---
names:
  full: AWS KMS Symmetric CMK Rotation is not enabled
  contextual: Symmetric CMK Rotation is not enabled
description: AWS KMS allows customers to rotate the backing key which is key material
  stored within the KMS which is tied to the key ID of the customer-created CMK. It
  is the backing key that is used to perform cryptographic operations such as encryption
  and decryption. Automated key rotation currently retains all prior backing keys
  so that decryption of encrypted data can take place transparently. It is recommended
  that CMK key rotation be enabled for symmetric keys.
type: COMPLIANCE_POLICY
categories:
  - "SECURITY"
  - "RELIABILITY"
frameworkMappings:
  - "/frameworks/cis-aws-v6.0.0/04/06"
  - "/frameworks/cloudaware/secret-and-certificate-governance/expiration-management"
  - "/frameworks/aws-well-architected/sec/08/01"
  - "/frameworks/aws-well-architected/sec/09/01"
  - "/frameworks/nist-sp-800-53-r5/sc/12"
  - "/frameworks/nist-sp-800-53-r5/sc/12/02"
  - "/frameworks/nist-sp-800-53-r5/sc/28/03"
  - "/frameworks/pci-dss-v3.2.1/03/06/04"
  - "/frameworks/pci-dss-v4.0.1/03/07/04"
similarPolicies:
  internal:
    - dec-x-4d6fee7a
  cloudConformity:
    - url: https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/KMS/key-rotation-enabled.html
      name: Key Rotation Enabled