Profile Applicability:
Level 1


Description:
This control ensures that automatic key rotation is enabled for all customer-managed AWS Key Management Service (KMS) Customer Master Keys (CMKs). Key rotation automatically generates new cryptographic material for an existing CMK every 365 days while retaining previous key versions to decrypt older data. This practice strengthens data protection by reducing the potential impact of a compromised key.

Rationale:
Enabling automatic key rotation ensures that encryption keys are periodically updated without manual intervention, limiting exposure from long-term use of a single key. This aligns with cryptographic best practices and regulatory requirements from frameworks such as CIS, SOC 2, ISO 27001, HIPAA, and PCI DSS. Rotating keys regularly enhances security resilience by ensuring that older key material is no longer used to encrypt new data, even though it remains available to decrypt data encrypted before rotation.


Impact:
Positive Impact:

  • Improves data protection by reducing key exposure duration.

  • Maintains compliance with encryption and key management requirements.

  • Provides continuous protection without manual rotation effort.

Negative Impact:

  • Rotation can be enabled only for customer-managed CMKs; it does not apply to AWS-managed keys.

  • Minimal additional KMS management overhead for tracking key rotation status.

Default Value:
By default, automatic key rotation is disabled for customer-managed CMKs. AWS-managed CMKs are automatically rotated every 365 days, but user-created CMKs must be configured manually.

Pre-Requisite:

  • IAM permissions required: kms:ListKeys, kms:DescribeKey, and kms:EnableKeyRotation.

  • CMK must be a customer-managed key (not AWS-managed or imported key material).

Test Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Key Management Service (KMS) → Customer managed keys.

  3. Select each key to review.

  4. Under the Key rotation section, verify that:

    • The Automatic key rotation every year option is Enabled.

  5. If this setting is Disabled, the CMK is non-compliant.

Implementation Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Key Management Service → Customer managed keys.

  3. Select the CMK for which you want to enable rotation.

  4. In the Key rotation section, click Edit.

  5. Enable Automatically rotate this KMS key every year.

  6. Click Save changes.

  7. Repeat this process for all customer-managed CMKs across all active AWS regions.
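The Test Plan and Implementation Plan above describe the console steps; the following script is an added example (not part of this control or of AWS documentation) that performs the same audit and remediation per region through the KMS API. It assumes boto3 is installed, credentials carry the listed permissions plus kms:GetKeyRotationStatus, and the sample KeyMetadata records are constructed, not real keys.

```python
def evaluate_key(metadata: dict, rotation_enabled: bool) -> str:
    """Classify one key from DescribeKey KeyMetadata plus its GetKeyRotationStatus.

    NOT_APPLICABLE covers keys the control excludes (AWS-managed, imported or
    external material, asymmetric/HMAC, not Enabled); else COMPLIANT/NON_COMPLIANT.
    """
    if metadata.get("KeyManager") != "CUSTOMER":
        return "NOT_APPLICABLE"  # AWS-managed keys are rotated by AWS
    if metadata.get("Origin") != "AWS_KMS":
        return "NOT_APPLICABLE"  # imported or custom key store material
    if metadata.get("KeySpec", "SYMMETRIC_DEFAULT") != "SYMMETRIC_DEFAULT":
        return "NOT_APPLICABLE"  # KMS cannot auto-rotate asymmetric or HMAC keys
    if metadata.get("KeyState") != "Enabled":
        return "NOT_APPLICABLE"  # disabled or pending deletion
    return "COMPLIANT" if rotation_enabled else "NON_COMPLIANT"


def audit_region(region: str, remediate: bool = False) -> dict:
    """Return {KeyId: status} for one region; remediate=True enables rotation."""
    import boto3  # local import so evaluate_key stays usable without boto3
    kms = boto3.client("kms", region_name=region)
    results = {}
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            rotation = kms.get_key_rotation_status(KeyId=key["KeyId"])["KeyRotationEnabled"]
            status = evaluate_key(meta, rotation)
            if status == "NON_COMPLIANT" and remediate:
                kms.enable_key_rotation(KeyId=key["KeyId"])
                status = "REMEDIATED"
            results[key["KeyId"]] = status
    return results


# Constructed sample metadata (not real keys) so the classifier runs offline.
SAMPLE_KEYS = [
    ({"KeyId": "cmk-a", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
      "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled"}, True),
    ({"KeyId": "cmk-b", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
      "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled"}, False),
    ({"KeyId": "cmk-c", "KeyManager": "CUSTOMER", "Origin": "EXTERNAL",
      "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled"}, False),
    ({"KeyId": "aws-d", "KeyManager": "AWS", "Origin": "AWS_KMS",
      "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled"}, True),
]


def summarize(samples) -> dict:
    """Map KeyId to status for (metadata, rotation_enabled) pairs."""
    return {m["KeyId"]: evaluate_key(m, r) for m, r in samples}
```

Run summarize(SAMPLE_KEYS) to see the classification offline; against a live account, call audit_region once per active region (remediate=False first to review findings, then remediate=True).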

Backout Plan:

  1. To disable automatic key rotation (not recommended unless required by policy):

    • Navigate to AWS KMS → Customer managed keys → [Key ID].

    • Under Key rotation, deselect the Automatically rotate this KMS key every year option.

    • Save the change.

  2. Ensure that disabling rotation is documented with a valid business justification and approved exception.

References: