Google Cloud Key Management Service (KMS)

Key Rotation Disabled

Ensures that cryptographic keys are set to rotate.

Risk Level: Low

Description

This plugin checks that cryptographic keys are set to rotate regularly. Google Cloud KMS can automatically rotate keys on a schedule. To comply with security regulations when using symmetric encryption, key rotation must be enabled so that keys are rotated periodically.

About the Service

Google Cloud Key Management Service (KMS):

The Google Cloud Key Management Service (KMS) allows you to manage your encryption keys in the cloud. You can use this service to create, rotate, utilise, and remove keys. To produce a key and assure its security, Google employs a number of cryptographic algorithms. Users can then perform operations on Google Cloud services and data based on their role and the access granted to them. To know more, read here

Impact

If key rotation is disabled, a single key stays in use indefinitely, which increases its exposure to attackers and the impact of a breach. If a key is compromised, having key rotation enabled limits the amount of data encrypted under that key, and so limits what is exposed.

Steps to Reproduce

Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select your desired GCP project. 
  3. From the navigation panel on the left side of the console, go to Security under the More products section and select Key management. You can click this link here to navigate directly if you’re already logged in.
  4. In the KEY RINGS tab, select the key ring you want to verify from the list of key rings available.
  5. Select a key from the list of keys in the chosen key ring to verify its details.
  6. Check the rotation period mentioned in the Rotation period section. If it is 90 days or more, it means that key rotation for this key is not properly configured.
  7. Repeat steps 5 and 6 for all the other keys from the selected key ring.
  8. If you have multiple key rings, repeat steps 4 to 7 for each key ring in your GCP Console.
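The same check can be run against the output of the gcloud CLI instead of clicking through each key in the console. The following is an added example, not part of this knowledge base or of any CNS plugin: it applies the rule from step 6 (rotation disabled, or a period of 90 days or more, is a finding) to the JSON that `gcloud kms keys list --keyring RING --location LOC --format=json` prints. The project, key ring and key names in the sample are constructed.

```python
import json
from datetime import timedelta

# Constructed sample of `gcloud kms keys list ... --format=json` output (hypothetical
# names; trimmed to the fields this check uses). KMS expresses rotationPeriod as a
# number of seconds with an "s" suffix, e.g. "7776000s" == 90 days.
SAMPLE_KEYS_JSON = """
[
  {"name": "projects/example-proj/locations/global/keyRings/app-ring/cryptoKeys/db-key",
   "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "2592000s",
   "nextRotationTime": "2024-07-01T00:00:00Z"},
  {"name": "projects/example-proj/locations/global/keyRings/app-ring/cryptoKeys/backup-key",
   "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "7776000s",
   "nextRotationTime": "2024-09-01T00:00:00Z"},
  {"name": "projects/example-proj/locations/global/keyRings/app-ring/cryptoKeys/legacy-key",
   "purpose": "ENCRYPT_DECRYPT"},
  {"name": "projects/example-proj/locations/global/keyRings/app-ring/cryptoKeys/sign-key",
   "purpose": "ASYMMETRIC_SIGN"}
]
"""


def parse_rotation_days(period):
    """Convert a KMS duration string such as "7776000s" to whole days; None if unset."""
    if not period:
        return None
    return timedelta(seconds=float(period.rstrip("s"))).days


def audit_key_rotation(keys, max_days=90):
    """Return (key name, reason) for every symmetric key whose rotation is missing or
    whose period is max_days or longer, mirroring step 6 of the console check."""
    findings = []
    for key in keys:
        # Automatic rotation only applies to symmetric (ENCRYPT_DECRYPT) keys;
        # asymmetric keys have no rotation period and are skipped.
        if key.get("purpose") != "ENCRYPT_DECRYPT":
            continue
        days = parse_rotation_days(key.get("rotationPeriod"))
        if days is None:
            findings.append((key["name"], "rotation disabled"))
        elif days >= max_days:
            findings.append((key["name"], f"rotation period of {days} days is too long"))
    return findings


def audit_from_json(text, max_days=90):
    """Parse gcloud's JSON output and run the audit over it."""
    return audit_key_rotation(json.loads(text), max_days)


if __name__ == "__main__":
    for name, reason in audit_from_json(SAMPLE_KEYS_JSON):
        print(f"FAIL {name}: {reason}")
```

Run it against real output by piping the gcloud command into `audit_from_json`; keys that pass produce no line, so an empty result means every symmetric key in that key ring rotates.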

Steps for Remediation

Determine whether you genuinely require key rotation to be disabled for a given key. If not, enable key rotation using the steps given below.

Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select your desired GCP project. 
  3. From the navigation panel on the left side of the console, go to Security under the More products section and select Key management. You can click this link here to navigate directly if you’re already logged in.
  4. In the KEY RINGS tab, select the key ring you want to verify from the list of key rings available. (In case you aren’t sure which key ring needs to be configured, follow the steps to reproduce listed above to determine which key ring to choose.)
  5. Select the desired key from the list of keys in the chosen key ring to configure its details.
  6. Click on the Edit rotation period button found on the top navigation bar.
  7. Select your desired rotation period from the dropdown list provided. You can also set your custom rotation period using the custom option in the dropdown list. Choose your desired start date and then press Save to save the changes.
  8. Repeat steps 5 to 7 for all the keys you want to reconfigure in the selected key ring.
  9. If you have multiple key rings, repeat steps 4 to 8 for each key ring you want to reconfigure in your GCP console.