🛡️ Google KMS Crypto Key is not rotated every 90 days🟢

Contextual name: 🛡️ Crypto Key is not rotated every 90 days🟢
ID: /ce/ca/google/kms/kms-key-rotation
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Google Cloud KMS Crypto Key
- 🔌 Google Cloud KMS Crypto Key - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

Cloud Conformity: Rotate Google Cloud KMS Keys

Description

Description

Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for consistent access control management.

The format for the rotation schedule depends on the client library used. For the gcloud CLI, the next rotation time must be in ISO or RFC3339 format, and the rotation period must be in the form INTEGER[UNIT], where units can be seconds (s), minutes (m), hours (h), or days (d).

Rationale

Set a key rotation period and starting time. A key can be created with a specified rotation period, which is the time between automatic generation of new key versions. A key can also be created with a specified next rotation time. A key is a named object representing a cryptographic key used for a specific purpose. The key material, the actual bits used for encryption, can change over time as new key versions are created.

A key is used to protect a set of data. A collection of files could be encrypted with the same key, and people with decrypt permissions on that key would be able to decrypt those files. Therefore, it is necessary to make sure the rotation period is set to a specific time.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

Go to Cryptographic Keys by visiting: https://console.cloud.google.com/security/kms.

Click the specific key ring.

From the list of keys, select the key and click the More actions menu (three dots).

Click on Edit rotation period.

In the dialog, select a new rotation period in days that is less than 90, then choose the Starting on date.

From Google Cloud CLI
Update and schedule rotation by ROTATION_PERIOD and NEXT_ROTATION_TIME for each key:
gcloud kms keys update new \
    --keyring={{key-ring}} \
    --location=LOCATION \
    --next-rotation-time={{next-rotation-time}} \
    --rotation-period={{rotation-period}}

policy.yaml

Open File

Linked Framework Sections

Section	Policies	Compliance
💼 CIS GCP v1.2.0 → 💼 1.10 Ensure KMS encryption keys are rotated within a period of 90 days - Level 1 (Automated)	1	no data
💼 CIS GCP v1.3.0 → 💼 1.10 Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days - Level 1 (Automated)	1	no data
💼 CIS GCP v2.0.0 → 💼 1.10 Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days - Level 1 (Automated)	1	no data
💼 CIS GCP v3.0.0 → 💼 1.10 Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days - Level 1 (Automated)	1	no data
💼 Cloudaware Framework → 💼 Expiration Management	20	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Remediation​

Remediation​

From Google Cloud Console​

From Google Cloud CLI​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Remediation

Remediation

From Google Cloud Console

From Google Cloud CLI

policy.yaml

Linked Framework Sections