MEDIUM KMS · CIS 3.6

KMS key rotation

Check ID: aws-kms-001

AWS-KMS-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether customer-managed symmetric KMS keys have automatic key rotation enabled.

Why it matters

Without automatic rotation a customer-managed key keeps the same key material for its whole lifetime, so every ciphertext ever produced under the key is protected by one piece of key material and the amount of data depending on it grows without bound. Key-management guidance limits that exposure with a cryptoperiod: NIST SP 800-57 recommends one for every key, PCI DSS Requirement 3.6.4 requires keys to be changed when their cryptoperiod ends, and CIS AWS Foundations Benchmark 3.6 requires automatic rotation for all customer-managed symmetric keys. AWS KMS automatic rotation generates fresh key material on a schedule (yearly by default) and uses it for new encrypt operations, while every earlier version is retained inside KMS and selected transparently when ciphertext produced under it is decrypted. The key ID, ARN, aliases and key policy do not change, so applications need no code or configuration change and existing ciphertext keeps decrypting. Two caveats matter for the threat model: rotation does not re-encrypt existing ciphertext or data keys already generated for envelope encryption, and it does nothing against over-broad kms:Decrypt permissions, because a principal allowed to use the key can decrypt under any of its material versions. Unlike manual rotation (creating a new key and re-pointing an alias), automatic rotation cannot strand data behind a retired key that is later disabled or deleted.

Common causes

Automatic rotation is off by default for customer-managed keys, whether created through the console, the CLI or API, CloudFormation (EnableKeyRotation) or Terraform (enable_key_rotation defaults to false), so someone has to turn it on explicitly. Engineers who create keys in the console often overlook the rotation setting, and some teams leave it off deliberately out of concern that rotating would break existing ciphertext, not realizing that KMS retains every material version and picks the right one at decrypt time. Keys with imported key material or in a custom key store cannot be rotated automatically at all; those need a manual rotation plan rather than this setting.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
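The decision a scanner has to make for this check is which keys are in scope for automatic rotation at all (customer-managed, symmetric, KMS-generated material, not pending deletion) and which in-scope keys have it disabled. The following is an added example of that logic, not cloud-audit's own implementation. It works on the response shapes of kms:DescribeKey (KeyMetadata) and kms:GetKeyRotationStatus, so the same functions can be driven by a real boto3 KMS client or, as here, by a constructed stand-in with made-up key IDs.

```python
"""Rotation check for customer-managed symmetric KMS keys.

Added example; not cloud-audit's code. Input shapes are those of
kms:DescribeKey (KeyMetadata) and kms:GetKeyRotationStatus, so scan()
accepts either a boto3 KMS client or the FakeKms stand-in below.
"""
from dataclasses import dataclass
from typing import Optional

PASS, FAIL, NOT_APPLICABLE = "PASS", "FAIL", "NOT_APPLICABLE"


@dataclass
class Finding:
    key_id: str
    status: str
    reason: str


def rotation_ineligibility_reason(meta: dict) -> Optional[str]:
    """Return why a key cannot have automatic rotation, or None if it can.

    Automatic rotation exists only for customer-managed, symmetric
    encryption keys whose key material was generated by KMS itself.
    """
    if meta.get("KeyManager") != "CUSTOMER":
        return "AWS managed key; rotation is controlled by AWS"
    if meta.get("KeySpec", "SYMMETRIC_DEFAULT") != "SYMMETRIC_DEFAULT":
        return f"{meta['KeySpec']} keys do not support automatic rotation"
    if meta.get("Origin", "AWS_KMS") != "AWS_KMS":
        return f"Origin {meta['Origin']} (imported material or external key store) cannot be rotated automatically"
    if meta.get("KeyState") in ("PendingDeletion", "PendingReplicaDeletion"):
        return "key is scheduled for deletion"
    return None


def classify_key(meta: dict, rotation_enabled: Optional[bool]) -> Finding:
    """Map one key's metadata plus its rotation flag to a finding."""
    key_id = meta["KeyId"]
    reason = rotation_ineligibility_reason(meta)
    if reason is not None:
        return Finding(key_id, NOT_APPLICABLE, reason)
    if rotation_enabled:
        return Finding(key_id, PASS, "automatic rotation enabled")
    # Disabled keys are still in scope: the setting persists and rotation resumes on re-enable.
    return Finding(key_id, FAIL, "customer-managed symmetric key without automatic rotation")


def scan(kms) -> list:
    """Walk every key visible to the client and classify it.

    `kms` needs only get_paginator("list_keys"), describe_key and
    get_key_rotation_status. Rotation status is fetched only for eligible
    keys, so the call is never made against key types that lack rotation.
    """
    findings = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            rotation = None
            if rotation_ineligibility_reason(meta) is None:
                rotation = kms.get_key_rotation_status(KeyId=meta["KeyId"])["KeyRotationEnabled"]
            findings.append(classify_key(meta, rotation))
    return findings


def failing_key_ids(findings) -> list:
    return [f.key_id for f in findings if f.status == FAIL]


def _meta(key_id, manager="CUSTOMER", spec="SYMMETRIC_DEFAULT", origin="AWS_KMS", state="Enabled"):
    return {"KeyId": key_id, "KeyManager": manager, "KeySpec": spec, "Origin": origin, "KeyState": state}


# Constructed sample inventory (fake key IDs): metadata plus the rotation flag
# GetKeyRotationStatus would report. Exactly one key should fail the check.
SAMPLE_KEYS = {
    "00000000-0000-4000-8000-000000000001": (_meta("00000000-0000-4000-8000-000000000001"), True),
    "00000000-0000-4000-8000-000000000002": (_meta("00000000-0000-4000-8000-000000000002"), False),
    "00000000-0000-4000-8000-000000000003": (_meta("00000000-0000-4000-8000-000000000003", manager="AWS"), True),
    "00000000-0000-4000-8000-000000000004": (_meta("00000000-0000-4000-8000-000000000004", spec="RSA_2048"), False),
    "00000000-0000-4000-8000-000000000005": (_meta("00000000-0000-4000-8000-000000000005", origin="EXTERNAL"), False),
    "00000000-0000-4000-8000-000000000006": (_meta("00000000-0000-4000-8000-000000000006", state="PendingDeletion"), False),
}


class FakeKms:
    """Minimal stand-in for a boto3 KMS client, backed by SAMPLE_KEYS."""

    class _Paginator:
        def __init__(self, ids):
            self._ids = ids

        def paginate(self):
            yield {"Keys": [{"KeyId": k} for k in self._ids]}

    def get_paginator(self, name):
        assert name == "list_keys"
        return FakeKms._Paginator(list(SAMPLE_KEYS))

    def describe_key(self, KeyId):
        return {"KeyMetadata": SAMPLE_KEYS[KeyId][0]}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": SAMPLE_KEYS[KeyId][1]}


if __name__ == "__main__":
    for f in scan(FakeKms()):
        print(f"{f.status:15} {f.key_id}  {f.reason}")
```

To run it against a real account, pass boto3.client("kms", region_name=REGION) to scan() in place of FakeKms(); the caller needs kms:ListKeys, kms:DescribeKey and kms:GetKeyRotationStatus. Keys reported NOT_APPLICABLE for imported material or an external key store are not compliant by omission; they simply cannot be fixed with enable-key-rotation and need their own rotation procedure.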

Remediation: AWS CLI

aws kms enable-key-rotation --key-id KEY_ID --region REGION

KEY_ID is the key ID or key ARN of a customer-managed symmetric key. The call is rejected for asymmetric keys, HMAC keys, keys with imported key material and keys in a custom key store, none of which support automatic rotation.

Remediation: Terraform

resource "aws_kms_key" "example" {
  # Defaults to false when omitted, which is what this check flags.
  enable_key_rotation = true
}

Compliance mapping

This check maps to CIS 3.6 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.

This check is part of cloud-audit - install with pip install cloud-audit