AWS Key Management Service (KMS)

KMS Key Rotation Disabled

Risk Level: Medium

Description

This plugin checks that automatic rotation is enabled for KMS keys on a regular schedule. Key rotation prevents a single encryption key from being reused indefinitely; cryptographic best practice discourages using the same key for a long period of time. The primary properties of the KMS key, such as its key ID, key ARN, region, policies, and permissions, do not change when the key is rotated.

About the Service

AWS Key Management Service (KMS): AWS KMS is a managed store of cryptographic keys that can be used directly by your AWS resources and applications. Encrypting with KMS keys lets you secure resources and applications under centralized key management, and logs can be generated to audit key usage across services. The key material itself is protected by AWS KMS and never leaves the service unencrypted.

Impact

Key rotation minimizes the window of exposure if a key is compromised. Because new key material is generated on a regular basis, any single key version protects less data and remains useful to an attacker for a shorter time. It is recommended to rotate KMS keys automatically.

Steps to Reproduce

Using the AWS Console:

  1. Log In to your AWS Console.
  2. Open the AWS KMS Console. You can use this link (https://console.aws.amazon.com/kms/) to navigate directly if already logged in.
  3. From the left navigation pane, click on Customer-managed keys.
  4. A list of customer-managed keys (CMKs) in the region will be displayed. Select the key you want to examine by clicking on its Key ID.
  5. Move to the Key rotation tab.
  6. Check the value of Automatically rotate this KMS key every year. If it is left unchecked, the vulnerability exists.
  7. Repeat steps for all the keys you wish to examine.

Steps for Remediation

Enable yearly rotation for the KMS key.

  1. Log In to your AWS Console.
  2. Open the AWS KMS Console. You can use this link (https://console.aws.amazon.com/kms/) to navigate directly if already logged in.
  3. From the left navigation pane, click on Customer-managed keys.
  4. A list of customer-managed keys (CMKs) in the region will be displayed. Select the vulnerable key by clicking on its Key ID.
  5. Move to the Key rotation tab.
  6. Enable Automatically rotate this KMS key every year by ticking the checkbox next to it.
  7. Repeat steps for all the vulnerable keys.
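The same check and remediation, scripted against the KMS API instead of the console, as an added example that is not part of the original knowledge base entry. It assumes boto3 and AWS credentials with kms:ListKeys, kms:DescribeKey, kms:GetKeyRotationStatus and kms:EnableKeyRotation; keys that cannot rotate automatically (AWS-managed, asymmetric, HMAC, imported-material, or not in the Enabled state) always report rotation as disabled, so they are filtered out to avoid false positives.

```python
"""Audit, and optionally remediate, KMS keys whose automatic rotation is disabled."""

# Only symmetric encryption keys generated by KMS and managed by the customer
# support automatic rotation; everything else is skipped rather than reported.
ROTATABLE_SPEC = "SYMMETRIC_DEFAULT"


def is_rotation_candidate(metadata):
    """True if the key can (and should) have automatic rotation enabled."""
    return (
        metadata.get("KeyManager") == "CUSTOMER"
        and metadata.get("KeySpec") == ROTATABLE_SPEC
        and metadata.get("Origin") == "AWS_KMS"
        and metadata.get("KeyState") == "Enabled"
    )


def find_unrotated_keys(kms):
    """Return the ARNs of candidate keys with rotation disabled.

    `kms` is any object exposing the boto3 KMS client methods used here
    (a real client in production, a fake in tests). ListKeys is paginated
    with Marker/Truncated, so the loop follows NextMarker until exhausted."""
    findings, marker = [], None
    while True:
        page = kms.list_keys(Marker=marker) if marker else kms.list_keys()
        for key in page["Keys"]:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            if not is_rotation_candidate(meta):
                continue
            if not kms.get_key_rotation_status(KeyId=key["KeyId"])["KeyRotationEnabled"]:
                findings.append(meta["Arn"])
        if not page.get("Truncated"):
            return findings
        marker = page["NextMarker"]


def remediate(kms, key_ids):
    """Enable automatic rotation (default period: every year) on each key."""
    for key_id in key_ids:
        kms.enable_key_rotation(KeyId=key_id)
    return list(key_ids)


if __name__ == "__main__":
    import sys
    import boto3  # assumed installed; credentials come from the usual AWS chain

    client = boto3.client("kms")
    unrotated = find_unrotated_keys(client)
    for arn in unrotated:
        print("Rotation disabled:", arn)
    if "--fix" in sys.argv:  # dry-run by default; pass --fix to remediate
        remediate(client, unrotated)
```

Run it per region (`AWS_DEFAULT_REGION`), since KMS keys and their rotation settings are regional.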