aws-kms-key-rotation
Ensure rotation for customer created CMKs is enabled
Key rotation limits how much data is protected by any single version of the key material, and so bounds the exposure if that material is compromised. Enabling automatic rotation for a customer managed key instructs AWS KMS to generate new key material on a schedule (yearly by default) and use it for new encryption operations, transparently to callers: the key ID, ARN and aliases do not change, and KMS retains the earlier key material so existing ciphertext still decrypts. Automatic rotation is only available for symmetric encryption keys whose key material was generated by KMS; asymmetric keys, HMAC keys and keys with imported (EXTERNAL) key material cannot be auto-rotated and must be rotated manually by creating a new key and repointing the alias.
Examples
Insecure Example

Terraform (no `enable_key_rotation`, which defaults to `false`):

```hcl
resource "aws_kms_key" "a" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
}
```

CloudFormation (no `EnableKeyRotation`, which defaults to `false`):

```json
{
  "Type" : "AWS::KMS::Key",
  "Properties" : {
    "Description" : "KMS key 1",
    "PendingWindowInDays" : 10,
    "KeyPolicy": { ... }
  }
}
```
Secure Example

Terraform:

```hcl
resource "aws_kms_key" "a" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
  enable_key_rotation     = true
}
```

CloudFormation:

```json
{
  "Type" : "AWS::KMS::Key",
  "Properties" : {
    "Description" : "KMS key 1",
    "PendingWindowInDays" : 10,
    "KeyPolicy": { ... },
    "EnableKeyRotation" : true
  }
}
```
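The check this page describes can be applied offline to templates before they reach AWS. The following is an added example, not Checkov's or AWS's own code: it walks a CloudFormation template (already loaded as a dict) and Terraform `aws_kms_key` attribute dicts, fails keys that do not set `EnableKeyRotation` / `enable_key_rotation` to true, and, going slightly beyond the page, reports keys that cannot be auto-rotated at all (non-symmetric `KeySpec` / `customer_master_key_spec`, or `Origin` / `origin` = `EXTERNAL`) as not applicable instead of failing them, so the finding points at a manual-rotation gap rather than a missing flag. The resource names, the sample template and the Terraform attribute dict shape (plain attribute-to-value mapping) are constructed for the example.

```python
"""Added example: offline check for the aws-kms-key-rotation rule.

Not Checkov's or AWS's code. Assumes a CloudFormation template loaded as a
dict and Terraform resource attributes as a plain {attribute: value} dict.
"""
import json

SYMMETRIC_SPEC = "SYMMETRIC_DEFAULT"   # the only KeySpec KMS can auto-rotate
PASSED, FAILED, NOT_APPLICABLE = "PASSED", "FAILED", "NOT_APPLICABLE"


def _truthy(value):
    """Accept bool True or the string 'true' (as YAML/CFN parameters often carry it)."""
    return value is True or str(value).lower() == "true"


def _rotation_verdict(enable_rotation, key_spec, origin):
    """Apply the rule to one key, taking KMS's rotation limits into account."""
    if origin == "EXTERNAL":
        # Imported key material: KMS cannot rotate it; must be rotated manually.
        return NOT_APPLICABLE
    if key_spec not in (None, SYMMETRIC_SPEC):
        # Asymmetric or HMAC key: automatic rotation is not supported.
        return NOT_APPLICABLE
    return PASSED if _truthy(enable_rotation) else FAILED


def check_cloudformation(template):
    """Return {logical_id: verdict} for every AWS::KMS::Key in the template."""
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::KMS::Key":
            continue
        props = resource.get("Properties", {}) or {}
        results[logical_id] = _rotation_verdict(
            props.get("EnableKeyRotation"),
            props.get("KeySpec"),
            props.get("Origin"),
        )
    return results


def check_terraform(attrs):
    """Return the verdict for one aws_kms_key resource's attribute dict."""
    return _rotation_verdict(
        attrs.get("enable_key_rotation"),
        attrs.get("customer_master_key_spec"),
        attrs.get("origin"),
    )


# Constructed sample template covering the cases the check distinguishes.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "UnrotatedKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {"Description": "KMS key 1", "PendingWindowInDays": 10}
    },
    "RotatedKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {"Description": "KMS key 2", "PendingWindowInDays": 10,
                     "EnableKeyRotation": true}
    },
    "SigningKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {"KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY"}
    },
    "ImportedKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {"Origin": "EXTERNAL"}
    },
    "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}}
  }
}
""")


if __name__ == "__main__":
    for key_id, verdict in check_cloudformation(SAMPLE_TEMPLATE).items():
        print(f"{key_id}: {verdict}")
    print("terraform aws_kms_key.a:",
          check_terraform({"description": "KMS key 1", "deletion_window_in_days": 10}))
```

Treating non-rotatable keys as a separate outcome matters in practice: a scanner that simply fails every key without the flag trains teams to add `enable_key_rotation = true` to an asymmetric key, which AWS will reject at apply time, while the real control for those keys (a manual rotation runbook and alias repointing) goes unchecked.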