Profile Applicability: Level 2


Description:

AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.


Rationale:

Cryptographic best practices discourage extensive reuse of encryption keys. To create new cryptographic material for your KMS keys, you can create new KMS keys, and then change your applications or aliases to use the new KMS keys. Or, you can enable automatic key rotation for an existing KMS key.


Impact:

Rotating encryption keys helps reduce the potential impact of a compromised key, as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.


Default Value:

In AWS, key rotation is not enabled by default.


Audit:

  1. Sign in to AWS console

  2. Navigate to the KMS service at https://console.aws.amazon.com/kms/ or search for KMS inside the AWS console

  3. From the left pane select Customer managed keys

  4. Click on any key that you want to examine, select the Key rotation tab and check whether key rotation is enabled or not

  5. If you notice that rotation is not enabled, follow the Implementation Steps under Remediation


Via CLI:

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html



Remediation:

Pre-Requisite

  • There must be at least one customer created customer master key (CMK)

Implementation Steps

  1. Sign in to the AWS Management Console

  2. Navigate to the KMS service at https://console.aws.amazon.com/kms/ or search for KMS inside the AWS console

  3. In the left navigation pane, select Customer managed keys
    Note: Under Customer managed keys there can be several keys; make sure to select the correct key before enabling "Automatically rotate this CMK every year".

  4. Click on the key you want to remediate

  5. Check the Key rotation check box to enable "Automatically rotate this CMK every year" and click Save


Via CLI:

aws kms enable-key-rotation --key-id <kms_key_id>
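The Audit and Remediation steps above examine one key at a time in the console. The script below is an added example, not part of this benchmark and not AWS tooling: it applies the same check across every key and then prints the enable-key-rotation command for each key that fails. It assumes the JSON shapes returned by `aws kms describe-key` and `aws kms get-key-rotation-status` (the `KeyMetadata` object and the `KeyRotationEnabled` flag); the key IDs and CLI outputs embedded here are constructed placeholders so the script runs offline. Keys that cannot have automatic rotation enabled at all (AWS managed keys, asymmetric keys, keys with imported or CloudHSM-backed material, keys not in the Enabled state) are reported as not applicable rather than as failures, since enable-key-rotation would be rejected for them.

```python
import json

# Constructed placeholder key IDs (not real KMS keys).
KEY_ROTATING = "00000000-0000-0000-0000-000000000001"   # customer managed, rotation on
KEY_NOT_ROTATING = "00000000-0000-0000-0000-000000000002"  # customer managed, rotation off
KEY_AWS_MANAGED = "00000000-0000-0000-0000-000000000003"  # aws/* key, not ours to change
KEY_ASYMMETRIC = "00000000-0000-0000-0000-000000000004"   # RSA key, rotation unsupported
KEY_IMPORTED = "00000000-0000-0000-0000-000000000005"     # EXTERNAL origin, unsupported


def _describe_output(key_id, manager="CUSTOMER", spec="SYMMETRIC_DEFAULT",
                     origin="AWS_KMS", state="Enabled"):
    """Build a constructed `aws kms describe-key` JSON string for the samples."""
    return json.dumps({"KeyMetadata": {"KeyId": key_id, "KeyManager": manager,
                                       "KeyState": state, "KeySpec": spec,
                                       "Origin": origin}})


# Constructed stand-ins for the CLI output you would capture per key listed by
# `aws kms list-keys`.
SAMPLE_DESCRIBE_KEY = {
    KEY_ROTATING: _describe_output(KEY_ROTATING),
    KEY_NOT_ROTATING: _describe_output(KEY_NOT_ROTATING),
    KEY_AWS_MANAGED: _describe_output(KEY_AWS_MANAGED, manager="AWS"),
    KEY_ASYMMETRIC: _describe_output(KEY_ASYMMETRIC, spec="RSA_2048"),
    KEY_IMPORTED: _describe_output(KEY_IMPORTED, origin="EXTERNAL"),
}
SAMPLE_ROTATION_STATUS = {
    KEY_ROTATING: json.dumps({"KeyRotationEnabled": True}),
    KEY_NOT_ROTATING: json.dumps({"KeyRotationEnabled": False}),
    KEY_AWS_MANAGED: json.dumps({"KeyRotationEnabled": True}),
    KEY_ASYMMETRIC: json.dumps({"KeyRotationEnabled": False}),
    KEY_IMPORTED: json.dumps({"KeyRotationEnabled": False}),
}


def parse_key_metadata(describe_key_json):
    """Extract the KeyMetadata object from `aws kms describe-key` output."""
    return json.loads(describe_key_json)["KeyMetadata"]


def parse_rotation_enabled(rotation_status_json):
    """Read KeyRotationEnabled from `aws kms get-key-rotation-status` output."""
    return bool(json.loads(rotation_status_json).get("KeyRotationEnabled", False))


def rotation_applicable(meta):
    """Automatic rotation can only be turned on for enabled, customer managed,
    symmetric encryption keys whose key material was generated by KMS."""
    return (meta.get("KeyManager") == "CUSTOMER"
            and meta.get("KeyState") == "Enabled"
            and meta.get("KeySpec") == "SYMMETRIC_DEFAULT"
            and meta.get("Origin") == "AWS_KMS")


def audit_key_rotation(describe_outputs, rotation_outputs):
    """Classify every key as compliant, non_compliant or not_applicable.

    describe_outputs / rotation_outputs map key ID -> raw CLI JSON string."""
    report = {"compliant": [], "non_compliant": [], "not_applicable": []}
    for key_id, describe_json in sorted(describe_outputs.items()):
        meta = parse_key_metadata(describe_json)
        if not rotation_applicable(meta):
            report["not_applicable"].append(key_id)
            continue
        enabled = parse_rotation_enabled(rotation_outputs.get(key_id, "{}"))
        report["compliant" if enabled else "non_compliant"].append(key_id)
    return report


def remediation_commands(non_compliant_ids):
    """One enable-key-rotation command per failing key, matching the CLI
    remediation in this benchmark."""
    return [f"aws kms enable-key-rotation --key-id {key_id}"
            for key_id in non_compliant_ids]


if __name__ == "__main__":
    result = audit_key_rotation(SAMPLE_DESCRIBE_KEY, SAMPLE_ROTATION_STATUS)
    for bucket, ids in result.items():
        print(f"{bucket}: {ids}")
    for cmd in remediation_commands(result["non_compliant"]):
        print(cmd)
```

To run this against a real account, replace the two SAMPLE dictionaries with the captured output of the corresponding CLI calls for each key ID returned by `aws kms list-keys`; the classification and the generated commands then apply unchanged.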


Backout Plan:

  1. Sign in to the AWS Management Console

  2. Navigate to the KMS service at https://console.aws.amazon.com/kms/ or search for KMS inside the AWS console

  3. In the left navigation pane, select Customer managed keys

  4. Click on the key for which you want to disable rotation

  5. Uncheck the Key rotation check box to disable "Automatically rotate this CMK every year" and click Save


Note: Easily create and control the keys used to encrypt or digitally sign your data.


Reference:

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html


CIS Controls:

6 Maintenance, Monitoring and Analysis of Audit Logs

  • Maintenance, Monitoring and Analysis of Audit Logs