AWS Config Rule: CMK Backing Key Rotation Enabled

CMK_BACKING_KEY_ROTATION_ENABLED

Ryan Ware

Last Update hace 2 meses

Description: Checks if key rotation is enabled for each key and matches to the key ID of the customer created customer master key (CMK). The rule is COMPLIANT, if the key rotation is enabled for specific key object. The rule is not applicable to CMKs that have imported key material.


Note: This rule only evaluates symmetric AWS KMS; keys and ignores asymmetric AWS KMS keys.


Trigger type: Periodic


AWS Region: All supported AWS regions


How to Resolve Manually 

To resolve this manually, head to your AWS KMS Dashboard and view your Customer Managed Keys from the left hand side panel.


From here, you can list more details about your CMK's.


Select the "Key Rotation" tab and from here, you are able to verify if Key Rotation is enabled or not. You can enable this which will then trigger AWS to generate new cryptographic material for the KMS key every year. For more information on how this works and what changes within the rotation, view the AWS Documentation.


How to Resolve with StackZone

You can resolve this with StackZone by enabling the remediation which will automatically enable rotation for your CMK keys


To do this, head on over to the config-rules -> kms -> remediation and enable the remediation by setting cmk-key-rotation-remediation = true


Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here

Was this article helpful?

0 out of 0 liked this article

Still need help? Message Us