
Key Rotation Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: KMS-002

Ensure that all your Amazon KMS Customer Managed Keys (CMKs) are automatically rotated every year. The Key Rotation feature enables automatic rotation of the backing key material of a customer managed key: the first rotation happens one year (365 days) after the feature is enabled and the key is rotated every year thereafter, while the key ID, ARN, key policy, grants and aliases stay the same, and previous key material is retained so that older ciphertext still decrypts. The feature is available only for symmetric encryption keys whose key material was generated by Amazon KMS (origin AWS_KMS). Asymmetric KMS keys, HMAC keys, keys with imported key material and keys in custom key stores are not eligible for automatic key rotation. Amazon KMS also supports a custom rotation period (90 to 2560 days) and on-demand rotation; this rule checks that automatic rotation is turned on.

This rule can help you with the following compliance standards:

  • CISAWSF
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

AWS cloud best practices discourage using the same cryptographic key material indefinitely. Enabling automatic rotation on a Customer Managed Key (CMK) makes Amazon KMS generate fresh backing key material for the key every year: new Encrypt and GenerateDataKey calls use the newest material, while KMS keeps every previous generation so that ciphertext produced earlier can still be decrypted under the same key ID. Rotation therefore bounds how much data any single generation of key material protects, which limits the damage if that material were ever compromised. Keep two limits in mind: rotation does not re-encrypt existing ciphertext (use kms:ReEncrypt or your own re-encryption job for that), and it does nothing against a compromised key policy or IAM principal, which can still call Decrypt against every generation.

This rule applies to symmetric KMS Customer Managed Keys (CMKs) only.
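The rotation semantics described above, as an added example that is not part of the original page and is not how KMS is implemented: one logical key ID fronts several generations of backing key material, encryption always uses the current generation, and decryption looks up the generation recorded in the ciphertext. KMS does this with AES-GCM inside HSMs; here an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for it. The class and method names, the blob layout and the `demo()` walk-through are constructed for this example.

```python
"""Model of KMS automatic rotation: a fixed key ID, rotating backing material.

Stand-in cipher only (HMAC-SHA256 in counter mode + encrypt-then-MAC); the
real service uses AES-GCM with key material that never leaves its HSMs.
"""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
HDR_LEN = 4 + NONCE_LEN   # 4-byte generation number followed by the nonce
TAG_LEN = 32


def _keystream(material: bytes, nonce: bytes, length: int) -> bytes:
    # PRF-based counter mode: block_i = HMAC-SHA256(material, nonce || i)
    blocks, i = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(material, nonce + struct.pack(">I", i), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]


class ModelKmsKey:
    """One logical key (fixed key ID) whose backing key material rotates."""

    def __init__(self, key_id: str):
        self.key_id = key_id
        self._materials = {}            # generation number -> 32-byte backing key
        self.current_generation = 0
        self.rotate()

    def rotate(self) -> int:
        """Create a new generation; older generations stay usable for decrypt only."""
        self.current_generation += 1
        self._materials[self.current_generation] = secrets.token_bytes(32)
        return self.current_generation

    def encrypt(self, plaintext: bytes) -> bytes:
        gen = self.current_generation
        nonce = secrets.token_bytes(NONCE_LEN)
        header = struct.pack(">I", gen) + nonce     # generation travels inside the blob
        ks = _keystream(self._materials[gen], nonce, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(self._materials[gen], header + body, hashlib.sha256).digest()
        return header + body + tag

    @staticmethod
    def generation_of(blob: bytes) -> int:
        return struct.unpack(">I", blob[:4])[0]

    def is_authentic(self, blob: bytes) -> bool:
        """True when the blob's tag verifies under the generation it names."""
        if len(blob) < HDR_LEN + TAG_LEN:
            return False
        material = self._materials.get(self.generation_of(blob))
        if material is None:
            return False
        expected = hmac.new(material, blob[:-TAG_LEN], hashlib.sha256).digest()
        return hmac.compare_digest(blob[-TAG_LEN:], expected)

    def decrypt(self, blob: bytes) -> bytes:
        if not self.is_authentic(blob):
            raise ValueError("unknown key generation or integrity check failed")
        material = self._materials[self.generation_of(blob)]
        nonce, body = blob[4:HDR_LEN], blob[HDR_LEN:-TAG_LEN]
        return bytes(c ^ k for c, k in zip(body, _keystream(material, nonce, len(body))))

    def re_encrypt(self, blob: bytes) -> bytes:
        """What kms:ReEncrypt does: move a ciphertext onto the current generation."""
        return self.encrypt(self.decrypt(blob))


def demo() -> dict:
    """One yearly rotation and what it does (and does not do) to existing data."""
    key = ModelKmsKey("alias/ProdCMK")
    before = key.encrypt(b"customer record")
    key.rotate()                          # the automatic yearly rotation
    after = key.encrypt(b"customer record")
    moved = key.re_encrypt(before)        # explicit re-encryption job
    return {
        "old_ciphertext_still_decrypts": key.decrypt(before) == b"customer record",
        "old_ciphertext_generation": key.generation_of(before),
        "new_ciphertext_generation": key.generation_of(after),
        "re_encrypted_generation": key.generation_of(moved),
        "generations_retained": len(key._materials),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the walk-through makes is that after rotation the old blob still decrypts and still sits on generation 1; only data encrypted (or re-encrypted) afterwards benefits from the new material.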


Audit

To determine if the Key Rotation feature is enabled for your Amazon KMS Customer Managed Keys (CMKs), perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon KMS console available at https://console.aws.amazon.com/kms/.

03 In the main navigation panel, under Key Management Service (KMS), choose Customer managed keys.

04 Click inside the Filter keys by properties or tags box, select Key type, choose = (equals) from Operators, and select Symmetric to show only the symmetric KMS keys available within the current AWS region.

05 Click on the name (alias) of the symmetric Customer Managed Key (CMK) that you want to examine.

06 Select the Key rotation tab and verify the Automatically rotate this KMS key every year configuration checkbox. If the configuration checkbox is not selected, your Amazon KMS Customer Managed Key (CMK) is not automatically rotated every year.

07 Repeat steps no. 5 and 6 for each symmetric Customer Managed Key (CMK) created within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

01 Run list-keys command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon KMS key available in the selected AWS region:

aws kms list-keys \
  --region us-east-1 \
  --output table \
  --query 'Keys[*].KeyId'

02 The command output should return a table with the requested KMS key ID(s):

------------------------------------------
|                ListKeys                |
+----------------------------------------+
|  aaaabbbb-aaaa-bbbb-cccc-123456789012  |
|  bbbbcccc-bbbb-cccc-dddd-123456789012  |
|  aaaadddd-cccc-dddd-aaaa-123456789012  |
|  ddddaaaa-bbbb-cccc-dddd-123456789012  |
+----------------------------------------+

03 Run describe-key command (OSX/Linux/UNIX) using the ID of the Amazon KMS key that you want to examine as the identifier parameter and custom query filters to describe the key manager (AWS or customer), the key type (symmetric or asymmetric) and the origin of the key material configured for the selected key:

aws kms describe-key \
  --region us-east-1 \
  --key-id aaaabbbb-aaaa-bbbb-cccc-123456789012 \
  --query 'KeyMetadata.{"KeyManager": KeyManager, "KeySpec": KeySpec, "Origin": Origin}'

04 The command output should return the requested configuration information. If the command output returns "CUSTOMER" for "KeyManager", "SYMMETRIC_DEFAULT" for "KeySpec" and "AWS_KMS" for "Origin", as shown in the example below, the selected KMS key is a symmetric Customer Managed Key (CMK) with KMS-generated key material, therefore you can continue the Audit process with the next step. Keys with any other "KeySpec" or "Origin" (for example "EXTERNAL" for imported key material or "AWS_CLOUDHSM" for a custom key store) cannot be rotated automatically and are out of scope for this rule:

{
	"KeyManager": "CUSTOMER",
	"KeySpec": "SYMMETRIC_DEFAULT",
	"Origin": "AWS_KMS"
}

05 Run get-key-rotation-status command (OSX/Linux/UNIX) using the ID of the symmetric Customer Managed Key that you want to examine as the identifier parameter, to determine whether automatic rotation of the key material is enabled for the selected KMS key:

aws kms get-key-rotation-status \
  --region us-east-1 \
  --key-id aaaabbbb-aaaa-bbbb-cccc-123456789012 \
  --query 'KeyRotationEnabled'

06 The command output should return the Key Rotation feature status (true for enabled, false for disabled):

false

If the get-key-rotation-status command output returns false, as shown in the example above, the selected Amazon KMS Customer Managed Key (CMK) is not automatically rotated every year. Note that get-key-rotation-status also reports false for keys that cannot be rotated at all (asymmetric, HMAC, imported key material or custom key store keys), which is why step no. 4 filters those keys out before this check.

07 Repeat steps no. 3 to 6 for each Amazon KMS key available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable automatic rotation for your Amazon KMS Customer Managed Keys (CMKs), perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Automatic Key Rotation for Symmetric Customer Managed Keys",
	"Resources": {
		"AWSCMK": {
			"Type": "AWS::KMS::Key",
			"Properties": {
				"Enabled": true,
				"KeySpec": "SYMMETRIC_DEFAULT",
				"KeyUsage": "ENCRYPT_DECRYPT",
				"Description": "Symmetric KMS Customer Managed Key",
				"PendingWindowInDays": 30,
				"EnableKeyRotation": true,
				"KeyPolicy": {
					"Version": "2012-10-17",
					"Id": "key-consolepolicy-7",
					"Statement": [
						{
							"Sid": "Enable IAM User Permissions",
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:root"
							},
							"Action": "kms:*",
							"Resource": "*"
						},
						{
							"Sid": "Allow access for Key Administrators",
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:user/key-admin"
							},
							"Action": [
								"kms:Create*",
								"kms:Describe*",
								"kms:Enable*",
								"kms:List*",
								"kms:Put*",
								"kms:Update*",
								"kms:Revoke*",
								"kms:Disable*",
								"kms:Get*",
								"kms:Delete*",
								"kms:TagResource",
								"kms:UntagResource",
								"kms:ScheduleKeyDeletion",
								"kms:CancelKeyDeletion"
							],
							"Resource": "*"
						},
						{
							"Sid": "Allow use of the key",
							"Effect": "Allow",
							"Principal": {
								"AWS": [
									"arn:aws:iam::123456789012:user/resource-manager"
								]
							},
							"Action": [
								"kms:Encrypt",
								"kms:Decrypt",
								"kms:ReEncrypt*",
								"kms:GenerateDataKey*",
								"kms:DescribeKey"
							],
							"Resource": "*"
						},
						{
							"Sid": "Allow attachment of persistent resources",
							"Effect": "Allow",
							"Principal": {
								"AWS": [
									"arn:aws:iam::123456789012:user/resource-manager"
								]
							},
							"Action": [
								"kms:CreateGrant",
								"kms:ListGrants",
								"kms:RevokeGrant"
							],
							"Resource": "*"
						}
					]
				}
			}
		},
		"AWSCMKAlias": {
			"Type": "AWS::KMS::Alias",
			"Properties": {
				"AliasName": "alias/ProdCMK",
				"TargetKeyId": {
					"Ref": "AWSCMK"
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Automatic Key Rotation for Symmetric Customer Managed Keys
Resources:
  AWSCMK:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      KeySpec: SYMMETRIC_DEFAULT
      KeyUsage: ENCRYPT_DECRYPT
      Description: Symmetric KMS Customer Managed Key
      PendingWindowInDays: 30
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-consolepolicy-7
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:root
            Action: kms:*
            Resource: '*'
          - Sid: Allow access for Key Administrators
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/key-admin
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:TagResource
              - kms:UntagResource
              - kms:ScheduleKeyDeletion
              - kms:CancelKeyDeletion
            Resource: '*'
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::123456789012:user/resource-manager
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: '*'
          - Sid: Allow attachment of persistent resources
            Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::123456789012:user/resource-manager
            Action:
              - kms:CreateGrant
              - kms:ListGrants
              - kms:RevokeGrant
            Resource: '*'
  AWSCMKAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/ProdCMK
      TargetKeyId: !Ref AWSCMK

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

# Enable Automatic Key Rotation
resource "aws_kms_key" "kms-cmk-key" {
  is_enabled               = true
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  key_usage                = "ENCRYPT_DECRYPT"
  description              = "Symmetric KMS Customer Managed Key"
  enable_key_rotation      = true

  # Key policy rendered with jsonencode() so it stays native HCL and does
  # not depend on heredoc indentation
  policy = jsonencode({
    Id      = "key-consolepolicy-7"
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "Enable IAM User Permissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::123456789012:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "Allow access for Key Administrators"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::123456789012:user/key-admin" }
        Action = [
          "kms:Create*",
          "kms:Describe*",
          "kms:Enable*",
          "kms:List*",
          "kms:Put*",
          "kms:Update*",
          "kms:Revoke*",
          "kms:Disable*",
          "kms:Get*",
          "kms:Delete*",
          "kms:TagResource",
          "kms:UntagResource",
          "kms:ScheduleKeyDeletion",
          "kms:CancelKeyDeletion"
        ]
        Resource = "*"
      },
      {
        Sid       = "Allow use of the key"
        Effect    = "Allow"
        Principal = { AWS = ["arn:aws:iam::123456789012:user/resource-manager"] }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ]
        Resource = "*"
      },
      {
        Sid       = "Allow attachment of persistent resources"
        Effect    = "Allow"
        Principal = { AWS = ["arn:aws:iam::123456789012:user/resource-manager"] }
        Action = [
          "kms:CreateGrant",
          "kms:ListGrants",
          "kms:RevokeGrant"
        ]
        Resource = "*"
      }
    ]
  })
}

resource "aws_kms_alias" "cmk-key-alias" {
  target_key_id = aws_kms_key.kms-cmk-key.key_id
  name          = "alias/ProdCMK"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon KMS console available at https://console.aws.amazon.com/kms/.

03 In the main navigation panel, under Key Management Service (KMS), choose Customer managed keys.

04 Click inside the Filter keys by properties or tags box, select Key type, choose = (equals) from Operators, and select Symmetric to show only the symmetric KMS keys available within the current AWS region.

05 Click on the name (alias) of the symmetric Customer Managed Key (CMK) that you want to configure.

06 Choose the Key rotation tab, select the Automatically rotate this KMS key every year setting checkbox, then choose Save to apply the configuration changes.

07 Repeat steps no. 5 and 6 for each symmetric Customer Managed Key (CMK) that you want to configure, created within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run enable-key-rotation command (OSX/Linux/UNIX) using the ID of the symmetric KMS Customer Managed Key (CMK) that you want to configure as the identifier parameter, to enable automatic rotation of the key material for the KMS key. If the command request is successful, the enable-key-rotation command does not produce an output. The command fails with an UnsupportedOperationException for keys that cannot be rotated (asymmetric, HMAC, imported key material or custom key store keys) and cannot be run against a multi-Region replica key, whose rotation is managed by the primary key. Newer CLI versions also accept --rotation-period-in-days to set a period other than the default 365 days:

aws kms enable-key-rotation \
  --region us-east-1 \
  --key-id aaaabbbb-aaaa-bbbb-cccc-123456789012

02 Repeat step no. 1 for each symmetric Customer Managed Key (CMK) that you want to configure, available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
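The Audit and Remediation CLI procedures above, combined into one script as an added example (not part of the original page and not Conformity's own tooling). It drives the same four AWS CLI commands, classifies each key before calling get-key-rotation-status (which reports false for every key that cannot be rotated, so an unfiltered check would flag asymmetric, HMAC, imported and custom key store keys as failures), and with --fix runs enable-key-rotation on the keys that fail. It assumes the aws binary is on PATH with credentials allowed to call kms:ListKeys, kms:DescribeKey, kms:GetKeyRotationStatus and, for --fix, kms:EnableKeyRotation; the function names, verdict strings and the sample describe-key responses are constructed for this example (the key IDs are the placeholders used on this page).

```python
"""Audit (and optionally remediate) automatic key rotation for every KMS key
in a region by driving the AWS CLI.  With no arguments it evaluates the
constructed sample responses below, so the decision logic runs offline.

Usage: python kms_rotation_audit.py [REGION] [--fix]
"""
import json
import subprocess
import sys


def out_of_scope_reason(meta: dict) -> str:
    """Return why KMS-002 does not apply to a key, or '' when it does.

    Automatic rotation exists only for symmetric encryption keys whose key
    material KMS generated.  get-key-rotation-status reports false for every
    other key, so those must be filtered out before that call.
    """
    if meta.get("KeyManager") != "CUSTOMER":
        return "AWS managed key (rotation handled by AWS)"
    if meta.get("KeySpec") != "SYMMETRIC_DEFAULT":
        return f"key spec {meta.get('KeySpec')} cannot be rotated automatically"
    if meta.get("Origin") != "AWS_KMS":
        return f"key material origin {meta.get('Origin')} cannot be rotated automatically"
    if meta.get("MultiRegionConfiguration", {}).get("MultiRegionKeyType") == "REPLICA":
        return "replica key: rotation is configured on the primary key"
    if meta.get("KeyState") in ("PendingDeletion", "PendingReplicaDeletion"):
        return f"key is {meta['KeyState']}"
    return ""


def evaluate(meta: dict, rotation: dict) -> tuple:
    """Map describe-key and get-key-rotation-status output to a verdict."""
    reason = out_of_scope_reason(meta)
    if reason:
        return "NOT_APPLICABLE", reason
    if rotation.get("KeyRotationEnabled") is True:
        return "COMPLIANT", "automatic rotation enabled"
    return "NON_COMPLIANT", "automatic rotation disabled"


def aws(*args) -> dict:
    """Run one AWS CLI command and parse its JSON output ({} when it prints nothing)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def audit_region(region: str, fix: bool = False) -> list:
    """Audit steps 1 to 7 for one region, plus enable-key-rotation when fix=True."""
    findings = []
    for key in aws("kms", "list-keys", "--region", region)["Keys"]:
        key_id = key["KeyId"]
        meta = aws("kms", "describe-key", "--region", region, "--key-id", key_id)["KeyMetadata"]
        rotation = {}
        if not out_of_scope_reason(meta):
            rotation = aws("kms", "get-key-rotation-status", "--region", region, "--key-id", key_id)
        verdict, reason = evaluate(meta, rotation)
        if verdict == "NON_COMPLIANT" and fix:
            aws("kms", "enable-key-rotation", "--region", region, "--key-id", key_id)
            verdict, reason = "REMEDIATED", "enable-key-rotation applied"
        findings.append((key_id, verdict, reason))
    return findings


# Constructed sample responses (placeholder IDs from this page, not real keys).
SAMPLE_KEYS = {
    "aaaabbbb-aaaa-bbbb-cccc-123456789012": (
        {"KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyState": "Enabled"},
        {"KeyRotationEnabled": False}),
    "bbbbcccc-bbbb-cccc-dddd-123456789012": (
        {"KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyState": "Enabled"},
        {"KeyRotationEnabled": True}),
    "aaaadddd-cccc-dddd-aaaa-123456789012": (
        {"KeyManager": "CUSTOMER", "KeySpec": "RSA_2048", "Origin": "AWS_KMS", "KeyState": "Enabled"},
        {"KeyRotationEnabled": False}),
    "ddddaaaa-bbbb-cccc-dddd-123456789012": (
        {"KeyManager": "AWS", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyState": "Enabled"},
        {"KeyRotationEnabled": True}),
}


def audit_samples() -> dict:
    """Evaluate the constructed samples (offline run)."""
    return {key_id: evaluate(meta, rot) for key_id, (meta, rot) in SAMPLE_KEYS.items()}


def main(argv: list) -> int:
    positional = [a for a in argv if not a.startswith("--")]
    if positional:
        findings = audit_region(positional[0], fix="--fix" in argv)
    else:
        findings = [(k, v, r) for k, (v, r) in audit_samples().items()]
    for key_id, verdict, reason in findings:
        print(f"{key_id}  {verdict:<14} {reason}")
    return 1 if any(v == "NON_COMPLIANT" for _, v, _ in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it once per region (step no. 8 of both procedures); the non-zero exit status on any NON_COMPLIANT key makes it usable as a gate in a pipeline.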

Publication date Apr 6, 2016