AWS Config Rule: CMK Backing Key Rotation Enabled

CMK_BACKING_KEY_ROTATION_ENABLED

Ryan Ware

Last Update 2 months ago

Description: Checks whether key rotation is enabled for each customer-created customer master key (CMK), matching on the key ID. The rule is COMPLIANT if key rotation is enabled for the key. The rule is not applicable to CMKs that have imported key material.


Note: This rule only evaluates symmetric AWS KMS keys and ignores asymmetric AWS KMS keys.


Trigger type: Periodic


AWS Region: All supported AWS regions except Middle East (UAE), Europe (Spain) Region


How to Resolve Manually 

To resolve this manually, head to your AWS KMS Dashboard and view your Customer Managed Keys from the left hand side panel.


From here, you can list more details about your CMKs.


Select the "Key Rotation" tab; from here you can verify whether Key Rotation is enabled. Enabling it causes AWS to generate new cryptographic material for the KMS key every year. For more information on how this works and what changes during rotation, view the AWS Documentation.


How to Resolve with StackZone

You can resolve this with StackZone by enabling the remediation, which will automatically enable rotation for your CMKs.


To do this, head over to config-rules -> kms -> remediation and enable the remediation by setting cmk-key-rotation-remediation = true.
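The manual check and the automatic remediation above, as an added example that is neither AWS's rule code nor StackZone's remediation: the evaluation logic mirrors the rule's scope (customer-managed, symmetric keys only; imported key material not applicable), and the remediation enables rotation on every non-compliant key. It assumes a boto3 KMS client; the scoping on KeySpec, KeyManager and KeyState is our reading of the rule, not text from the page.

```python
"""Evaluate KMS key rotation like CMK_BACKING_KEY_ROTATION_ENABLED and remediate.

Pure evaluation logic is kept apart from the AWS calls so it runs offline.
"""


def in_scope(metadata: dict) -> bool:
    """Return True if the rule applies to this key's DescribeKey metadata.

    Assumptions (not stated verbatim on the page): only customer-managed,
    symmetric encryption keys (KeySpec SYMMETRIC_DEFAULT) are evaluated;
    imported key material (Origin EXTERNAL) is out of scope, as the page says.
    """
    if metadata.get("KeyManager") != "CUSTOMER":
        return False  # AWS-managed keys are rotated by AWS itself
    if metadata.get("Origin") == "EXTERNAL":
        return False  # imported key material: rule does not apply
    return metadata.get("KeySpec") == "SYMMETRIC_DEFAULT"  # asymmetric/HMAC ignored


def evaluate(metadata: dict, rotation_enabled: bool) -> str:
    """Map one key to the rule's verdict: NOT_APPLICABLE, COMPLIANT or NON_COMPLIANT."""
    if not in_scope(metadata):
        return "NOT_APPLICABLE"
    return "COMPLIANT" if rotation_enabled else "NON_COMPLIANT"


def remediate_account(kms) -> dict:
    """Enable rotation on every NON_COMPLIANT key in the account/region.

    `kms` is a boto3 KMS client (or any object with the same methods).
    Returns {key_id: verdict}, with "REMEDIATED" where rotation was just enabled.
    """
    results = {}
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            key_id = meta["KeyId"]
            # GetKeyRotationStatus is unsupported on asymmetric keys and
            # EnableKeyRotation fails on disabled/pending-deletion keys, so
            # check scope and state before calling either.
            if not in_scope(meta) or meta.get("KeyState") != "Enabled":
                results[key_id] = "NOT_APPLICABLE"
                continue
            enabled = kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]
            verdict = evaluate(meta, enabled)
            if verdict == "NON_COMPLIANT":
                kms.enable_key_rotation(KeyId=key_id)  # yearly rotation, as described above
                verdict = "REMEDIATED"
            results[key_id] = verdict
    return results


if __name__ == "__main__":
    import boto3  # only needed for a live run against an account

    for kid, verdict in remediate_account(boto3.client("kms")).items():
        print(f"{kid}: {verdict}")
```

Run it with credentials that hold kms:ListKeys, kms:DescribeKey, kms:GetKeyRotationStatus and kms:EnableKeyRotation; it reports NOT_APPLICABLE for keys the rule would skip rather than failing on them.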


Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here
