
🛡️ AWS KMS Symmetric CMK Rotation is not enabled 🟢

  • Contextual name: 🛡️ Symmetric CMK Rotation is not enabled 🟢
  • ID: /ce/ca/aws/kms/symmetric-cmk-rotation
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY

Logic

Similar Policies

Similar Internal Rules

  Rule | Policies | Flags
  ✉️ dec-x-4d6fee7a1 | |

Description

AWS Key Management Service (KMS) allows customers to rotate the backing key, which is the key material stored within KMS and tied to the key ID of the customer-created customer master key (CMK). The backing key is what performs cryptographic operations such as encryption and decryption. Automatic key rotation retains all prior backing keys, so data encrypted under an earlier backing key can still be decrypted transparently. It is recommended that key rotation be enabled for symmetric CMKs. Key rotation cannot be enabled for any asymmetric CMK.

Rationale

Rotating encryption keys helps reduce the potential impact of a compromised key, as data encrypted with a new key cannot be accessed with a previous key that may have been exposed. Keys should be rotated every year, or upon any event that would result in the compromise of that key.

Impact

Creation, management, and storage of CMKs may require additional time from an administrator.

Audit

From Console
  1. Sign in to the AWS Management Console and open the KMS console at: https://console.aws.amazon.com/kms.

... see more

Remediation

From Console

  1. Sign in to the AWS Management Console and open the KMS console at: https://console.aws.amazon.com/kms.
  2. In the left navigation pane, click Customer-managed keys.
  3. Select a key where Key spec = SYMMETRIC_DEFAULT that does not have automatic rotation enabled.
  4. Select the Key rotation tab.
  5. Check the Automatically rotate this KMS key every year checkbox.
  6. Click Save.
  7. Repeat steps 3–6 for all customer-managed CMKs that do not have automatic rotation enabled.

From Command Line

  1. Run the following command to enable key rotation:
     aws kms enable-key-rotation --key-id <kms_key_id>
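As an added example that is not part of the Cloudaware policy or its policy.yaml, the Python below evaluates this check over KMS key records (DescribeKey KeyMetadata with the GetKeyRotationStatus flag merged in) and emits the remediation command above for each non-compliant key. It goes beyond the page in one respect: keys whose origin is imported key material or a custom/external key store cannot be rotated automatically by KMS, so they are reported separately as needing manual rotation. SAMPLE_KEYS uses constructed, hypothetical key IDs, and collect_key_records assumes a boto3 KMS client.

```python
# Added example (not Cloudaware's policy code): evaluate "symmetric CMK rotation is not
# enabled" over KMS key records (DescribeKey KeyMetadata + GetKeyRotationStatus flag).
# KMS cannot automatically rotate keys with these origins (imported material, custom or
# external key stores); rotate them manually by creating a new key and re-encrypting.
MANUAL_ROTATION_ORIGINS = {"EXTERNAL", "AWS_CLOUDHSM", "EXTERNAL_KEY_STORE"}

def classify_key(meta: dict) -> str:
    """One finding per key: not_applicable, manual_rotation_only, compliant, non_compliant."""
    if meta.get("KeyManager") != "CUSTOMER":
        return "not_applicable"      # AWS-managed keys are rotated by AWS itself
    if meta.get("KeySpec") != "SYMMETRIC_DEFAULT":
        return "not_applicable"      # asymmetric and HMAC keys cannot be auto-rotated
    if meta.get("KeyState") == "PendingDeletion":
        return "not_applicable"      # EnableKeyRotation is rejected in this state
    if meta.get("Origin") in MANUAL_ROTATION_ORIGINS:
        return "manual_rotation_only"
    return "compliant" if meta.get("KeyRotationEnabled") else "non_compliant"

def find_non_compliant(keys: list[dict]) -> list[str]:
    """Key IDs that the remediation above (enable-key-rotation) applies to."""
    return [k["KeyId"] for k in keys if classify_key(k) == "non_compliant"]

def remediation_commands(keys: list[dict]) -> list[str]:
    """The remediation CLI command from this page, one per non-compliant key."""
    return [f"aws kms enable-key-rotation --key-id {kid}" for kid in find_non_compliant(keys)]

def collect_key_records(kms) -> list[dict]:
    """Build records from a boto3 KMS client; not called here, so this runs without AWS."""
    records = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = dict(kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"])
            meta["KeyRotationEnabled"] = meta["KeyManager"] == "CUSTOMER" and bool(
                kms.get_key_rotation_status(KeyId=entry["KeyId"])["KeyRotationEnabled"])
            records.append(meta)
    return records

def _key(kid, manager, spec, origin, rotating, state="Enabled") -> dict:
    return {"KeyId": kid, "KeyManager": manager, "KeySpec": spec, "Origin": origin,
            "KeyState": state, "KeyRotationEnabled": rotating}

# Constructed sample records with hypothetical key IDs (not from any real account).
SAMPLE_KEYS = [
    _key("1111-aws-managed", "AWS", "SYMMETRIC_DEFAULT", "AWS_KMS", True),
    _key("2222-rotating", "CUSTOMER", "SYMMETRIC_DEFAULT", "AWS_KMS", True),
    _key("3333-not-rotating", "CUSTOMER", "SYMMETRIC_DEFAULT", "AWS_KMS", False),
    _key("4444-rsa", "CUSTOMER", "RSA_2048", "AWS_KMS", False),
    _key("5555-imported", "CUSTOMER", "SYMMETRIC_DEFAULT", "EXTERNAL", False),
    _key("6666-deleting", "CUSTOMER", "SYMMETRIC_DEFAULT", "AWS_KMS", False, "PendingDeletion"),
]
```

Running remediation_commands(SAMPLE_KEYS) yields the single command for 3333-not-rotating; 5555-imported is reported as manual_rotation_only because enable-key-rotation is not accepted for imported key material.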

policy.yaml

Linked Framework Sections

Section | Counts (Sub Sections / Internal Rules / Policies / Flags, run together in the source) | Compliance
💼 APRA CPG 234 → 💼 4 Cryptographic key management refers to the generation, distribution, storage, renewal, revocation, recovery, archiving and destruction of encryption keys. Effective cryptographic key management ensures that controls are in place to reduce the risk of compromise of the security of cryptographic keys. Any compromise of the security of cryptographic keys could, in turn, lead to a compromise of the security of the information assets protected by the cryptographic technique deployed. | 67 | no data
💼 APRA CPG 234 → 💼 4 Regulated entities would typically put in place processes to ensure that identities and credentials are issued, managed, verified, revoked and audited for authorised devices, users and software/processes. | 88 | no data
💼 APRA CPG 234 → 💼 36e hardware and software asset controls — appropriate authorisation to prevent security compromises from unauthorised hardware and software assets; | 1616 | no data
💼 APRA CPG 234 → 💼 44c loss of, or unauthorised access to, encryption keys safeguarding extremely critical or sensitive information assets. | 810 | no data
💼 APRA CPG 234 → 💼 d. predefined activation and deactivation dates for cryptographic keys, limiting the period of time they remain valid for use. The period of time a cryptographic key remains valid would be commensurate with the risk; | 34 | no data
💼 CIS AWS v1.2.0 → 💼 2.8 Ensure rotation for customer created CMKs is enabled | 11 | no data
💼 CIS AWS v1.3.0 → 💼 3.8 Ensure rotation for customer created CMKs is enabled | 11 | no data
💼 CIS AWS v1.4.0 → 💼 3.8 Ensure rotation for customer created CMKs is enabled | 11 | no data
💼 CIS AWS v1.5.0 → 💼 3.8 Ensure rotation for customer created symmetric CMKs is enabled - Level 2 (Automated) | 11 | no data
💼 CIS AWS v2.0.0 → 💼 3.8 Ensure rotation for customer created symmetric CMKs is enabled - Level 2 (Automated) | 11 | no data
💼 CIS AWS v3.0.0 → 💼 3.6 Ensure rotation for customer-created symmetric CMKs is enabled - Level 2 (Automated) | 11 | no data
💼 CIS AWS v4.0.0 → 💼 3.6 Ensure rotation for customer-created symmetric CMKs is enabled (Automated) | 1 | no data
💼 CIS AWS v4.0.1 → 💼 3.6 Ensure rotation for customer-created symmetric CMKs is enabled (Automated) | 1 | no data
💼 CIS AWS v5.0.0 → 💼 3.6 Ensure rotation for customer-created symmetric CMKs is enabled (Automated) | 1 | no data
💼 CIS AWS v6.0.0 → 💼 4.6 Ensure rotation for customer-created symmetric CMKs is enabled (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Expiration Management | 12 | no data
💼 FedRAMP High Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 61432 | no data
💼 FedRAMP High Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H) | 1911 | no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 514 | no data
💼 FedRAMP Low Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 132 | no data
💼 FedRAMP Low Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H) | 11 | no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 14 | no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 432 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H) | 11 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 14 | no data
💼 GDPR → 💼 Art. 25 Data protection by design and by default | 1010 | no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.4 Management of secret authentication information of users | 810 | no data
💼 ISO/IEC 27001:2013 → 💼 A.10.1.2 Key management | 911 | no data
💼 ISO/IEC 27001:2022 → 💼 5.33 Protection of records | 1015 | no data
💼 NIST CSF v1.1 → 💼 DE.AE-2: Detected events are analyzed to understand attack targets and methods | 1823 | no data
💼 NIST CSF v1.1 → 💼 DE.AE-3: Event data are collected and correlated from multiple sources and sensors | 1837 | no data
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated | 2932 | no data
💼 NIST CSF v1.1 → 💼 ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations | 1519 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 1930 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks) | 1923 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-1: Data-at-rest is protected | 1528 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected | 1631 | no data
💼 NIST CSF v1.1 → 💼 PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | 1632 | no data
💼 NIST CSF v1.1 → 💼 RS.AN-1: Notifications from detection systems are investigated | 1823 | no data
💼 NIST CSF v1.1 → 💼 RS.CO-2: Incidents are reported consistent with established criteria | 1922 | no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities | 31 | no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources | 46 | no data
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools | 32 | no data
💼 NIST CSF v2.0 → 💼 DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis | 37 | no data
💼 NIST CSF v2.0 → 💼 GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | 26 | no data
💼 NIST CSF v2.0 → 💼 ID.RA-10: Critical suppliers are assessed prior to acquisition | 26 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization | 38 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated | 32 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 91 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 117 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 97 | no data
💼 NIST CSF v2.0 → 💼 RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging | 22 | no data
💼 NIST CSF v2.0 → 💼 RS.CO-02: Internal and external stakeholders are notified of incidents | 30 | no data
💼 NIST CSF v2.0 → 💼 RS.MA-02: Incident reports are triaged and validated | 24 | no data
💼 NIST SP 800-53 Revision 4 → 💼 AC-2 (7) ROLE-BASED SCHEMES | 22 | no data
💼 NIST SP 800-53 Revision 4 → 💼 AC-6 (10) PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS | 11 | no data
💼 NIST SP 800-53 Revision 4 → 💼 AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING | 1022 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection | 1014 | no data
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks. | 1821 | no data
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. | 221 | no data
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. | 2921 | no data
💼 SOC 2 → 💼 CC6.1-10 Uses Encryption to Protect Data | 611 | no data
💼 SOC 2 → 💼 CC6.1-11 Protects Encryption Keys | 69 | no data