KMS Key Does Not Have Key Rotation Enabled

Overview

Automatic key rotation is a best practice, and enabling it may help you satisfy compliance requirements (such as PCI DSS).

The AWS Developer Guide explains this feature:

When you enable automatic key rotation for a customer managed key, AWS KMS generates new cryptographic material for the KMS key every year. AWS KMS also saves the KMS key's older cryptographic material in perpetuity so it can be used to decrypt data that the KMS key encrypted. AWS KMS does not delete any rotated key material until you delete the KMS key.

Automatic key rotation is transparent to the services and applications that use the key (they keep referring to the same key ID and ARN), and the cost of storing the rotated key material is very low ($1 / month), so there are few reasons not to enable it in a professional environment.
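The check this rule performs, written out as an added example (it is not part of the rule page or of any vendor tool): walk every KMS key in a region, skip the keys on which automatic rotation cannot be configured at all, and report customer managed symmetric keys that have it turned off. The boto3 calls used (the list_keys paginator, describe_key, get_key_rotation_status, enable_key_rotation) are the real KMS API names; the FakeKms client and its key inventory are constructed so the script runs offline. The applicability filter goes beyond the one-line rule statement: AWS managed keys are rotated by AWS and cannot be changed, asymmetric and HMAC keys do not support rotation, imported (EXTERNAL) or CloudHSM-backed material cannot be auto-rotated, and for multi-Region keys rotation is configured on the primary key only.

```python
"""Audit AWS KMS keys for automatic rotation and remediate the findings.

Added example; not part of the rule page or any vendor tool. Pass a real
boto3 client (boto3.client("kms")) to audit an account, or the constructed
FakeKms below to run offline.
"""
from dataclasses import dataclass

PASS, FAIL, NA = "PASS", "FAIL", "NOT_APPLICABLE"


@dataclass
class KeyRecord:
    key_id: str
    key_manager: str        # "CUSTOMER" or "AWS"
    key_spec: str           # "SYMMETRIC_DEFAULT", "RSA_2048", "HMAC_256", ...
    origin: str             # "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
    key_state: str          # "Enabled", "Disabled", "PendingDeletion", ...
    multi_region_type: str  # "PRIMARY", "REPLICA", or "" for single-Region keys
    rotation_enabled: bool


def rotation_applicable(key: KeyRecord) -> bool:
    """Automatic rotation can only be configured on customer managed, symmetric
    encryption keys whose material was generated by KMS, that are not pending
    deletion, and (for multi-Region keys) only on the primary key."""
    return (
        key.key_manager == "CUSTOMER"
        and key.key_spec == "SYMMETRIC_DEFAULT"
        and key.origin == "AWS_KMS"
        and key.key_state != "PendingDeletion"
        and key.multi_region_type != "REPLICA"
    )


def evaluate(key: KeyRecord) -> str:
    """Rule verdict for one key: the finding fires only where rotation could be on."""
    if not rotation_applicable(key):
        return NA
    return PASS if key.rotation_enabled else FAIL


def collect_keys(kms) -> list:
    """Build a KeyRecord for every key visible to the client, querying rotation
    status only where it is meaningful."""
    records = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            md = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            rec = KeyRecord(
                key_id=md["KeyId"],
                key_manager=md["KeyManager"],
                key_spec=md.get("KeySpec", "SYMMETRIC_DEFAULT"),
                origin=md["Origin"],
                key_state=md["KeyState"],
                multi_region_type=md.get("MultiRegionConfiguration", {}).get("MultiRegionKeyType", ""),
                rotation_enabled=False,
            )
            if rotation_applicable(rec):
                rec.rotation_enabled = kms.get_key_rotation_status(KeyId=rec.key_id)["KeyRotationEnabled"]
            records.append(rec)
    return records


def failing_key_ids(kms) -> list:
    """Key IDs that trigger this rule."""
    return [r.key_id for r in collect_keys(kms) if evaluate(r) == FAIL]


def remediate(kms, key_id: str) -> None:
    """Enable yearly rotation; this is the call behind `aws kms enable-key-rotation`."""
    kms.enable_key_rotation(KeyId=key_id)


# Constructed inventory: (DescribeKey metadata, current rotation flag).
SAMPLE_KEYS = [
    ({"KeyId": "k-app-data", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
      "Origin": "AWS_KMS", "KeyState": "Enabled"}, False),           # FAIL: rotation off
    ({"KeyId": "k-rotated", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
      "Origin": "AWS_KMS", "KeyState": "Enabled"}, True),            # PASS
    ({"KeyId": "k-signing", "KeyManager": "CUSTOMER", "KeySpec": "RSA_2048",
      "Origin": "AWS_KMS", "KeyState": "Enabled"}, False),           # N/A: asymmetric
    ({"KeyId": "k-imported", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
      "Origin": "EXTERNAL", "KeyState": "Enabled"}, False),          # N/A: imported material
    ({"KeyId": "k-aws-s3", "KeyManager": "AWS", "KeySpec": "SYMMETRIC_DEFAULT",
      "Origin": "AWS_KMS", "KeyState": "Enabled"}, True),            # N/A: AWS managed
]


class FakeKms:
    """Constructed stand-in for boto3's KMS client covering the four calls used above."""

    def __init__(self, keys):
        self._meta = {md["KeyId"]: md for md, _ in keys}
        self._rotation = {md["KeyId"]: flag for md, flag in keys}

    def get_paginator(self, name):
        assert name == "list_keys"
        keys = [{"KeyId": kid} for kid in self._meta]
        return type("Paginator", (), {"paginate": lambda _self: iter([{"Keys": keys}])})()

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self._meta[KeyId])}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self._rotation[KeyId]}

    def enable_key_rotation(self, KeyId):
        self._rotation[KeyId] = True


if __name__ == "__main__":
    client = FakeKms(SAMPLE_KEYS)   # swap for boto3.client("kms") against a real account
    for kid in failing_key_ids(client):
        print(f"{kid}: rotation disabled, enabling")
        remediate(client, kid)
    print("remaining findings:", failing_key_ids(client))
```

Running the audit against a real account only needs kms:ListKeys, kms:DescribeKey and kms:GetKeyRotationStatus; the remediation step additionally needs kms:EnableKeyRotation on the affected keys, which is worth granting to an automation role only after the NOT_APPLICABLE filter above has been reviewed for the key types in use.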

Vendor

AWS

Cloud Service

KMS

PCI DSS 3.6.4

CIS AWS v1.5.0 3.8, KMS.4

Severity

1

Item Types

AWS::KMS::Key