Profile Applicability: Level 2
Description:
AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys.
Rationale:
Cryptographic best practices discourage extensive reuse of encryption keys. To create new cryptographic material for your KMS keys, you can create new KMS keys, and then change your applications or aliases to use the new KMS keys. Or, you can enable automatic key rotation for an existing KMS key.
Impact:
Rotating encryption keys helps reduce the potential impact of a compromised key, because data encrypted with the new key cannot be accessed with a previous key that may have been exposed.
Default Value:
In AWS, key rotation is not enabled by default.
Pre-Requisite
- There must be at least one customer-created customer master key (CMK)
Remediation:
Test Plan:
Sign in to AWS console
Navigate to KMS service at https://console.aws.amazon.com/kms/ or search for KMS inside the AWS console
From the left pane select Customer managed keys
Click on any key that you want to examine, select the Key rotation tab, and check whether key rotation is enabled
If rotation is not enabled, follow the Implementation Steps
Using AWS CLI:
To list all your customer master keys:
aws kms list-keys
Run the following command with the CMK ID as a parameter to determine whether the selected key has key rotation enabled:
aws kms get-key-rotation-status --key-id 8e1a0a1b-fa71-4077......
Implementation Steps
Sign in to the AWS Management Console
Navigate to KMS service at https://console.aws.amazon.com/kms/ or search for KMS inside the AWS console
In the left navigation pane, select Customer managed keys
Note: Customer managed keys can contain many keys; make sure to select the correct key before enabling "Automatically rotate this CMK every year".
Click on the key you want to remediate
On the Key rotation tab, check the box "Automatically rotate this CMK every year" and click Save
Using AWS CLI:
Run the following command with the CMK ID as a parameter to enable key rotation for the selected key:
aws kms enable-key-rotation --key-id <kms_key_id>
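The Test Plan and Implementation Steps above check one key at a time. The following audit helper is an added example, not part of the benchmark text or of any AWS tool: it consumes the JSON shapes that `aws kms list-keys`, `aws kms describe-key` and `aws kms get-key-rotation-status` return, reports every customer managed key that is still unrotated, and emits the matching `aws kms enable-key-rotation` command. The sample responses, key IDs and account number are constructed; `run_aws`/`collect_from_cli` assume the `aws` CLI is on PATH with valid credentials and are only used for a live run. Keys that cannot use automatic rotation (AWS managed keys, asymmetric or HMAC key specs, imported key material, keys not in the Enabled state) are reported as not applicable rather than as failures.

```python
"""Audit KMS keys for automatic rotation from AWS CLI JSON output (added example)."""
import json
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class KeyFinding:
    key_id: str
    status: str  # "rotation_enabled" | "rotation_disabled" | "not_applicable"
    reason: str


def classify_key(metadata: dict, rotation: Optional[dict]) -> KeyFinding:
    """Decide whether one key is in scope for this check and whether it passes.

    Automatic rotation applies only to customer managed, symmetric encryption keys
    whose material KMS generated (Origin AWS_KMS). AWS managed keys are rotated by
    AWS; asymmetric/HMAC keys and imported material must be rotated manually.
    """
    key_id = metadata["KeyId"]
    if metadata.get("KeyManager") != "CUSTOMER":
        return KeyFinding(key_id, "not_applicable", "AWS managed key; rotated by AWS")
    if metadata.get("KeySpec", "SYMMETRIC_DEFAULT") != "SYMMETRIC_DEFAULT":
        return KeyFinding(key_id, "not_applicable", f"{metadata['KeySpec']} keys cannot be auto-rotated")
    if metadata.get("Origin") != "AWS_KMS":
        return KeyFinding(key_id, "not_applicable", f"origin {metadata.get('Origin')}: rotate by re-importing material")
    if metadata.get("KeyState") != "Enabled":
        return KeyFinding(key_id, "not_applicable", f"key state is {metadata.get('KeyState')}; enable the key first")
    if rotation is None:
        # Conservative: an in-scope key whose status could not be read is treated as failing.
        return KeyFinding(key_id, "rotation_disabled", "rotation status could not be read")
    if rotation.get("KeyRotationEnabled") is True:
        return KeyFinding(key_id, "rotation_enabled", "automatic rotation enabled")
    return KeyFinding(key_id, "rotation_disabled", "automatic rotation disabled")


def audit(list_keys_out: dict, describe_out: Dict[str, Optional[dict]],
          rotation_out: Dict[str, Optional[dict]]) -> List[KeyFinding]:
    """Join the three CLI outputs (keyed by KeyId) into one finding per listed key."""
    findings = []
    for entry in list_keys_out["Keys"]:
        key_id = entry["KeyId"]
        described = describe_out.get(key_id)
        if described is None:  # describe-key failed (e.g. no kms:DescribeKey permission)
            continue
        findings.append(classify_key(described["KeyMetadata"], rotation_out.get(key_id)))
    return findings


def keys_needing_remediation(findings: List[KeyFinding]) -> List[str]:
    return [f.key_id for f in findings if f.status == "rotation_disabled"]


def remediation_commands(findings: List[KeyFinding]) -> List[str]:
    """The Implementation Steps command, one per failing key."""
    return [f"aws kms enable-key-rotation --key-id {k}" for k in keys_needing_remediation(findings)]


def run_aws(*args: str) -> Optional[dict]:
    """Run one `aws kms ...` command and parse its JSON. Assumes the aws CLI is installed
    and credentialed; returns None when the call fails, which get-key-rotation-status
    does for key specs that do not support rotation."""
    try:
        out = subprocess.check_output(["aws", "kms", *args, "--output", "json"], stderr=subprocess.DEVNULL)
    except (subprocess.CalledProcessError, FileNotFoundError):
        return None
    return json.loads(out)


def collect_from_cli() -> List[KeyFinding]:
    """Live version of the Test Plan: list, describe and read rotation status for every key."""
    listed = run_aws("list-keys") or {"Keys": []}
    ids = [k["KeyId"] for k in listed["Keys"]]
    describe = {k: run_aws("describe-key", "--key-id", k) for k in ids}
    rotation = {k: run_aws("get-key-rotation-status", "--key-id", k) for k in ids}
    return audit(listed, describe, rotation)


# Constructed sample data in the CLI's response shapes (fictional key IDs and account).
def _meta(key_id, manager="CUSTOMER", spec="SYMMETRIC_DEFAULT", origin="AWS_KMS", state="Enabled"):
    return {"KeyMetadata": {"KeyId": key_id, "Arn": f"arn:aws:kms:us-east-1:111122223333:key/{key_id}",
                            "KeyManager": manager, "KeySpec": spec, "Origin": origin, "KeyState": state}}

SAMPLE_IDS = [f"1a2b3c4d-0000-4000-8000-00000000000{i}" for i in range(1, 6)]
SAMPLE_LIST_KEYS = {"Keys": [{"KeyId": k, "KeyArn": _meta(k)["KeyMetadata"]["Arn"]} for k in SAMPLE_IDS]}
SAMPLE_DESCRIBE = {
    SAMPLE_IDS[0]: _meta(SAMPLE_IDS[0]),                      # customer key, rotation off -> finding
    SAMPLE_IDS[1]: _meta(SAMPLE_IDS[1]),                      # customer key, rotation on
    SAMPLE_IDS[2]: _meta(SAMPLE_IDS[2], manager="AWS"),       # AWS managed key
    SAMPLE_IDS[3]: _meta(SAMPLE_IDS[3], spec="RSA_2048"),     # asymmetric: status call fails
    SAMPLE_IDS[4]: _meta(SAMPLE_IDS[4], origin="EXTERNAL"),   # imported material
}
SAMPLE_ROTATION = {SAMPLE_IDS[0]: {"KeyRotationEnabled": False}, SAMPLE_IDS[1]: {"KeyRotationEnabled": True},
                   SAMPLE_IDS[2]: {"KeyRotationEnabled": True}, SAMPLE_IDS[3]: None,
                   SAMPLE_IDS[4]: {"KeyRotationEnabled": False}}

if __name__ == "__main__":
    results = audit(SAMPLE_LIST_KEYS, SAMPLE_DESCRIBE, SAMPLE_ROTATION)
    for f in results:
        print(f"{f.key_id}  {f.status:18}  {f.reason}")
    print("\n".join(remediation_commands(results)))
```

Replace the three `SAMPLE_*` arguments with `collect_from_cli()` to run it against a real account; the CLI needs `kms:ListKeys`, `kms:DescribeKey` and `kms:GetKeyRotationStatus`, and the printed remediation lines additionally need `kms:EnableKeyRotation` when executed.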
Backout Plan:
Sign in to the AWS Management Console
Navigate to KMS service at https://console.aws.amazon.com/kms/ or search for KMS inside the AWS console
In the left navigation pane, select Customer managed keys
Click on the key for which you want to disable rotation
On the Key rotation tab, uncheck the box "Automatically rotate this CMK every year" and click Save
Note: AWS KMS lets you create and control the keys used to encrypt or digitally sign your data.
Reference:
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
CIS Controls:
6 Maintenance, Monitoring, and Analysis of Audit Logs
- Maintenance, Monitoring, and Analysis of Audit Logs