KMS keys are not automatically rotated Affecting Cloud KMS service in Google


Severity

0.0
medium
0
10
Severity Framework
Snyk CCSS
Rule category
Keys and Secrets/ Lifecycle

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
Frameworks
CIS-Google
  • Snyk IDSNYK-CC-00350
  • creditSnyk Research Team

Description

Cloud KMS (Key Management Service) keys should be rotated frequently because rotation helps reduce the potential impact of a compromised key as users cannot use the old key to access the data.

How to fix?

Set rotation_period attribute to a number lower than 7776000s (90 days).

Example Configuration

resource "google_kms_crypto_key" "valid_rotation" {
  name            = "valid-rotating-key"
  key_ring        = google_kms_key_ring.test.id
  rotation_period = "86400s"
}

References