
πŸ“ AWS KMS Symmetric CMK Rotation is not enabled 🟒

  • Contextual name: πŸ“ Symmetric CMK Rotation is not enabled 🟒
  • ID: /ce/ca/aws/kms/symmetric-cmk-rotation
  • Located in: πŸ“ AWS KMS

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-4d6fee7a1 | |

Logic

Description

AWS Key Management Service (KMS) allows customers to rotate the backing key, which is the key material stored within KMS that is tied to the key ID of the customer-created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automatic key rotation currently retains all prior backing keys so that decryption of previously encrypted data continues to work transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation cannot be enabled for any asymmetric CMK.

Rationale

Rotating encryption keys helps reduce the potential impact of a compromised key, because data encrypted with a new key cannot be accessed with a previous key that may have been exposed. Keys should be rotated every year, or upon any event that could result in the compromise of that key.

Impact

Creation, management, and storage of CMKs may require additional time from an administrator.

Audit

From Console

  1. Sign in to the AWS Management Console and open the KMS console at: https://console.aws.amazon.com/kms.


Remediation

From Console

  1. Sign in to the AWS Management Console and open the KMS console at: https://console.aws.amazon.com/kms.
  2. In the left navigation pane, click Customer-managed keys.
  3. Select a key where Key spec = SYMMETRIC_DEFAULT that does not have automatic rotation enabled.
  4. Select the Key rotation tab.
  5. Check the Automatically rotate this KMS key every year checkbox.
  6. Click Save.
  7. Repeat steps 3–6 for all customer-managed CMKs that do not have automatic rotation enabled.

From Command Line

  1. Run the following command to enable key rotation:

     aws kms enable-key-rotation --key-id <kms_key_id>
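The audit and remediation steps above, carried out programmatically with boto3 as an added example (this is not Cloudaware's policy code). It assumes the four KMS API calls list_keys (through a paginator), describe_key, get_key_rotation_status and enable_key_rotation, which exist under those names in boto3, and credentials allowed to call them. The FakeKms class and SAMPLE_KEYS inventory are constructed stand-ins so the selection logic runs offline; the key IDs in it are placeholders, not real keys.

```python
"""Audit customer-managed symmetric KMS keys for automatic rotation, then enable it.

Added example, not Cloudaware's policy code. FakeKms and SAMPLE_KEYS are
constructed so the logic can run without AWS credentials.
"""
import sys


def find_unrotated_symmetric_cmks(kms):
    """Return the IDs of keys this policy would flag.

    A key is flagged only when all of the following hold, which mirrors the
    console step "Key spec = SYMMETRIC_DEFAULT, automatic rotation not enabled":
      - KeyManager is CUSTOMER (AWS-managed keys are rotated by AWS itself),
      - KeySpec is SYMMETRIC_DEFAULT (rotation cannot be enabled for asymmetric keys),
      - Origin is AWS_KMS (imported or custom-key-store material cannot be auto-rotated),
      - KeyState is Enabled (EnableKeyRotation is rejected for other states),
      - GetKeyRotationStatus reports KeyRotationEnabled == False.
    """
    flagged = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            key_id = entry["KeyId"]
            meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
            if meta.get("KeyManager") != "CUSTOMER":
                continue
            if meta.get("KeySpec") != "SYMMETRIC_DEFAULT":
                continue
            if meta.get("Origin") != "AWS_KMS":
                continue
            if meta.get("KeyState") != "Enabled":
                continue
            if not kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]:
                flagged.append(key_id)
    return flagged


def enable_rotation(kms, key_ids):
    """Remediate: enable yearly automatic rotation on each flagged key.

    Equivalent to `aws kms enable-key-rotation --key-id <id>` per key.
    Returns the number of keys updated.
    """
    for key_id in key_ids:
        kms.enable_key_rotation(KeyId=key_id)
    return len(key_ids)


class FakeKms:
    """Constructed in-memory stand-in for a boto3 KMS client (offline demo only)."""

    def __init__(self, keys):
        # Each entry carries KeyMetadata fields plus a constructed "Rotation" flag.
        self._meta = {k["KeyId"]: {f: v for f, v in k.items() if f != "Rotation"} for k in keys}
        self._rotation = {k["KeyId"]: k["Rotation"] for k in keys}

    def get_paginator(self, operation_name):
        assert operation_name == "list_keys"
        pages = [{"Keys": [{"KeyId": kid} for kid in self._meta]}]

        class _Paginator:
            def paginate(self, **kwargs):
                return pages

        return _Paginator()

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self._meta[KeyId])}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self._rotation[KeyId]}

    def enable_key_rotation(self, KeyId):
        meta = self._meta[KeyId]
        # The real service rejects this call for asymmetric, imported or non-Enabled keys.
        if (meta["KeySpec"] != "SYMMETRIC_DEFAULT" or meta["Origin"] != "AWS_KMS"
                or meta["KeyState"] != "Enabled"):
            raise ValueError("rotation not supported for this key (service would refuse)")
        self._rotation[KeyId] = True


# Constructed sample inventory; key IDs are placeholders, not real keys.
SAMPLE_KEYS = [
    {"KeyId": "00000000-0000-4000-8000-000000000001", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "Origin": "AWS_KMS", "KeyState": "Enabled", "Rotation": False},          # flagged
    {"KeyId": "00000000-0000-4000-8000-000000000002", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "Origin": "AWS_KMS", "KeyState": "Enabled", "Rotation": True},           # compliant
    {"KeyId": "00000000-0000-4000-8000-000000000003", "KeyManager": "CUSTOMER", "KeySpec": "RSA_2048",
     "Origin": "AWS_KMS", "KeyState": "Enabled", "Rotation": False},          # asymmetric: out of scope
    {"KeyId": "00000000-0000-4000-8000-000000000004", "KeyManager": "AWS", "KeySpec": "SYMMETRIC_DEFAULT",
     "Origin": "AWS_KMS", "KeyState": "Enabled", "Rotation": True},           # AWS-managed: out of scope
    {"KeyId": "00000000-0000-4000-8000-000000000005", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "Origin": "AWS_KMS", "KeyState": "PendingDeletion", "Rotation": False},  # not Enabled: skip
    {"KeyId": "00000000-0000-4000-8000-000000000006", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
     "Origin": "EXTERNAL", "KeyState": "Enabled", "Rotation": False},         # imported material: skip
]


def build_sample_client():
    """Fresh fake client over the constructed inventory."""
    return FakeKms(SAMPLE_KEYS)


if __name__ == "__main__":
    # Real run: needs kms:ListKeys, DescribeKey, GetKeyRotationStatus and (with --fix) EnableKeyRotation.
    import boto3

    kms = boto3.client("kms")
    flagged = find_unrotated_symmetric_cmks(kms)
    print(f"{len(flagged)} symmetric CMK(s) without automatic rotation: {flagged}")
    if "--fix" in sys.argv:
        print(f"enabled rotation on {enable_rotation(kms, flagged)} key(s)")
```

Run it without arguments to audit only, or with `--fix` to apply the remediation; against the constructed inventory only the first key is flagged, and after `enable_rotation` a second audit returns nothing.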

policy.yaml

Linked Framework Sections

Section → Sub Section | Counts (Internal Rules, Policies, Flags)
💼 APRA CPG 234 → 💼 4 Cryptographic key management refers to the generation, distribution, storage, renewal, revocation, recovery, archiving and destruction of encryption keys. Effective cryptographic key management ensures that controls are in place to reduce the risk of compromise of the security of cryptographic keys. Any compromise of the security of cryptographic keys could, in turn, lead to a compromise of the security of the information assets protected by the cryptographic technique deployed. | 67
💼 APRA CPG 234 → 💼 4 Regulated entities would typically put in place processes to ensure that identities and credentials are issued, managed, verified, revoked and audited for authorised devices, users and software/processes. | 88
💼 APRA CPG 234 → 💼 36e hardware and software asset controls — appropriate authorisation to prevent security compromises from unauthorised hardware and software assets; | 1516
💼 APRA CPG 234 → 💼 44c loss of, or unauthorised access to, encryption keys safeguarding extremely critical or sensitive information assets. | 810
💼 APRA CPG 234 → 💼 d. predefined activation and deactivation dates for cryptographic keys, limiting the period of time they remain valid for use. The period of time a cryptographic key remains valid would be commensurate with the risk; | 34
💼 CIS AWS v1.2.0 → 💼 2.8 Ensure rotation for customer created CMKs is enabled | 11
💼 CIS AWS v1.3.0 → 💼 3.8 Ensure rotation for customer created CMKs is enabled | 11
💼 CIS AWS v1.4.0 → 💼 3.8 Ensure rotation for customer created CMKs is enabled | 11
💼 CIS AWS v1.5.0 → 💼 3.8 Ensure rotation for customer created symmetric CMKs is enabled - Level 2 (Automated) | 11
💼 CIS AWS v2.0.0 → 💼 3.8 Ensure rotation for customer created symmetric CMKs is enabled - Level 2 (Automated) | 11
💼 CIS AWS v3.0.0 → 💼 3.6 Ensure rotation for customer-created symmetric CMKs is enabled - Level 2 (Automated) | 11
💼 CIS AWS v4.0.0 → 💼 3.6 Ensure rotation for customer-created symmetric CMKs is enabled (Automated) | 1
💼 CIS AWS v4.0.1 → 💼 3.6 Ensure rotation for customer-created symmetric CMKs is enabled (Automated) | 1
💼 CIS AWS v5.0.0 → 💼 3.6 Ensure rotation for customer-created symmetric CMKs is enabled (Automated) | 1
💼 Cloudaware Framework → 💼 Expiration Management | 12
💼 FedRAMP High Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 61420
💼 FedRAMP High Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H) | 1911
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 512
💼 FedRAMP Low Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 120
💼 FedRAMP Low Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H) | 11
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 12
💼 FedRAMP Moderate Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 420
💼 FedRAMP Moderate Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H) | 11
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 12
💼 GDPR → 💼 Art. 25 Data protection by design and by default | 1010
💼 ISO/IEC 27001:2013 → 💼 A.9.2.4 Management of secret authentication information of users | 810
💼 ISO/IEC 27001:2013 → 💼 A.10.1.2 Key management | 911
💼 ISO/IEC 27001:2022 → 💼 5.33 Protection of records | 1010
💼 NIST CSF v1.1 → 💼 DE.AE-2: Detected events are analyzed to understand attack targets and methods | 1922
💼 NIST CSF v1.1 → 💼 DE.AE-3: Event data are collected and correlated from multiple sources and sensors | 1922
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated | 3033
💼 NIST CSF v1.1 → 💼 ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations | 1619
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 1922
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks) | 1922
💼 NIST CSF v1.1 → 💼 PR.DS-1: Data-at-rest is protected | 1519
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected | 1421
💼 NIST CSF v1.1 → 💼 PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | 1720
💼 NIST CSF v1.1 → 💼 RS.AN-1: Notifications from detection systems are investigated | 1922
💼 NIST CSF v1.1 → 💼 RS.CO-2: Incidents are reported consistent with established criteria | 2023
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities | 26
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources | 26
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools | 33
💼 NIST CSF v2.0 → 💼 DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis | 22
💼 NIST CSF v2.0 → 💼 GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | 26
💼 NIST CSF v2.0 → 💼 ID.RA-10: Critical suppliers are assessed prior to acquisition | 26
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization | 23
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated | 22
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 57
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 81
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 68
💼 NIST CSF v2.0 → 💼 RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging | 23
💼 NIST CSF v2.0 → 💼 RS.CO-02: Internal and external stakeholders are notified of incidents | 30
💼 NIST CSF v2.0 → 💼 RS.MA-02: Incident reports are triaged and validated | 22
💼 NIST SP 800-53 Revision 4 → 💼 AC-2 (7) ROLE-BASED SCHEMES | 11
💼 NIST SP 800-53 Revision 4 → 💼 AC-6 (10) PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS | 11
💼 NIST SP 800-53 Revision 4 → 💼 AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING | 1022
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection | 1012
💼 SOC 2 → 💼 CC6.1-10 Uses Encryption to Protect Data | 66
💼 SOC 2 → 💼 CC6.1-11 Protects Encryption Keys | 68