Profile Applicability

  • Level 1

Description:

Customer managed keys (CMKs) are KMS keys that customers create and manage in AWS Key Management Service (KMS). When automatic rotation is enabled for a symmetric CMK, KMS generates new cryptographic key material for the key on a fixed schedule (once a year by default) while the key ID, ARN, policy, grants and aliases stay the same, so applications need no change. KMS keeps every earlier version of the key material for the life of the key, so data encrypted before a rotation remains decryptable. Rotation limits how much data is protected by any single version of the key material, which reduces the impact if a version is ever exposed.

Enabling automatic rotation for CMKs helps meet best-practice and regulatory expectations for key management and removes the need to schedule and perform rotations by hand, reducing the administrative burden on security teams.

Rationale:

Symmetric CMKs are used to encrypt and decrypt data. Rotating the key material on a schedule limits the amount of ciphertext tied to any one version of the key and bounds the window during which a leaked version would be useful. Key rotation:

  • Has KMS generate new key material on schedule and use it for all new encryption operations, without changing the key ID or requiring application changes.

  • Limits the volume of data protected by any one version of the key material, so exposure of a single version affects less data.

  • Helps maintain compliance with regulatory requirements (e.g., PCI DSS, HIPAA) that mandate periodic rotation of cryptographic keys.

Automatic rotation does not re-encrypt existing data and does not revoke access: a principal allowed to call kms:Decrypt on the key can still decrypt data protected by every version of the material. If a key is suspected of being compromised (for example, through an overly permissive key policy), create a new key and re-encrypt the data rather than relying on rotation.

Without automatic rotation, CMKs must be rotated manually by creating a new key and repointing aliases and applications to it, which is error-prone and increases the risk of mismanagement.

Impact:

Failure to enable automatic rotation for symmetric CMKs can result in:

  • A larger volume of data exposed if a single version of the key material is ever compromised.

  • Failure to comply with industry regulations that require key rotation.

  • Reliance on manual rotation processes, which invite human error or simply never happen.

Enabling automatic key rotation ensures that key material is rotated at a set interval, which strengthens the security of encrypted data and removes the manual overhead of key management.

Default Value:

By default, automatic rotation is disabled for customer managed keys; you must explicitly enable it for each symmetric CMK. Once enabled, the rotation period defaults to one year. AWS managed keys (KeyManager AWS) are rotated by AWS every year and their rotation setting cannot be changed.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • kms:ListKeys

    • kms:DescribeKey

    • kms:GetKeyRotationStatus

    • kms:EnableKeyRotation (and kms:DisableKeyRotation for the backout plan)

    • config:DescribeConfigurationRecorders, for the AWS Config check in the Test Plan

  • Automatic rotation is only supported for symmetric encryption keys whose key material was generated by KMS (KeySpec SYMMETRIC_DEFAULT, Origin AWS_KMS). Asymmetric keys, HMAC keys, keys with imported key material and keys in custom key stores must be rotated manually.

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the KMS Console.

  2. For each customer-managed symmetric CMK, open the key and verify that automatic key rotation is enabled.

  3. Go to the AWS Config Console and verify that the Configuration Recorder is enabled to track CMK configurations.

Using AWS CLI:

For each key ID returned by aws kms list-keys that is customer managed and symmetric with KMS-generated material (KeyManager, KeySpec and Origin in the describe-key output), confirm that rotation is enabled. The expected value is true:

aws kms get-key-rotation-status --key-id <key-id> --query "KeyRotationEnabled" --output table

To verify that an AWS Config recorder is defined and records all supported resource types (which include AWS::KMS::Key), run the following. Single quotes are required here: inside double quotes the shell would treat the JMESPath backticks as command substitution.

aws configservice describe-configuration-recorders --query 'ConfigurationRecorders[?recordingGroup.allSupported==`true`].{Name:name, RecordingGroup:recordingGroup}' --output table

Implementation Plan:

Using AWS Console:

  1. Enable automatic key rotation for symmetric CMKs:

    • Go to the KMS Console.

    • Select the symmetric CMK for which you want to enable rotation.

    • In the Key actions section, click Enable rotation for the selected key (the option is only offered for symmetric keys with KMS-generated material).

  2. Enable AWS Config to monitor CMK rotation:

    • In the AWS Config Console, ensure the Configuration Recorder is active and tracking CMK configurations.

Using AWS CLI:

  1. Enable key rotation for a symmetric CMK (repeat for each key the Test Plan reported as disabled):

aws kms enable-key-rotation --key-id <key-id>

  2. Enable AWS Config to record CMK configuration. Create or update the recorder so that it covers all supported resource types, then start it; <config-role-arn> is the IAM role that AWS Config assumes:

aws configservice put-configuration-recorder --configuration-recorder name=<recorder-name>,roleARN=<config-role-arn> --recording-group allSupported=true,includeGlobalResourceTypes=true
aws configservice start-configuration-recorder --configuration-recorder-name <recorder-name>

Recording configuration items only captures the key's settings over time; to have AWS Config actively flag keys without rotation, also deploy the AWS managed rule CMK_BACKING_KEY_ROTATION_ENABLED.
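
The Test Plan and Implementation Plan above are a per-key loop over list-keys, describe-key, get-key-rotation-status and enable-key-rotation. The script below is an added example, not part of this benchmark page or of any AWS tooling: it applies the eligibility rules stated in the Pre-Requisites to the same fields the API returns, reports PASS/FAIL/SKIP per key, and emits the page's enable-key-rotation command for each FAIL. The key IDs and API responses in SAMPLE_METAS and SAMPLE_ROTATION are constructed so the script runs offline; collect_live() pulls the same inputs from a live boto3 KMS client that the caller is assumed to have created with boto3.client('kms').

```python
"""Audit KMS customer managed keys for automatic rotation (added example).

classify_key() works on the KeyMetadata object from describe-key and the
response of get-key-rotation-status, so it runs on the constructed sample
below or on data gathered from a live boto3 client via collect_live().
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ELIGIBLE_SPEC = "SYMMETRIC_DEFAULT"   # only symmetric encryption keys rotate
ELIGIBLE_ORIGIN = "AWS_KMS"           # material generated by KMS, not imported


@dataclass
class Finding:
    key_id: str
    verdict: str   # "PASS", "FAIL" or "SKIP"
    reason: str


def classify_key(meta: Dict, rotation: Optional[Dict]) -> Finding:
    """PASS/FAIL for keys that must rotate; SKIP for keys KMS cannot rotate."""
    key_id = meta["KeyId"]
    if meta.get("KeyManager") != "CUSTOMER":
        return Finding(key_id, "SKIP", "AWS managed key; AWS rotates it yearly")
    if meta.get("KeyState") in ("PendingDeletion", "PendingReplicaDeletion"):
        return Finding(key_id, "SKIP", "key is scheduled for deletion")
    if meta.get("KeySpec") != ELIGIBLE_SPEC:
        return Finding(key_id, "SKIP", f"{meta.get('KeySpec')} keys cannot rotate automatically")
    if meta.get("Origin") != ELIGIBLE_ORIGIN:
        return Finding(key_id, "SKIP", f"origin {meta.get('Origin')}: imported/external material is rotated manually")
    if meta.get("CustomKeyStoreId"):
        return Finding(key_id, "SKIP", "custom key store keys cannot rotate automatically")
    mrk = meta.get("MultiRegionConfiguration") or {}
    if mrk.get("MultiRegionKeyType") == "REPLICA":
        return Finding(key_id, "SKIP", "replica key; rotation is configured on the primary key")
    if rotation and rotation.get("KeyRotationEnabled"):
        return Finding(key_id, "PASS", f"rotates every {rotation.get('RotationPeriodInDays', 365)} days")
    return Finding(key_id, "FAIL", "automatic rotation is disabled")


def audit(metas: Iterable[Dict], rotation_by_key: Dict[str, Dict]) -> List[Finding]:
    return [classify_key(m, rotation_by_key.get(m["KeyId"])) for m in metas]


def remediation_commands(findings: Iterable[Finding]) -> List[str]:
    """One enable-key-rotation command (as on the page) per FAIL finding."""
    return [f"aws kms enable-key-rotation --key-id {f.key_id}"
            for f in findings if f.verdict == "FAIL"]


def collect_live(kms) -> Tuple[List[Dict], Dict[str, Dict]]:
    """Gather the same inputs from a live boto3 KMS client (assumed to be
    created by the caller with boto3.client('kms')). Needs kms:ListKeys,
    kms:DescribeKey and kms:GetKeyRotationStatus. Not used by the sample run."""
    metas, rotation = [], {}
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            metas.append(meta)
            if (meta["KeyManager"] == "CUSTOMER" and meta["KeySpec"] == ELIGIBLE_SPEC
                    and meta["Origin"] == ELIGIBLE_ORIGIN):
                rotation[meta["KeyId"]] = kms.get_key_rotation_status(KeyId=meta["KeyId"])
    return metas, rotation


# Constructed sample data shaped like the real API responses (not from any account).
SAMPLE_METAS = [
    {"KeyId": "11111111-1111-4111-8111-111111111111", "KeyManager": "CUSTOMER",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyState": "Enabled"},
    {"KeyId": "22222222-2222-4222-8222-222222222222", "KeyManager": "CUSTOMER",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyState": "Enabled"},
    {"KeyId": "33333333-3333-4333-8333-333333333333", "KeyManager": "AWS",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyState": "Enabled"},
    {"KeyId": "44444444-4444-4444-8444-444444444444", "KeyManager": "CUSTOMER",
     "KeySpec": "RSA_2048", "Origin": "AWS_KMS", "KeyState": "Enabled"},
    {"KeyId": "55555555-5555-4555-8555-555555555555", "KeyManager": "CUSTOMER",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "EXTERNAL", "KeyState": "Enabled"},
]
SAMPLE_ROTATION = {
    "11111111-1111-4111-8111-111111111111": {"KeyRotationEnabled": True, "RotationPeriodInDays": 365},
    "22222222-2222-4222-8222-222222222222": {"KeyRotationEnabled": False},
}


def run_sample() -> List[Finding]:
    return audit(SAMPLE_METAS, SAMPLE_ROTATION)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.verdict:4} {f.key_id}  {f.reason}")
    print("\n".join(remediation_commands(run_sample())))
```

On the sample data only the second key is a FAIL; the AWS managed key, the RSA key and the key with imported material are reported as SKIP with the reason, so they are not mistaken for compliant keys and not targeted by enable-key-rotation (which would be rejected for them). To run against an account, call audit(*collect_live(boto3.client("kms"))) with credentials carrying the permissions listed in the Pre-Requisites.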

Backout Plan:

Using AWS Console:

  1. If automatic key rotation must be turned off (disabling rotation only stops future rotations; key material already generated is retained and data encrypted under it stays decryptable):

    • Go to the KMS Console.

    • Disable key rotation for the CMK by selecting Disable rotation under the Key actions menu.

  2. Modify AWS Config settings to exclude CMKs from being monitored if there are cost or resource consumption concerns.

Using AWS CLI:

  1. Temporarily disable key rotation:

aws kms disable-key-rotation --key-id <key-id>

  2. Stop the AWS Config recorder (note that this stops recording for every resource type, not only CMK configurations):

aws configservice stop-configuration-recorder --configuration-recorder-name <recorder-name>

  3. Re-enable rotation and monitoring once issues are resolved:

aws kms enable-key-rotation --key-id <key-id>
aws configservice start-configuration-recorder --configuration-recorder-name <recorder-name>


References:

CIS Controls Mapping:

CIS Control Version   Control ID   Control Description
CIS v8                4.9          Perform Continuous Security Monitoring and Incident Detection
CIS v7                6.3          Monitor Security Configurations for Compliance
CIS v7                5.2          Securely Manage and Monitor Cloud Accounts and Services