
Rule: KMS CMK Rotation Should Be Enabled

This rule ensures that Key Management Service (KMS) Customer Master Key (CMK) rotation is enabled for enhanced data protection. (CMK is AWS's older name for what the KMS documentation now calls a "KMS key"; this page keeps the older term.)

Rule: KMS CMK rotation should be enabled
Framework: General Data Protection Regulation (GDPR)
Severity: Critical

KMS CMK Rotation for General Data Protection Regulation (GDPR)

Rule Description

To support the General Data Protection Regulation (GDPR) requirement for appropriate technical measures protecting personal data, rotation should be enabled for Key Management Service (KMS) Customer Master Keys (CMKs). GDPR does not name key rotation explicitly, but it is a standard control for maintaining the confidentiality and integrity of sensitive data encrypted in Amazon Web Services (AWS) services.

KMS CMK rotation causes KMS to generate new cryptographic key material on a schedule (yearly by default; a custom period can be configured) while retaining the previous material so that existing ciphertext remains decryptable. Rotation therefore limits how much data is protected by any single key version and shortens the window in which a compromise of one version matters. It does not re-encrypt data already stored, and it does not reduce the risk of over-broad access to the key itself: a principal allowed kms:Decrypt can still decrypt under every version. Automatic rotation applies only to customer managed, symmetric encryption keys whose key material was generated by KMS; AWS managed keys are rotated on a schedule AWS controls, and asymmetric keys, HMAC keys, and keys with imported or custom key store material cannot be rotated automatically. Enabling rotation where it is supported strengthens an organization's security posture and helps it demonstrate the data protection obligations GDPR imposes.

Troubleshooting Steps (if applicable)

If KMS CMK rotation is not already enabled, follow the steps below to troubleshoot and resolve the issue:

  1. Verify IAM Permissions: Ensure that the AWS Identity and Access Management (IAM) user or role used to manage KMS CMK rotation has the necessary permissions. It needs the kms:GetKeyRotationStatus action to read the current status and the kms:EnableKeyRotation action to change it. KMS authorizes through the key policy as well as IAM: unless the key policy delegates permissions to IAM (the default key policy's "Enable IAM User Permissions" statement does this), an IAM policy alone is not sufficient.

  2. Check Key Rotation Status: Use the AWS Management Console, AWS CLI, or SDKs to check the rotation status of the CMK. On the CLI this is the get-key-rotation-status operation; describe-key reports the key's state, spec, and origin but not its rotation status. If rotation is not enabled, proceed to enable it.

  3. Enable Key Rotation: To enable key rotation for a KMS CMK, use the AWS CLI or SDKs with appropriate credentials. Execute the following command:

aws kms enable-key-rotation --key-id <CMK ID>

Make sure to replace <CMK ID> with the key ID or ARN of the CMK you want to enable rotation for. KMS rejects the call for AWS managed keys, for asymmetric or HMAC keys, and for keys whose key material was imported or lives in a custom key store; if it fails, confirm the key is customer managed, symmetric, and backed by KMS-generated material before looking for a permissions problem.

  4. Verify Key Rotation: After enabling rotation, verify that the CMK rotation status has been updated. This can be done using the AWS Management Console, AWS CLI, or SDKs.

Necessary Codes

There are no specific codes required for this rule. However, make sure you have the AWS CLI configured with the necessary IAM user or role that has permissions to manage KMS CMK rotation.

Remediation Steps

To enable KMS CMK rotation for GDPR compliance, perform the following steps:

  1. Identify the Key ID: Determine the Customer Master Key (CMK) ID for which you want to enable rotation. This can be obtained from the AWS Management Console or by using the AWS CLI command:

aws kms list-keys

This lists every key in the region, including AWS managed keys (which AWS rotates on its own schedule) and keys that are not eligible for automatic rotation. Run aws kms describe-key --key-id <CMK ID> to confirm that a key is customer managed (KeyManager CUSTOMER), symmetric (KeySpec SYMMETRIC_DEFAULT), and backed by KMS-generated key material (Origin AWS_KMS) before proceeding.

  2. Enable Key Rotation: Once you have the CMK ID, enable key rotation using the AWS CLI command:

aws kms enable-key-rotation --key-id <CMK ID>

Be sure to replace <CMK ID> with the actual ID you obtained in the previous step.

  3. Verify Key Rotation: After enabling rotation, confirm the updated rotation status of the CMK. You can verify this either through the AWS Management Console or by using the AWS CLI command:

aws kms get-key-rotation-status --key-id <CMK ID>

This command returns KeyRotationEnabled, which should now be true. (aws kms describe-key displays the key's metadata but does not include the rotation status.)

  4. Repeat for Additional CMKs (if applicable): If you have multiple CMKs that require rotation, repeat steps 1-3 for each CMK.

By following these steps, you will successfully enable KMS CMK rotation for GDPR compliance in your AWS environment. Remember that rotation applies to new key material going forward: data already encrypted stays decryptable under the retained older material and is not re-encrypted, and rotation does not narrow who can call kms:Decrypt on the key.
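The troubleshooting and remediation steps above are the same procedure applied one key at a time. The following script, added here as an example and not Cloud Defense's or AWS's own code, runs it across an account region: it lists keys, classifies each one by whether KMS can rotate it at all, reports findings, and optionally enables and verifies rotation. It assumes boto3 is installed and that the caller's credentials and the key policies allow kms:ListKeys, kms:DescribeKey, kms:GetKeyRotationStatus and kms:EnableKeyRotation. The classification logic makes no AWS calls, so it can be exercised on the constructed sample metadata at the bottom of the block; the eligibility rules it encodes are the ones stated in the rule description, and treating keys that are not in the Enabled state as "review" rather than changing them is a conservative choice made for this example.

```python
"""Audit and remediate automatic rotation on AWS KMS keys.

Added example for the rotation procedure on this page, not Cloud Defense's
or AWS's code. Assumes boto3 plus credentials/key policies allowing
kms:ListKeys, kms:DescribeKey, kms:GetKeyRotationStatus, kms:EnableKeyRotation.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    key_id: str
    status: str  # "remediate" | "compliant" | "ineligible" | "skip"
    reason: str


def triage_key(meta: dict, rotation_enabled: bool | None) -> Finding:
    """Classify one key from DescribeKey's KeyMetadata and its rotation flag.

    KMS rotates only customer managed, symmetric encryption keys whose
    material it generated (Origin AWS_KMS). Keys not in the Enabled state
    are reported for review instead of being changed (a choice made here).
    """
    key_id = meta["KeyId"]
    # Older API responses carry CustomerMasterKeySpec instead of KeySpec.
    spec = meta.get("KeySpec") or meta.get("CustomerMasterKeySpec", "SYMMETRIC_DEFAULT")
    if meta.get("KeyManager") == "AWS":
        return Finding(key_id, "skip", "AWS managed key; rotation schedule is set by AWS")
    if meta.get("KeyState") != "Enabled":
        return Finding(key_id, "skip", f"key state {meta.get('KeyState')}; review before acting")
    if spec != "SYMMETRIC_DEFAULT":
        return Finding(key_id, "ineligible", f"{spec} keys cannot use automatic rotation")
    if meta.get("Origin", "AWS_KMS") != "AWS_KMS":
        return Finding(key_id, "ineligible", f"origin {meta['Origin']}; KMS cannot rotate it")
    if rotation_enabled:
        return Finding(key_id, "compliant", "automatic rotation is enabled")
    return Finding(key_id, "remediate", "customer managed symmetric key without rotation")


def remediation_plan(findings: list[Finding]) -> list[str]:
    """Key IDs that enable-key-rotation should be run against."""
    return [f.key_id for f in findings if f.status == "remediate"]


def collect_from_aws(kms) -> list[tuple[dict, bool | None]]:
    """Gather (KeyMetadata, rotation flag) for every key visible to the caller.

    `kms` is a boto3 KMS client. list-keys also returns AWS managed keys, so
    the rotation status call is made only for customer managed keys.
    """
    collected = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            enabled = None
            if meta.get("KeyManager") == "CUSTOMER":
                enabled = kms.get_key_rotation_status(KeyId=meta["KeyId"])["KeyRotationEnabled"]
            collected.append((meta, enabled))
    return collected


def enable_rotation(kms, key_ids: list[str]) -> list[str]:
    """Enable rotation, then read the status back; returns keys verified enabled."""
    verified = []
    for key_id in key_ids:
        kms.enable_key_rotation(KeyId=key_id)
        if kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]:
            verified.append(key_id)
    return verified


def _meta(key_id: str, **override) -> dict:
    """Constructed KeyMetadata in DescribeKey's shape (not real AWS output)."""
    base = {"KeyId": key_id, "KeyManager": "CUSTOMER", "KeyState": "Enabled",
            "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"}
    return {**base, **override}


SAMPLE_KEYS = [  # constructed sample input covering each triage outcome
    (_meta("k-unrotated"), False),
    (_meta("k-rotated"), True),
    (_meta("k-aws-managed", KeyManager="AWS"), None),
    (_meta("k-rsa", KeySpec="RSA_2048"), False),
    (_meta("k-imported", Origin="EXTERNAL"), False),
    (_meta("k-deleting", KeyState="PendingDeletion"), False),
]

if __name__ == "__main__":
    import sys
    import boto3  # assumed available; only needed for the live run

    client = boto3.client("kms")
    results = [triage_key(m, e) for m, e in collect_from_aws(client)]
    for f in results:
        print(f"{f.key_id}\t{f.status}\t{f.reason}")
    if "--enable" in sys.argv:
        print("rotation enabled on:", enable_rotation(client, remediation_plan(results)))
```

Run it without arguments to get a report, and with --enable to remediate; the verification read-back in enable_rotation is the scripted form of step 3, so a key that KMS silently left unrotated is not reported as fixed. Because list-keys is paginated, the paginator is used rather than a single call, which matters in accounts with more than a page of keys.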
