Risk Level: Low
Cloud Entity: AWS Key Management Service (KMS)
CloudGuard Rule ID: D9.AWS.LOG.09
Category: Security, Identity, & Compliance
KMS where isCustomerManaged=true and deletionDate<=0 and isSymmetricKey=true should have rotationStatus=true
1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose Customer managed keys.
4. Choose the alias or key ID of a KMS key.
5. Choose the Key rotation tab.
6. Select the 'Automatically rotate this KMS key every year' check box.
From Command Line
aws kms enable-key-rotation --key-id MY_KEY_ID
Attribute: EnableKeyRotation should be set to true
Type: AWS::KMS::Key
Properties:
  ...
  EnableKeyRotation: true
  ...
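The console and CLI steps above fix one key at a time. The script below, added here as an example and not CloudGuard's or AWS's own code, applies the rule's filter (customer-managed, symmetric, not pending deletion) across an account the way the GSL expression does, reports keys whose rotation status is false, and optionally runs the same EnableKeyRotation call as `aws kms enable-key-rotation`. It assumes the boto3 KMS client call names `list_keys`, `describe_key`, `get_key_rotation_status` and `enable_key_rotation`; the `FakeKMS` client and the `SAMPLE_KEYS` inventory are constructed stand-ins so it runs offline, and the mapping of the rule's attributes onto `KeyMetadata` fields is this example's interpretation. One caveat a practitioner hits in practice is also handled: KMS refuses to enable rotation on keys with imported key material or keys in a custom key store, so such keys match the rule but cannot be remediated with this command and are reported separately.

```python
"""Audit KMS keys for automatic rotation and remediate where it is missing.

Added example, not CloudGuard's or AWS's code. `kms` is any object exposing the
boto3 KMS calls list_keys / describe_key / get_key_rotation_status /
enable_key_rotation; FakeKMS and SAMPLE_KEYS are constructed stand-ins.
"""


def is_in_scope(meta):
    """The rule's filter applied to DescribeKey metadata (this example's mapping)."""
    return (
        meta.get("KeyManager") == "CUSTOMER"            # isCustomerManaged=true
        and meta.get("KeyState") != "PendingDeletion"   # deletionDate<=0
        and "DeletionDate" not in meta
        and meta.get("KeySpec") == "SYMMETRIC_DEFAULT"  # isSymmetricKey=true
    )


def rotation_supported(meta):
    """KMS rejects EnableKeyRotation for imported material (Origin EXTERNAL)
    and for keys in custom key stores; only Origin AWS_KMS keys can be fixed."""
    return meta.get("Origin") == "AWS_KMS"


def list_all_key_ids(kms):
    """Follow ListKeys pagination (Truncated / NextMarker) to the end."""
    ids, marker = [], None
    while True:
        page = kms.list_keys(**({"Marker": marker} if marker else {}))
        ids.extend(k["KeyId"] for k in page["Keys"])
        if not page.get("Truncated"):
            return ids
        marker = page["NextMarker"]


def audit(kms, remediate=False):
    """Return (non_compliant, unsupported, fixed): keys violating the rule,
    in-scope keys rotation cannot be enabled on, and keys fixed in this run."""
    non_compliant, unsupported, fixed = [], [], []
    for key_id in list_all_key_ids(kms):
        meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        if not is_in_scope(meta):
            continue
        if kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]:
            continue                                     # already compliant
        if not rotation_supported(meta):
            unsupported.append(key_id)
            continue
        non_compliant.append(key_id)
        if remediate:
            kms.enable_key_rotation(KeyId=key_id)        # aws kms enable-key-rotation
            fixed.append(key_id)
    return non_compliant, unsupported, fixed


# Constructed sample inventory (invented key IDs), two keys per ListKeys page.
SAMPLE_KEYS = [
    {"KeyId": "k-aws-managed", "KeyManager": "AWS", "KeyState": "Enabled",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"},
    {"KeyId": "k-rotated", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"},
    {"KeyId": "k-unrotated", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"},
    {"KeyId": "k-pending", "KeyManager": "CUSTOMER", "KeyState": "PendingDeletion",
     "DeletionDate": "2024-01-01T00:00:00Z",   # boto3 returns a datetime here
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"},
    {"KeyId": "k-rsa", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "KeySpec": "RSA_2048", "Origin": "AWS_KMS"},
    {"KeyId": "k-imported", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "EXTERNAL"},
]
SAMPLE_ROTATION = {"k-rotated": True}   # every other key reports False


class FakeKMS:
    """Offline stand-in for boto3.client('kms') with the four calls audit() uses."""

    def __init__(self, keys=SAMPLE_KEYS, rotation=SAMPLE_ROTATION, page_size=2):
        self._keys = {k["KeyId"]: dict(k) for k in keys}
        self._rotation = dict(rotation)
        self._page = page_size

    def list_keys(self, Marker=None):
        ids = sorted(self._keys)
        start = ids.index(Marker) if Marker else 0
        end = start + self._page
        out = {"Keys": [{"KeyId": i} for i in ids[start:end]],
               "Truncated": end < len(ids)}
        if out["Truncated"]:
            out["NextMarker"] = ids[end]
        return out

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self._keys[KeyId])}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self._rotation.get(KeyId, False)}

    def enable_key_rotation(self, KeyId):
        meta = self._keys[KeyId]
        if meta["Origin"] != "AWS_KMS" or meta["KeySpec"] != "SYMMETRIC_DEFAULT":
            raise RuntimeError("UnsupportedOperationException")  # as the real API does
        self._rotation[KeyId] = True


if __name__ == "__main__":
    client = FakeKMS()
    print("report   :", audit(client))
    print("remediate:", audit(client, remediate=True))
    print("re-check :", audit(client))
```

Against a real account, replace `FakeKMS()` with `boto3.client("kms")` and run once without `remediate` to review the report first; after remediation, `aws kms get-key-rotation-status --key-id MY_KEY_ID` confirms `KeyRotationEnabled` is true for each key, which is also what the re-check pass above does.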
- CIS Amazon Web Services Foundations Benchmark v1.3.0 https://workbench.cisecurity.org/benchmarks/679
AWS Key Management Service (KMS) is a managed service for creating and controlling the encryption keys used to encrypt your data; it protects those keys with FIPS 140-2 validated hardware security modules. AWS KMS is integrated with most other AWS services to help you protect the data you store with them, and with AWS CloudTrail, which logs all key usage to help meet regulatory and compliance needs.
- AWS CIS Foundations v. 1.1.0
- AWS CIS Foundations v. 1.2.0
- AWS CIS Foundations v. 1.3.0
- AWS CIS Foundations v. 1.4.0
- AWS CIS Foundations v. 1.5.0
- AWS CSA CCM v.3.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard CheckUp
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS GDPR Readiness
- AWS HIPAA
- AWS HITRUST
- AWS ISO 27001:2013
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
Updated 6 months ago