KMS key does not have key rotation enabled Affecting KMS service in AWS


Severity

0.0
medium
0
10
Severity Framework
Snyk CCSS
Rule category
Keys and Secrets/ Best Practices

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
Frameworks
AWS-Well-ArchitectedCIS-AWSCIS-ControlsCSA-CCMISO-27001PCI-DSSSOC-2
  • Snyk IDSNYK-CC-00032
  • creditSnyk Research Team

Description

Automatic key rotation should be enabled for all symmetric encryption KMS keys. Key rotation does not require any change to applications that are using the key, so it is safe to enable at any time. This helps reduce the exposure window should the key material be leaked.

How to fix?

Set the aws_kms_key enable_key_rotation field to true.

Example Configuration

resource "aws_kms_key" "example" {
  enable_key_rotation = true
  # other required fields here
}