign in to the AWS Management Console

  2. Navigate to KMS service at  https://console.aws.amazon.com/kms/ or search for KMS inside the AWS console

  3. In the left navigation pane, Select a Customer Managed Keys(CMK)

  4. Click on any key you want to disable the rotation

  5. Now uncheck  the Key rotation check box For disabling  (Automatically rotate this CMK every year) and Click  on Save 


Note: Easily create and control the keys used to encrypt or digitally sign your data. AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications.


Reference:

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html


CIS Controls:


6 Maintenance, Monitoring, and Analysis of Audit Logs 

  • Maintenance, Monitoring, and Analysis of Audit Logs