gcp-kms-bad-key-rotation
Ensure KMS encryption keys are rotated within a period of 90 days
It is recommended to rotate cryptographic keys periodically to reduce the window of exposure if a key is exfiltrated. There is no hard rule for the rotation period, but a maximum of 90 days is a reasonable choice. In Cloud KMS, automatic rotation generates a new primary key version each time the rotation_period elapses; earlier versions remain available, so data encrypted under them can still be decrypted.
Examples
Insecure Example
resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

resource "google_kms_crypto_key" "example-key" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "31536000s" # 1 year

  lifecycle {
    prevent_destroy = true
  }
}
Secure Example
resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

resource "google_kms_crypto_key" "example-key" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "7776000s" # 90 days in seconds

  lifecycle {
    prevent_destroy = true
  }
}
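As an added example (not part of this rule's page or of any scanner), a small Python checker that applies the rule to Terraform text: it locates each google_kms_crypto_key block, parses rotation_period, and flags keys that rotate less often than every 90 days or that never rotate because the attribute is absent. The sample HCL, the resource names other than example-key, and the 24-hour floor (the minimum rotation_period Cloud KMS accepts) are constructed or assumed here.

```python
import re

MAX_ROTATION_SECONDS = 90 * 24 * 3600   # the 90-day ceiling this rule enforces
MIN_ROTATION_SECONDS = 24 * 3600        # Cloud KMS rejects rotation periods shorter than a day

# Constructed sample: the page's insecure and secure keys, plus a hypothetical key with no rotation_period.
SAMPLE_TF = '''
resource "google_kms_crypto_key" "example-key" {
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "31536000s" # 1 year
}
resource "google_kms_crypto_key" "rotated-key" {
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "7776000s" # 90 days in seconds
}
resource "google_kms_crypto_key" "never-rotated" {
  key_ring = google_kms_key_ring.keyring.id
}
'''

def crypto_key_blocks(hcl):
    """Yield (resource_name, body) for each google_kms_crypto_key block, using brace matching."""
    for m in re.finditer(r'resource\s+"google_kms_crypto_key"\s+"([^"]+)"\s*\{', hcl):
        depth, i = 1, m.end()
        while depth and i < len(hcl):
            depth += {'{': 1, '}': -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), hcl[m.end():i - 1]

def parse_rotation_seconds(body):
    """Return rotation_period as seconds (float), or None when the attribute is absent."""
    m = re.search(r'rotation_period\s*=\s*"([0-9]+(?:\.[0-9]{1,9})?)s"', body)
    return float(m.group(1)) if m else None

def check_rotation(hcl):
    """Map each crypto key name to a finding string, or None when the key passes the rule."""
    findings = {}
    for name, body in crypto_key_blocks(hcl):
        seconds = parse_rotation_seconds(body)
        if seconds is None:
            findings[name] = "no rotation_period set: key is never rotated automatically"
        elif seconds > MAX_ROTATION_SECONDS:
            findings[name] = f"rotation_period {seconds:.0f}s exceeds 90 days ({MAX_ROTATION_SECONDS}s)"
        elif seconds < MIN_ROTATION_SECONDS:
            findings[name] = f"rotation_period {seconds:.0f}s is below the 24h minimum Cloud KMS accepts"
        else:
            findings[name] = None
    return findings
```

Calling check_rotation(SAMPLE_TF) flags example-key and never-rotated and passes rotated-key.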