
Ensure Rotation for Customer Created Symmetric CMKs is Enabled Rule

This rule ensures that rotation for customer created symmetric CMKs is enabled.

Rule: Ensure rotation for customer created symmetric CMKs is enabled
Framework: cis_v150
Severity: Medium

Rule Description:

The rule "Ensure rotation for customer created symmetric CMKs is enabled" ensures that rotation is enabled for customer-created symmetric Customer Master Keys (CMKs) in AWS Key Management Service (KMS). This is done to enhance the security of encryption keys by regularly rotating them.

By enabling key rotation, AWS KMS will automatically generate a new CMK that is identical to the original key, and the original key will be set to a "Disabled" state, preventing any further usage. This helps protect against unauthorized access and usage of encryption keys.

Troubleshooting Steps (if applicable):

If the rotation for customer-created symmetric CMKs is not enabled, the following troubleshooting steps can be followed:

  1. Check if the CMKs in question are customer-created symmetric CMKs.
  2. Confirm if rotation is currently enabled for these CMKs:
     • Navigate to the AWS KMS console.
     • Go to the "Customer managed keys" section.
     • Find the relevant CMKs and check their rotation status.
  3. If rotation is not enabled, verify the IAM policies attached to the KMS keys and ensure they allow the necessary permissions for key rotation.
  4. If the IAM policies are correct, check if the client applications using the CMKs support the automatic update of keys after rotation.
  5. If key rotation is still not enabled, proceed with the remediation steps below.

Remediation:

To enable rotation for customer-created symmetric CMKs, follow the step-by-step guide below:

  1. Open the AWS Command Line Interface (CLI) or the AWS Management Console.
  2. Navigate to AWS KMS.
  3. Go to the "Customer managed keys" section.
  4. Identify the specific CMK that needs rotation enabled.
  5. If a key policy exists, ensure that you have the necessary permissions to modify it.
  6. Retrieve the key policy document using the AWS CLI command (the --query/--output flags extract the bare policy document, since get-key-policy otherwise wraps it in a JSON response object that put-key-policy would reject):

     aws kms get-key-policy --key-id <CMK_ID> --policy-name default --query Policy --output text > policy.json

     Replace <CMK_ID> with the key identifier of the CMK.
  7. Open the downloaded policy.json file.
  8. Add or modify the key policy to include the "EnableKeyRotation" statement. Below is an example of what the relevant section may look like:

     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "EnableKeyRotation",
                 "Effect": "Allow",
                 "Principal": {
                     "AWS": "arn:aws:iam::123456789012:root"
                 },
                 "Action": "kms:EnableKeyRotation",
                 "Resource": "*"
             }
         ]
     }

     Note: Replace 123456789012 with your AWS account ID.
  9. Save the policy.json file.
  10. Use the AWS CLI command to update the key policy:

     aws kms put-key-policy --key-id <CMK_ID> --policy-name default --policy file://policy.json

     Replace <CMK_ID> with the key identifier of the CMK.
  11. Verify that rotation is enabled by checking the rotation status of the CMK:
     • Go to the AWS KMS console.
     • Navigate to the "Customer managed keys" section.
     • Find the relevant CMK and check its rotation status.

By following these steps, rotation for customer-created symmetric CMKs should now be enabled, ensuring improved security for encryption keys in AWS KMS.
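The console check in troubleshooting step 2 and verification step 11 does not scale past a handful of keys. The following script is an added example, not part of this page or of AWS's tooling: it audits every key in an account the way the rule does, keeping only customer-managed symmetric keys (KeyManager CUSTOMER, KeySpec SYMMETRIC_DEFAULT) and reporting those whose rotation status is off. It uses the boto3 KMS client methods list_keys, describe_key and get_key_rotation_status; the FakeKms class is a constructed stand-in with sample key IDs so the code runs offline.

```python
"""Audit AWS KMS customer-managed symmetric keys for automatic rotation."""


def _iter_key_ids(kms):
    """Yield every key ID in the account, following ListKeys pagination."""
    marker = None
    while True:
        page = kms.list_keys(**({"Marker": marker} if marker else {}))
        for entry in page.get("Keys", []):
            yield entry["KeyId"]
        if not page.get("Truncated"):
            return
        marker = page["NextMarker"]


def find_unrotated_cmks(kms):
    """Return IDs of customer-managed symmetric keys with rotation disabled.
    AWS-managed and asymmetric/HMAC keys are skipped: automatic rotation
    only applies to customer-managed symmetric encryption keys."""
    findings = []
    for key_id in _iter_key_ids(kms):
        meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        if meta.get("KeyManager") != "CUSTOMER" or meta.get("KeySpec") != "SYMMETRIC_DEFAULT":
            continue
        if not kms.get_key_rotation_status(KeyId=key_id).get("KeyRotationEnabled"):
            findings.append(key_id)
    return findings


class FakeKms:
    """Constructed stand-in for boto3.client("kms"): four sample keys over two pages."""
    KEYS = {  # key id -> (KeyManager, KeySpec, rotation enabled)
        "1111-sym-off": ("CUSTOMER", "SYMMETRIC_DEFAULT", False),
        "2222-sym-on": ("CUSTOMER", "SYMMETRIC_DEFAULT", True),
        "3333-rsa": ("CUSTOMER", "RSA_2048", False),
        "4444-aws": ("AWS", "SYMMETRIC_DEFAULT", False),
    }

    def list_keys(self, Marker=None):
        ids = sorted(self.KEYS)
        if Marker is None:  # first page; the real ListKeys paginates the same way
            return {"Keys": [{"KeyId": k} for k in ids[:2]], "Truncated": True, "NextMarker": ids[2]}
        return {"Keys": [{"KeyId": k} for k in ids[2:]], "Truncated": False}

    def describe_key(self, KeyId):
        manager, spec, _ = self.KEYS[KeyId]
        return {"KeyMetadata": {"KeyId": KeyId, "KeyManager": manager, "KeySpec": spec}}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self.KEYS[KeyId][2]}
```

Against a real account, pass boto3.client("kms") instead of FakeKms(); each key the function returns is one on which kms:EnableKeyRotation (the action the step 8 policy statement permits) still has to be invoked.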
