Description:

AWS Key Management Service (KMS) allows customers to rotate the backing key, which is the key material stored within KMS. It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automatic key rotation currently retains all prior backing keys so that decryption of previously encrypted data can take place transparently. It is recommended that CMK key rotation be enabled.


Rationale:

Rotating encryption keys helps reduce the potential impact of a compromised key, because data encrypted with a new key cannot be accessed with a previous key that may have been exposed.


Impact:

Automatic key rotation has no effect on the data that the CMK protects. It does not rotate the data keys that the CMK generated or re-encrypt any data protected by the CMK, and it will not mitigate the effect of a compromised data key.


Default Value:

In AWS, key rotation is not enabled by default.


Audit:

  1. Sign in to the AWS Management Console
  2. Navigate to the KMS service at https://console.aws.amazon.com/kms/
  3. Click on Customer managed keys in the left navigation pane
  4. Click on any key that you want to examine, select the Key rotation tab and check whether key rotation is enabled or not
    If you notice that rotation is not enabled, follow the Implementation Steps
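The console check above examines one key at a time. As an added example that is not part of this benchmark text, the following POSIX shell script performs the same audit across every key in the current region with the AWS CLI (`aws kms list-keys`, `describe-key` and `get-key-rotation-status`, which exist as used here). It assumes a configured AWS CLI v2 and the matching read-only IAM permissions; the output labels `COMPLIANT`, `NON-COMPLIANT` and `N/A` are this script's own convention. Keys that rotation does not apply to (AWS managed keys, asymmetric keys, imported key material, keys that are not Enabled) are reported as `N/A` rather than as findings.

```shell
#!/bin/sh
# Added audit helper (not from the benchmark text): lists customer managed
# KMS keys whose automatic rotation is disabled. The parsing functions take
# JSON text as arguments so they can be exercised offline on constructed input.

# Return 0 (true) when a describe-key document describes a key that automatic
# rotation applies to: customer managed, symmetric ENCRYPT_DECRYPT usage,
# KMS-generated key material (Origin AWS_KMS) and currently Enabled.
rotation_applies() {
  printf '%s' "$1" | grep -q '"KeyManager": *"CUSTOMER"' &&
  printf '%s' "$1" | grep -q '"Origin": *"AWS_KMS"' &&
  printf '%s' "$1" | grep -q '"KeyUsage": *"ENCRYPT_DECRYPT"' &&
  printf '%s' "$1" | grep -q '"KeyState": *"Enabled"'
}

# Return 0 when a get-key-rotation-status document reports rotation turned on.
rotation_enabled() {
  printf '%s' "$1" | grep -q '"KeyRotationEnabled": *true'
}

# Classify one key from its describe-key and get-key-rotation-status output.
# Prints COMPLIANT, NON-COMPLIANT or N/A (rotation does not apply to the key).
classify_key() {
  meta="$1"; status="$2"
  if ! rotation_applies "$meta"; then echo "N/A"
  elif rotation_enabled "$status"; then echo "COMPLIANT"
  else echo "NON-COMPLIANT"; fi
}

# Walk every key in the account/region. Requires kms:ListKeys,
# kms:DescribeKey and kms:GetKeyRotationStatus on the keys.
audit_all_keys() {
  aws kms list-keys --query 'Keys[].KeyId' --output text | tr '\t' '\n' |
  while read -r key_id; do
    [ -n "$key_id" ] || continue
    meta=$(aws kms describe-key --key-id "$key_id" --output json)
    # get-key-rotation-status fails for keys rotation cannot apply to;
    # an empty status is classified as N/A by the describe-key checks above.
    status=$(aws kms get-key-rotation-status --key-id "$key_id" --output json 2>/dev/null)
    printf '%s\t%s\n' "$key_id" "$(classify_key "$meta" "$status")"
  done
}

# Usage: sh kms_rotation_audit.sh run   (prints "<key-id>\t<result>" per key)
if [ "${1:-}" = "run" ]; then
  audit_all_keys
fi
```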


Remediation:

Pre-Requisite:

  1. Sign in as an administrator or an IAM user with the required permissions

  2. There must be at least one key


Implementation Steps:

  1. Sign in to the AWS Management Console
  2. Navigate to the KMS service at https://console.aws.amazon.com/kms/
  3. Click on Customer managed keys in the left navigation pane

    Note: Customer managed keys may contain several keys; make sure to select the correct key before enabling automatic rotation.
  4. Select the key you want to remediate
  5. Select the Key rotation tab
  6. Check the Key rotation checkbox to enable key rotation and click Save


Via CLI:

aws kms enable-key-rotation --key-id 1234abcd-12ab-34cd-56ef-1234567890ab


Backout Plan:

  1. Sign in to the AWS Management Console
  2. Navigate to the KMS service at https://console.aws.amazon.com/kms/
  3. Click on Customer managed keys in the left navigation pane
  4. Click on the key for which you want to disable rotation
  5. Uncheck the Key rotation checkbox (Automatically rotate this CMK every year) to disable rotation and click Save


Via CLI:

aws kms disable-key-rotation --key-id 1234abcd-12ab-34cd-56ef-1234567890ab


Reference:

https://aws.amazon.com/kms/