Profile Applicability:

Level 2

Description:

AWS Key Management Service (KMS) allows customers to automate key rotation for customer-managed keys (CMKs). Key rotation creates new key material while retaining the old key material, so data encrypted under earlier material can still be decrypted without any change on the caller's side. With rotation enabled, AWS KMS automatically rotates the key's material every year, reducing the risk of key compromise.

Rationale:

  • Key rotation enhances security by limiting the exposure of compromised keys and protects encrypted data by ensuring that only the most recent key material is used for new encryption operations.

  • Supports compliance requirements such as NIST, PCI DSS, SOC 2, ISO 27001, HIPAA, and CIS benchmarks.

  • Without key rotation, if a key is compromised, all past and future encrypted data is vulnerable.

Impact:

  • Ensures secure and continuous encryption without manual intervention.

  • Reduces risk of data compromise from old keys.

  • Does not break existing data decryption (previous keys remain available).

Default Value:

By default, KMS key rotation is NOT enabled for customer-managed CMKs.
KMS rotates AWS-managed keys automatically, but not customer-created CMKs.

Pre-Requisites:

IAM permissions required:

  • kms:ListKeys

  • kms:DescribeKey

  • kms:GetKeyRotationStatus

  • kms:EnableKeyRotation

AWS CLI installed for automation.

Remediation:

Test Plan:

Using AWS Console

Step 1: Check If Key Rotation Is Enabled for Customer-Managed CMKs

  1. Log in to the AWS Management Console

  2. Navigate to KMS Console → AWS KMS

  3. Click Customer-managed keys in the left navigation pane

  4. Select a CMK with Key spec = SYMMETRIC_DEFAULT

  5. Click the Key rotation tab

  6. Ensure "Automatically rotate this KMS key every year" is checked

  7. Repeat for all customer-managed CMKs

  • If rotation is enabled, no further action is needed.
  • If rotation is disabled, follow the remediation steps.

Using AWS CLI

Step 1: List All CMKs

aws kms list-keys --query 'Keys[*].KeyId'

Step 2: Check Key Rotation Status

aws kms get-key-rotation-status --key-id <kms-key-id>

Implementation steps:

Using AWS Console

Step 1: Enable Key Rotation for CMKs

  1. Log in to the AWS Management Console

  2. Navigate to KMS Console → AWS KMS

  3. Click Customer-managed keys

  4. Select a CMK with Key spec = SYMMETRIC_DEFAULT

  5. Click the Key rotation tab

  6. Check the box "Automatically rotate this KMS key every year"

  7. Click Save

  8. Repeat for all customer-managed CMKs

Using AWS CLI

Step 1: Enable Key Rotation for a Specific CMK

aws kms enable-key-rotation --key-id <kms-key-id>

Repeat for all customer-managed CMKs.

Step 2: Verify Key Rotation Status

aws kms get-key-rotation-status --key-id <kms-key-id>
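The following script is an added example and is not part of this benchmark text. It combines the CLI commands from the Test Plan and the Implementation steps into one audit: it lists every key, skips keys on which automatic rotation cannot be enabled (AWS-managed keys, asymmetric or HMAC key specs, imported key material or custom key store origins, keys not in the Enabled state), reports the rotation status of the remaining customer-managed CMKs, and, when run with the fix argument, runs enable-key-rotation on the keys it found disabled and reports the outcome. It assumes a configured AWS CLI and the IAM permissions listed under Pre-Requisites; the function names, status labels and the audit/fix arguments are my own conventions, not part of the AWS CLI.

```shell
#!/usr/bin/env bash
# Added example (not from the benchmark): audit customer-managed KMS keys for
# automatic rotation and optionally enable it, using the same CLI calls as
# the Test Plan and Implementation steps. Assumes the AWS CLI is configured
# with the permissions from Pre-Requisites.
set -eu

# Automatic rotation can only be enabled on keys that are customer-managed,
# symmetric (SYMMETRIC_DEFAULT), backed by KMS-generated material (Origin
# AWS_KMS) and in the Enabled state; anything else is reported as
# NOT_APPLICABLE rather than counted as a finding.
# Args: key-manager key-spec origin key-state. Returns 0 when in scope.
rotation_applicable() {
  [ "$1" = "CUSTOMER" ] && [ "$2" = "SYMMETRIC_DEFAULT" ] \
    && [ "$3" = "AWS_KMS" ] && [ "$4" = "Enabled" ]
}

# Classify one key by id. Prints "<key-id> <status>" where status is one of
# ROTATION_ENABLED, ROTATION_DISABLED, NOT_APPLICABLE or DESCRIBE_FAILED.
classify_key() {
  local key_id="$1" meta rotation
  meta=$(aws kms describe-key --key-id "$key_id" \
      --query 'KeyMetadata.[KeyManager,KeySpec,Origin,KeyState]' \
      --output text) || { echo "$key_id DESCRIBE_FAILED"; return 0; }
  # text output is one tab-separated line: KeyManager KeySpec Origin KeyState
  set -- $meta
  if ! rotation_applicable "${1:-}" "${2:-}" "${3:-}" "${4:-}"; then
    echo "$key_id NOT_APPLICABLE"
    return 0
  fi
  rotation=$(aws kms get-key-rotation-status --key-id "$key_id" \
      --query 'KeyRotationEnabled' --output text)
  if [ "$rotation" = "True" ]; then
    echo "$key_id ROTATION_ENABLED"
  else
    echo "$key_id ROTATION_DISABLED"
  fi
}

# Walk every key in the account/region (the CLI pages through list-keys
# for us). Prints one line per key and returns 2 if any in-scope key is
# still without rotation, so the script can gate a pipeline. With fix=1 the
# remediation step (enable-key-rotation) is run on each disabled key.
audit_kms_rotation() {
  local fix="${1:-0}" key_id line status findings=0
  for key_id in $(aws kms list-keys --query 'Keys[*].KeyId' --output text); do
    line=$(classify_key "$key_id")
    status=${line#* }
    if [ "$status" = "ROTATION_DISABLED" ] && [ "$fix" = "1" ]; then
      if aws kms enable-key-rotation --key-id "$key_id"; then
        line="$key_id ROTATION_ENABLED (fixed)"
      else
        # e.g. a multi-region replica, whose rotation is set on the primary
        line="$key_id ENABLE_FAILED"
        findings=$((findings + 1))
      fi
    elif [ "$status" = "ROTATION_DISABLED" ]; then
      findings=$((findings + 1))
    fi
    echo "$line"
  done
  [ "$findings" -eq 0 ] || return 2
}

# Entry point: "audit" only reports, "fix" also enables rotation.
case "${1:-}" in
  audit) audit_kms_rotation 0 ;;
  fix)   audit_kms_rotation 1 ;;
  *)     echo "usage: $0 audit|fix" >&2 ;;
esac
```

Run it as `./kms_rotation_audit.sh audit` per region (the CLI reads the region from your profile or AWS_REGION); a non-zero exit status means at least one customer-managed CMK still has rotation disabled. The NOT_APPLICABLE filter matters because enable-key-rotation is rejected for asymmetric, HMAC, imported-material and custom key store keys, so a naive loop over list-keys would fail on those rather than finish the audit.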


Backout Plan:

  • If enabling KMS key rotation causes issues, disable key rotation via the AWS CLI:

aws kms disable-key-rotation --key-id <kms-key-id>

  • Verify that key rotation is disabled:

aws kms get-key-rotation-status --key-id <kms-key-id>

  • If KeyRotationEnabled in the output is false, rotation is disabled.
  • Ensure disabling key rotation is justified before proceeding.


References:

CIS Controls Mapping:

CIS Control Version | Control ID | Control Description
--------------------|------------|------------------------------------------------------------------------------------
CIS v8              | 3.11       | Encrypt sensitive data at rest using encryption mechanisms like KMS key rotation.
CIS v8              | 14.8       | Ensure encryption policies are enforced for critical data storage.
CIS v7              | 16.1       | Implement data encryption standards that meet industry best practices.
CIS v7              | 6.3        | Enable detailed security logging to track encryption key activities.