gcp-kms-bad-key-rotation

Ensure KMS encryption keys are rotated within a period of 90 days

It is recommended to rotate cryptographic keys periodically to reduce the window of exposure if a key is exfiltrated or a key version is otherwise compromised. There is no hard rule for the rotation period, but a maximum of 90 days is a reasonable upper bound. In Cloud KMS the rotation_period is expressed in seconds with an "s" suffix (90 days is "7776000s"). When the period elapses, KMS creates a new primary key version and uses it for new encryption; earlier versions stay available for decrypting existing ciphertext, so rotation does not by itself re-encrypt data already protected under older versions. Note that automatic rotation applies only to symmetric (ENCRYPT_DECRYPT) keys, and that a crypto key with no rotation_period set never rotates on its own.

Examples

Insecure Example

resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

resource "google_kms_crypto_key" "example-key" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "31536000s" # 1 year

  lifecycle {
    prevent_destroy = true
  }
}

Secure Example

resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

resource "google_kms_crypto_key" "example-key" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "7776000s" # 90 days in seconds

  lifecycle {
    prevent_destroy = true
  }
}
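The check below is an added example written for this page, not code from tfsec or the Terraform provider. It scans Terraform text for google_kms_crypto_key resources and flags keys that never rotate, rotate slower than the 90-day threshold above, or use a period Cloud KMS would reject. The regex-based block matching assumes each resource's closing brace sits at column 0, as in the examples above; it is not a full HCL parser. The sample input is constructed from the two examples on this page plus a key with no rotation_period.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Threshold used by this rule: 90 days, in the seconds + "s" form Cloud KMS expects.
MAX_ROTATION_SECONDS = 90 * 24 * 60 * 60   # 7776000
# Cloud KMS rejects rotation periods shorter than one day.
MIN_ROTATION_SECONDS = 24 * 60 * 60        # 86400

# Minimal scan of google_kms_crypto_key blocks (assumption: closing brace at column 0).
_RESOURCE_RE = re.compile(
    r'resource\s+"google_kms_crypto_key"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
_ROTATION_RE = re.compile(r'^\s*rotation_period\s*=\s*"(?P<val>[^"]*)"', re.MULTILINE)
_PURPOSE_RE = re.compile(r'^\s*purpose\s*=\s*"(?P<val>[^"]*)"', re.MULTILINE)


@dataclass
class Finding:
    resource: str
    rotation_period: Optional[str]
    reason: str


def parse_rotation_seconds(value: str) -> float:
    """Parse a Cloud KMS duration such as "7776000s" (up to nine fractional digits) into seconds."""
    m = re.fullmatch(r"(\d+(?:\.\d{1,9})?)s", value.strip())
    if not m:
        raise ValueError(f"not a KMS duration: {value!r}")
    return float(m.group(1))


def check_crypto_keys(hcl_text: str) -> list[Finding]:
    """Return one Finding per google_kms_crypto_key that never rotates or rotates too slowly."""
    findings: list[Finding] = []
    for res in _RESOURCE_RE.finditer(hcl_text):
        name, body = res.group("name"), res.group("body")
        purpose = _PURPOSE_RE.search(body)
        # purpose defaults to ENCRYPT_DECRYPT; only symmetric keys support automatic
        # rotation in Cloud KMS, so other purposes are out of scope for this rule.
        if purpose and purpose.group("val") != "ENCRYPT_DECRYPT":
            continue
        rot = _ROTATION_RE.search(body)
        if rot is None:
            findings.append(Finding(name, None, "no rotation_period set: key never rotates automatically"))
            continue
        raw = rot.group("val")
        try:
            secs = parse_rotation_seconds(raw)
        except ValueError as exc:
            findings.append(Finding(name, raw, str(exc)))
            continue
        if secs < MIN_ROTATION_SECONDS:
            findings.append(Finding(name, raw, f"rotation_period below the {MIN_ROTATION_SECONDS}s minimum Cloud KMS accepts"))
        elif secs > MAX_ROTATION_SECONDS:
            findings.append(Finding(name, raw, f"rotation_period {secs:.0f}s exceeds {MAX_ROTATION_SECONDS}s (90 days)"))
    return findings


# Constructed sample: the page's two examples plus a key with no rotation configured.
SAMPLE_HCL = '''
resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

resource "google_kms_crypto_key" "yearly-key" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "31536000s" # 1 year

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_kms_crypto_key" "quarterly-key" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "7776000s" # 90 days in seconds
}

resource "google_kms_crypto_key" "never-rotated" {
  name     = "crypto-key-static"
  key_ring = google_kms_key_ring.keyring.id
}
'''

if __name__ == "__main__":
    for f in check_crypto_keys(SAMPLE_HCL):
        print(f"{f.resource}: {f.reason}")
```

Run against SAMPLE_HCL the check reports yearly-key (one-year period) and never-rotated (no period at all) and stays silent on quarterly-key. Treating a missing rotation_period as a finding is deliberate: the provider does not default it, so an omitted attribute means the key will never rotate.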

More information