KMS key does not have key rotation enabled Affecting KMS service in AWS

Snyk CCSS

Keys and Secrets / Best Practices

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

AWS-Well-Architected CIS-AWS CIS-Controls CSA-CCM ISO-27001 PCI-DSS SOC-2

Snyk ID SNYK-CC-00032
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Automatic key rotation should be enabled for all symmetric encryption KMS keys. Key rotation does not require any change to applications that are using the key, so it is safe to enable at any time. This helps reduce the exposure window should the key material be leaked.

How to fix?

Set the aws_kms_key enable_key_rotation field to true.

Example Configuration

resource "aws_kms_key" "example" {
  enable_key_rotation = true
  # other required fields here
}

KMS key does not have key rotation enabled Affecting KMS service in AWS

Severity

Description

How to fix?

Example Configuration

References