aws-kms-key-rotation

Ensure rotation for customer created CMKs is enabled

Key rotation limits exposure if a key is compromised, because less ciphertext is encrypted under any one version of the key material. Enabling automatic rotation for a customer managed key instructs AWS KMS to generate new key material on a schedule (yearly by default) without changing the key ID, ARN or alias, so callers of the key are unaffected. Two caveats a practitioner should know: rotation does not re-encrypt existing data (KMS keeps every previous version of the key material so older ciphertext still decrypts), and automatic rotation is only available for symmetric encryption keys with KMS-generated key material. Asymmetric keys, HMAC keys and keys with imported key material must be rotated manually by creating a new key and repointing the alias.

Examples

Insecure Example

Terraform:

resource "aws_kms_key" "a" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
}

CloudFormation:

{
  "Type" : "AWS::KMS::Key",
  "Properties" : {
      "Description" : "KMS key 1",
      "PendingWindowInDays" : 10,
      "KeyPolicy": { ... }
    }
}

Secure Example

Terraform:

resource "aws_kms_key" "a" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
  enable_key_rotation     = true
}

CloudFormation:

{
  "Type" : "AWS::KMS::Key",
  "Properties" : {
      "Description" : "KMS key 1",
      "PendingWindowInDays" : 10,
      "KeyPolicy": { ... },
      "EnableKeyRotation" : true
    }
}
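The check this page describes, implemented as a small stand-alone linter over both formats. This is an added example, not tfsec's own rule code: it flags every aws_kms_key / AWS::KMS::Key resource that does not set rotation to true, and can rewrite the Terraform to add the attribute. The Terraform and CloudFormation inputs at the bottom are constructed samples (resource "a" mirrors the insecure example above); the Terraform parsing is a regex that assumes terraform fmt layout, with the block's closing brace at column 0.

```python
"""Stand-alone static check for KMS key rotation (added example, not tfsec code).
Flags aws_kms_key / AWS::KMS::Key resources without rotation enabled and can fix the
Terraform. Sample inputs at the bottom are constructed for this example."""
import json
import re

# One top-level Terraform resource block of type aws_kms_key. Group 1 is the resource
# name, group 2 the body. Assumes the closing brace sits at column 0 (terraform fmt
# layout), which keeps nested blocks such as tags = { ... } inside the body.
_TF_KMS_BLOCK = re.compile(r'resource\s+"aws_kms_key"\s+"([^"]+)"\s*\{(.*?)\n\}', re.DOTALL)
_TF_ROTATION = re.compile(r"^[ \t]*enable_key_rotation\s*=\s*(true|false)[ \t]*$", re.MULTILINE)


def check_terraform(hcl: str) -> list[str]:
    """Names of aws_kms_key resources without enable_key_rotation = true.
    The AWS provider defaults enable_key_rotation to false, so a missing attribute
    is reported just like an explicit false."""
    findings = []
    for name, body in _TF_KMS_BLOCK.findall(hcl):
        m = _TF_ROTATION.search(body)
        if m is None or m.group(1) != "true":
            findings.append(name)
    return findings


def fix_terraform(hcl: str) -> str:
    """Return hcl with enable_key_rotation = true set on every aws_kms_key block
    (an explicit false is rewritten, a missing attribute is appended)."""
    def _fix(m: re.Match) -> str:
        name, body = m.group(1), m.group(2)
        if _TF_ROTATION.search(body):
            body = _TF_ROTATION.sub("  enable_key_rotation = true", body)
        else:
            body += "\n  enable_key_rotation = true"
        return f'resource "aws_kms_key" "{name}" {{{body}\n}}'
    return _TF_KMS_BLOCK.sub(_fix, hcl)


def check_cloudformation(template_json: str) -> list[str]:
    """Logical IDs of AWS::KMS::Key resources without EnableKeyRotation: true."""
    template = json.loads(template_json)
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::KMS::Key":
            continue
        if res.get("Properties", {}).get("EnableKeyRotation") is not True:
            findings.append(logical_id)
    return findings


# Constructed sample inputs: "a" mirrors the page's insecure example, "b" is already fixed.
SAMPLE_TF = '''\
resource "aws_kms_key" "a" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
}

resource "aws_kms_key" "b" {
  description             = "KMS key 2"
  deletion_window_in_days = 10
  enable_key_rotation     = true
}
'''

# Constructed template; KeyPolicy is left out because it does not affect this check.
SAMPLE_CFN = json.dumps({
    "Resources": {
        "KeyNoRotation": {"Type": "AWS::KMS::Key",
                          "Properties": {"Description": "KMS key 1", "PendingWindowInDays": 10}},
        "KeyRotated": {"Type": "AWS::KMS::Key",
                       "Properties": {"Description": "KMS key 2", "PendingWindowInDays": 10,
                                      "EnableKeyRotation": True}},
        "Logs": {"Type": "AWS::S3::Bucket"},
    }
})

if __name__ == "__main__":
    print("terraform findings:", check_terraform(SAMPLE_TF))            # ['a']
    print("cloudformation findings:", check_cloudformation(SAMPLE_CFN))  # ['KeyNoRotation']
    print(fix_terraform(SAMPLE_TF))
```

A config-time check only covers keys created through code. For keys already deployed, including ones created in the console, audit the live state with `aws kms get-key-rotation-status --key-id <key-id>` and remediate with `aws kms enable-key-rotation --key-id <key-id>`; both calls fail on asymmetric, HMAC and imported-material keys, which is the quickest way to find the keys that need a manual rotation plan instead.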

More information