Ensure rotation for customer created CMKs is enabled

AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.

Risk Level: Low
Cloud Entity: AWS Key Management Service (KMS)
CloudGuard Rule ID: D9.AWS.LOG.09
Category: Security, Identity, & Compliance


KMS where isCustomerManaged=true and deletionDate<=0 and isSymmetricKey=true should have rotationStatus=true


From console
1.Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2.To change the AWS Region, use the Region selector in the upper-right corner of the page.
3.In the navigation pane, choose Customer managed keys.
4.Choose the alias or key ID of a KMS key.
5.Choose the Key rotation tab.
6.Select the 'Automatically rotate this KMS key every year' check box.

From Command Line

aws kms enable-key-rotation --key-id MY_KEY_ID

From CFT

Attribute: EnableKeyRotation should be set to true

Type: AWS::KMS::Key
EnableKeyRotation: true


  1. CIS Amazon Web Services Foundations Benchmark v1.3.0 https://workbench.cisecurity.org/benchmarks/679
  2. enable-key-rotation;

AWS Key Management Service (KMS)

AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses FIPS 140-2 validated hardware security modules to protect the security of your keys. AWS Key Management Service is integrated with most other AWS services to help you protect the data you store with these services. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.

Compliance Frameworks

  • AWS CIS Foundations v. 1.1.0
  • AWS CIS Foundations v. 1.2.0
  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CSA CCM v.3.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS ISO 27001:2013
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2