Test 223: AWS CMK Rotation

Drata validates that key rotation is enabled for customer-created symmetric customer master keys (CMKs) in AWS Key Management Service (KMS).

Updated over a month ago

Prerequisites

  • The CMKs to be monitored must grant Drata the following permissions:

    • kms:ListKeys

    • kms:DescribeKey

    • kms:GetKeyRotationStatus

    • To add the necessary permissions for auto-rotation monitoring in the key policy of each CMK:

      1. Navigate to AWS Key Management Service (KMS) in the AWS Console.

      2. Select the Customer managed keys from the side menu.

      3. Select each CMK that requires monitoring (repeat the following steps for each key).

      4. Navigate to the Key policy tab.

      5. Edit the Key Policy JSON by adding a new statement or modifying an existing one:

        • Ensure that permissions for kms:ListKeys, kms:DescribeKey, and kms:GetKeyRotationStatus are included in the Action property.

        • Ensure the Principal is specified as arn:aws:iam::<Account-ID>:role/DrataAutopilotRole, where <Account-ID> is replaced with your AWS Account ID.

        • To scope the permissions to specific keys, use the key ARN(s) in the Resource property. Alternatively, set the Resource to * to apply to all CMKs.
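The key-policy edit in steps 1 to 5 above, worked through in code. This is an added example, not Drata's own tooling or an AWS sample: it builds the statement the page describes (the three kms actions, the DrataAutopilotRole principal, a scoped or wildcard Resource), merges it into an existing key policy without duplicating it on re-runs, and pre-checks whether a policy already grants the role those actions. The Sid, the account ID and the key ARN are constructed sample values; the check handles Action wildcards but does not evaluate Deny statements or conditions.

```python
import json
from fnmatch import fnmatchcase

# The role name and the three actions come from the page; the Sid, the account ID
# and the key ARN used below are constructed sample values.
ROLE_NAME = "DrataAutopilotRole"
MONITORING_ACTIONS = ["kms:ListKeys", "kms:DescribeKey", "kms:GetKeyRotationStatus"]
STATEMENT_SID = "AllowDrataRotationMonitoring"  # assumed Sid; any Sid unique in the policy works


def monitoring_statement(account_id, key_arns=None):
    """Build the key-policy statement that lets DrataAutopilotRole read rotation status.

    Resource is the list of key ARNs when given (scoped grant), otherwise "*".
    """
    return {
        "Sid": STATEMENT_SID,
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"},
        "Action": list(MONITORING_ACTIONS),
        "Resource": list(key_arns) if key_arns else "*",
    }


def _statements(policy):
    # "Statement" may be a single object or a list; normalise to a list.
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def missing_actions(policy_json, account_id):
    """Return the monitoring actions that no Allow statement grants to the role.

    Action patterns such as "kms:*" or "kms:Get*" are matched; Deny statements and
    Condition blocks are ignored, so this is a pre-check, not a policy simulator.
    """
    role_arn = f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"
    granted = set()
    for stmt in _statements(json.loads(policy_json)):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS")) if isinstance(principal, dict)
                          else _as_list(principal))
        if role_arn not in aws_principals and "*" not in aws_principals:
            continue
        granted.update(_as_list(stmt.get("Action")))
    return [a for a in MONITORING_ACTIONS
            if not any(fnmatchcase(a, pattern) for pattern in granted)]


def add_monitoring_statement(policy_json, account_id, key_arns=None):
    """Return the policy with the monitoring statement added, replacing any statement
    that already carries the same Sid so repeated runs do not duplicate it."""
    policy = json.loads(policy_json)
    stmts = [s for s in _statements(policy) if s.get("Sid") != STATEMENT_SID]
    stmts.append(monitoring_statement(account_id, key_arns))
    policy["Statement"] = stmts
    return json.dumps(policy, indent=2)


# Constructed sample: the default key policy KMS generates for a new key, which grants
# the account root everything and the Drata role nothing.
SAMPLE_ACCOUNT = "123456789012"
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SAMPLE_ACCOUNT}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    print("missing before:", missing_actions(SAMPLE_POLICY, SAMPLE_ACCOUNT))
    updated = add_monitoring_statement(SAMPLE_POLICY, SAMPLE_ACCOUNT, [SAMPLE_KEY_ARN])
    print("missing after:", missing_actions(updated, SAMPLE_ACCOUNT))
    print(updated)
```

The output of `add_monitoring_statement` is what you paste into the Key policy tab for that key; keeping the statement behind a fixed Sid means the same script can be re-run across many keys without stacking duplicate statements.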

ASSOCIATED DRATA CONTROL

This test is part of the Cryptographic Key Rotation control (DCF-779) that ensures your company has implemented processes to change cryptographic keys periodically based on a defined schedule.

WHAT TO DO IF A TEST FAILS

If Drata finds that automatic rotation is not enabled for one or more CMKs in AWS KMS, the test will fail.

Rotating encryption keys limits the impact of a compromised key, because data encrypted under the new key cannot be decrypted with a previous key that may have been exposed. Keys should be rotated every year, or upon any event that could result in the compromise of that key. Enabling automatic CMK rotation is recommended for symmetric keys; automatic rotation cannot be enabled for any asymmetric CMK.

STEPS TO REMEDIATE

From the KMS console, under 'Customer-managed keys', select the key without automatic rotation enabled and check the 'Automatically rotate this KMS key every year' checkbox.
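The check described under "What to do if a test fails" and the remediation step above, carried out in code. This is an added example, not Drata's test or an AWS sample: it lists every key, skips the ones the test does not apply to (AWS-managed keys, asymmetric or HMAC keys, imported key material, keys pending deletion), reads `KeyRotationEnabled` for the rest, and can then enable rotation on the failing keys. It runs against `FakeKms`, a constructed stand-in for the boto3 KMS client that implements only the four calls used here (`list_keys` with Marker pagination, `describe_key`, `get_key_rotation_status`, `enable_key_rotation`); the key IDs and ARNs are constructed. The only assumption beyond the page is that the skip rules reflect which keys KMS allows automatic rotation on.

```python
from dataclasses import dataclass


@dataclass
class KeyFinding:
    key_id: str
    key_arn: str
    status: str   # "ROTATING", "NOT_ROTATING" or "SKIPPED"
    reason: str


def _check_key(kms, key_id, key_arn):
    """Classify one key the way the rotation test would."""
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    if meta.get("KeyManager") != "CUSTOMER":
        return KeyFinding(key_id, key_arn, "SKIPPED", "AWS managed key; rotated by AWS")
    if meta.get("KeySpec") != "SYMMETRIC_DEFAULT":
        # Asymmetric and HMAC keys cannot be auto-rotated; GetKeyRotationStatus
        # would also raise UnsupportedOperationException for them.
        return KeyFinding(key_id, key_arn, "SKIPPED",
                          f"{meta.get('KeySpec')} key; automatic rotation unsupported")
    if meta.get("Origin") == "EXTERNAL":
        return KeyFinding(key_id, key_arn, "SKIPPED", "imported key material; automatic rotation unsupported")
    if meta.get("KeyState") in ("PendingDeletion", "PendingReplicaDeletion"):
        return KeyFinding(key_id, key_arn, "SKIPPED", "key scheduled for deletion")
    enabled = kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]
    return KeyFinding(key_id, key_arn, "ROTATING" if enabled else "NOT_ROTATING",
                      "automatic rotation " + ("enabled" if enabled else "disabled"))


def audit_cmk_rotation(kms):
    """Walk every key in the account (ListKeys is paginated via Marker/NextMarker)."""
    findings, kwargs = [], {}
    while True:
        resp = kms.list_keys(**kwargs)
        for key in resp["Keys"]:
            findings.append(_check_key(kms, key["KeyId"], key["KeyArn"]))
        if not resp.get("Truncated"):
            return findings
        kwargs = {"Marker": resp["NextMarker"]}


def enable_rotation(kms, findings, dry_run=True):
    """Remediate: enable yearly rotation on each NOT_ROTATING key. Returns the key IDs
    that would be (or were) changed; nothing is modified while dry_run is True."""
    targets = [f.key_id for f in findings if f.status == "NOT_ROTATING"]
    if not dry_run:
        for key_id in targets:
            kms.enable_key_rotation(KeyId=key_id)
    return targets


class FakeKms:
    """Constructed stand-in for boto3's KMS client covering only the calls used above."""
    PAGE_SIZE = 2   # small page size so the sample exercises pagination

    def __init__(self, keys):
        self._keys = keys          # key_id -> {"meta": KeyMetadata dict, "rotating": bool}
        self.enabled = []          # records EnableKeyRotation calls

    def list_keys(self, **kwargs):
        ids = sorted(self._keys)
        start = int(kwargs.get("Marker", "0"))
        chunk = ids[start:start + self.PAGE_SIZE]
        resp = {"Keys": [{"KeyId": k, "KeyArn": self._keys[k]["meta"]["Arn"]} for k in chunk],
                "Truncated": start + self.PAGE_SIZE < len(ids)}
        if resp["Truncated"]:
            resp["NextMarker"] = str(start + self.PAGE_SIZE)
        return resp

    def describe_key(self, KeyId):
        return {"KeyMetadata": self._keys[KeyId]["meta"]}

    def get_key_rotation_status(self, KeyId):
        if self._keys[KeyId]["meta"]["KeySpec"] != "SYMMETRIC_DEFAULT":
            raise RuntimeError("UnsupportedOperationException")   # mirrors KMS behaviour
        return {"KeyRotationEnabled": self._keys[KeyId]["rotating"]}

    def enable_key_rotation(self, KeyId):
        self._keys[KeyId]["rotating"] = True
        self.enabled.append(KeyId)
        return {}


def sample_kms():
    """Constructed account: one compliant key, one failing key, and three the test skips."""
    def meta(key_id, spec="SYMMETRIC_DEFAULT", manager="CUSTOMER", origin="AWS_KMS", state="Enabled"):
        return {"KeyId": key_id, "Arn": f"arn:aws:kms:us-east-1:123456789012:key/{key_id}",
                "KeySpec": spec, "KeyManager": manager, "Origin": origin, "KeyState": state}
    return FakeKms({
        "key-sym-rotating": {"meta": meta("key-sym-rotating"), "rotating": True},
        "key-sym-stale": {"meta": meta("key-sym-stale"), "rotating": False},
        "key-rsa-sign": {"meta": meta("key-rsa-sign", spec="RSA_2048"), "rotating": False},
        "key-aws-managed": {"meta": meta("key-aws-managed", manager="AWS"), "rotating": True},
        "key-imported": {"meta": meta("key-imported", origin="EXTERNAL"), "rotating": False},
    })


if __name__ == "__main__":
    kms = sample_kms()          # swap in boto3.client("kms") to run against a real account
    findings = audit_cmk_rotation(kms)
    for f in findings:
        print(f"{f.status:<13} {f.key_id:<18} {f.reason}")
    print("would enable rotation on:", enable_rotation(kms, findings, dry_run=True))
```

Replacing `sample_kms()` with `boto3.client("kms")` runs the same audit live; the identity doing so needs exactly the three read permissions listed under Prerequisites, plus kms:EnableKeyRotation on the target keys if you let it remediate with `dry_run=False`. Keeping the skip reasons in the findings matters for evidence: a reviewer can see why an asymmetric or imported key is absent from the failing list rather than wondering whether it was missed.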

Center for Internet Security (CIS)

This test aligns with the Center for Internet Security's (CIS) foundation benchmarks, which provide prescriptive guidance for establishing a secure baseline configuration for Amazon Web Services. To learn more, refer to the Center for Internet Security (CIS) section.
