Profile Applicability: Level 2
Description:
AWS Key Management Service (KMS) allows customers to rotate the backing key, which is the key material stored within KMS that is tied to the key ID of the customer-created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automatic key rotation retains all prior backing keys, so decryption of previously encrypted data remains transparent. Data encrypted under the new key cannot be accessed with an old key that may have been compromised, so rotating the encryption key reduces the potential impact of a compromised key.
Rationale:
Rotating encryption keys helps reduce the potential impact of a compromised key, as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.
Impact:
KMS key rotation affects data encrypted with the CMK and stored in S3, EBS and Amazon Redshift; not enabling KMS key rotation makes it more difficult to meet compliance and regulatory requirements.
Default Value:
In AWS, key rotation is not enabled by default.
Pre-Requisite:
- There must be at least one customer-created customer master key (CMK).
Test Plan:
- Sign in to the AWS console.
- Navigate to the KMS service at https://console.aws.amazon.com/kms/ or search for KMS inside the AWS console.
- From the left pane, select Customer managed keys.
- Click on the key you want to examine, select the Key rotation tab and check whether key rotation is enabled.
- If rotation is not enabled, follow the Implementation Steps.
Using AWS CLI:
List all your customer master keys:
aws kms list-keys
Run the following command, using the CMK ID as a parameter, to determine whether key rotation is enabled for the selected key:
aws kms get-key-rotation-status --key-id 8e1a0a1b-fa71-4077......
The response contains "KeyRotationEnabled": true when rotation is enabled and false otherwise.
Remediation:
Implementation Steps:
- Sign in to the AWS Management Console.
- Navigate to the KMS service at https://console.aws.amazon.com/kms/ or search for KMS inside the AWS console.
- In the left navigation pane, select Customer managed keys.
Note: Customer managed keys can contain several keys; make sure to select the correct key before enabling "Automatically rotate this CMK every year".
- Click on the key you want to remediate.
- Check the Key rotation check box (Automatically rotate this CMK every year) and click Save.
Using AWS CLI:
Run the following command, using the CMK ID as a parameter, to enable key rotation for the selected key:
aws kms enable-key-rotation --key-id 8e1a0a1b-fa71-4077......
Run the following command to confirm that key rotation has been enabled:
aws kms get-key-rotation-status --key-id 8e1a0a1b-fa71-4077......
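The two CLI sequences in this document (checking rotation status in the Test Plan and enabling it in the Implementation Steps) are shown for a single key. The following Python script is an added example, not part of this benchmark and not an AWS-provided tool: it applies the same check across every key in an account and, when asked, remediates. It is written against the boto3 KMS client calls list_keys, describe_key, get_key_rotation_status and enable_key_rotation, but only needs an object exposing those four methods, so it runs offline here against a constructed in-memory stand-in (FakeKms, with made-up key IDs). It also goes beyond the text in separating out keys that automatic rotation does not apply to (AWS managed keys, imported key material, asymmetric key specs and keys in custom key stores), so those are not reported as failures of this control.

```python
"""Audit, and optionally remediate, automatic rotation on KMS customer managed keys.
Added example; not AWS or CIS code. FakeKms and sample_keys are constructed data."""


def rotation_supported(meta):
    """True for keys KMS can rotate automatically: customer managed, KMS-generated
    symmetric material, not in a custom key store. Others are NOT_APPLICABLE."""
    return (
        meta.get("KeyManager") == "CUSTOMER"
        and meta.get("Origin") == "AWS_KMS"
        and meta.get("KeySpec") == "SYMMETRIC_DEFAULT"
        and "CustomKeyStoreId" not in meta
    )


def audit_key_rotation(kms, remediate=False):
    """Return {key_id: status} for every key returned by list_keys.

    ENABLED / DISABLED  rotation state of an in-scope key (DISABLED fails the control)
    REMEDIATED          was DISABLED and enable_key_rotation was called
    NOT_APPLICABLE      AWS managed, imported, asymmetric or custom-key-store key
    SKIPPED             key not in the Enabled state (disabled, pending deletion)
    """
    findings, marker = {}, None
    while True:
        # list_keys is paginated: follow NextMarker while Truncated is true
        page = kms.list_keys(Marker=marker) if marker else kms.list_keys()
        for entry in page["Keys"]:
            key_id = entry["KeyId"]
            meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
            if not rotation_supported(meta):
                findings[key_id] = "NOT_APPLICABLE"
            elif meta.get("KeyState") != "Enabled":
                findings[key_id] = "SKIPPED"
            elif kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]:
                findings[key_id] = "ENABLED"
            elif remediate:
                kms.enable_key_rotation(KeyId=key_id)
                findings[key_id] = "REMEDIATED"
            else:
                findings[key_id] = "DISABLED"
        if not page.get("Truncated"):
            return findings
        marker = page["NextMarker"]


class FakeKms:
    """Constructed stand-in for boto3.client("kms"); key IDs are made up."""

    PAGE_SIZE = 2  # small page so the pagination loop is exercised

    def __init__(self, keys):
        self._keys = keys  # key_id -> metadata dict plus a "rotation" flag
        self.enabled_calls = []

    def list_keys(self, Marker=None):
        ids = sorted(self._keys)
        start = int(Marker) if Marker else 0
        chunk = ids[start:start + self.PAGE_SIZE]
        resp = {"Keys": [{"KeyId": k} for k in chunk], "Truncated": False}
        if start + self.PAGE_SIZE < len(ids):
            resp.update(Truncated=True, NextMarker=str(start + self.PAGE_SIZE))
        return resp

    def describe_key(self, KeyId):
        meta = {k: v for k, v in self._keys[KeyId].items() if k != "rotation"}
        return {"KeyMetadata": dict(meta, KeyId=KeyId)}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self._keys[KeyId]["rotation"]}

    def enable_key_rotation(self, KeyId):
        self._keys[KeyId]["rotation"] = True
        self.enabled_calls.append(KeyId)
        return {}


def sample_keys():
    """Constructed inventory covering each case the audit distinguishes."""
    sym = dict(KeyManager="CUSTOMER", Origin="AWS_KMS",
               KeySpec="SYMMETRIC_DEFAULT", KeyState="Enabled")
    return {
        "cmk-rotating": dict(sym, rotation=True),
        "cmk-static": dict(sym, rotation=False),  # the finding for this control
        "cmk-imported": dict(sym, Origin="EXTERNAL", rotation=False),
        "cmk-rsa": dict(sym, KeySpec="RSA_2048", rotation=False),
        "cmk-pending-delete": dict(sym, KeyState="PendingDeletion", rotation=False),
        "aws-managed-s3": dict(sym, KeyManager="AWS", rotation=True),
    }


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:  # needs boto3 and AWS credentials; otherwise uses the fake
        import boto3
        kms = boto3.client("kms")
    else:
        kms = FakeKms(sample_keys())
    for key_id, status in sorted(audit_key_rotation(kms, "--fix" in sys.argv).items()):
        print(f"{status:15} {key_id}")
```

Run without arguments to see the report over the constructed inventory, with --live to audit a real account (the caller's credentials need kms:ListKeys, kms:DescribeKey and kms:GetKeyRotationStatus, plus kms:EnableKeyRotation when --fix is given). Only DISABLED entries are failures of this control; NOT_APPLICABLE keys need a different rotation approach (for example re-importing new key material) and are out of scope here.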
Backout Plan:
- Sign in to the AWS Management Console.
- Navigate to the KMS service at https://console.aws.amazon.com/kms/ or search for KMS inside the AWS console.
- In the left navigation pane, select Customer managed keys.
- Click on the key for which you want to disable rotation.
- Uncheck the Key rotation check box (Automatically rotate this CMK every year) and click Save.
Note:
AWS Key Management Service (KMS) lets you create and control the keys used to encrypt or digitally sign your data, and manage their use across a wide range of AWS services and in your own applications.
Reference:
CIS Controls:
- 6 Maintenance, Monitoring, and Analysis of Audit Logs