Profile Applicability:

Level 1

Description:

Google Cloud Key Management Service (KMS) stores cryptographic keys in a hierarchical structure, allowing efficient and secure access control. To ensure key security, it is recommended to configure key rotation within 90 days.

Rationale:

Regularly rotating encryption keys ensures:

  1. Reduced risk of data if a key is exposed.

  2. Continued adherence to compromise security best practices by limiting the lifespan of key material.

KMS allows users to define a rotation schedule to automatically generate new key versions. The previous versions remain available to decrypt data encrypted with them, but new encryption requests will use the latest version.

Impact:

Post-rotation, older key versions are required to decrypt previously encrypted data. Applications and services using these keys must accommodate the rotation schedule to avoid disruptions.

Default Value:

By default, Google Cloud KMS encryption keys are rotated every 90 days.

Remediation Steps:

Test Plan

Using Google Cloud Console:                        

  1. Go to Cryptographic Keys: GCP Cryptographic Keys Console.

  2. Select a key ring and check the Next Rotation field for each key to ensure it is set to occur within 90 days.

Using Google Cloud CLI:
List all keys in a key ring and verify their rotation settings:

gcloud kms keys list --keyring=<KEY_RING> --location=<LOCATION> --format=json

  1. Ensure the rotationPeriod and nextRotationTime values meet the following conditions:

    • rotationPeriod is ≤ 90 days (equivalent to 2160h, 129600m, or 7776000s).

    • nextRotationTime is within 90 days of the current date.

Implementation  Steps:

Using Google Cloud Console:

  1. Navigate to Cryptographic Keys: GCP Cryptographic Keys Console.

  2. Select the relevant key ring and locate the key to update.

                       

  1. Click the More (3 dots) icon next to the key and choose Edit Rotation Period.

                             

  1. Set the rotation period to 90 days or fewer and specify a start date for the rotation schedule.

                         

  1. Save the changes.

           

Using Google Cloud CLI:

Update the rotation schedule for a specific key:

gcloud kms keys update <KEY_NAME> \
  --keyring=<KEY_RING> \
  --location=<LOCATION> \
  --next-rotation-time=<NEXT_ROTATION_TIME> \
  --rotation-period=<ROTATION_PERIOD>

Example:

gcloud kms keys update my-key \
  --keyring=my-keyring \
  --location=global \
  --next-rotation-time="2025-01-15T00:00:00Z" \
  --rotation-period="90d"

Backout Plan:

1. Restore Previous Key Rotation Settings (If Necessary)

If an application fails due to unexpected key rotation, revert the previous setting:

gcloud kms keys update <KEY_NAME> \
  --keyring=<KEY_RING> \
  --location=<LOCATION> \
  --rotation-period="365d"

Temporarily setting rotation to 365 days may allow time for troubleshooting.

2. Restore IAM Policy from Backup

If needed, restore the previous IAM policy:

gcloud kms keys set-iam-policy <KEY_NAME> policy-backup.json

References:

  1. Key Rotation Frequency

  2. Re-encrypting Data.

CIS Controls:

Control

Description

IG 1

IG 2

IG 3

3.11 Encrypt Sensitive Data at Rest

Encrypt sensitive data stored on servers, applications, or databases using encryption mechanisms.

14.8 Encrypt Sensitive Information at Rest

Encrypt all sensitive information at rest with a secondary authentication mechanism not tied to the OS.