KMS Customer-Managed Symmetric CMK Has Automatic Rotation Enabled

Overview

This check verifies that your customer-managed symmetric KMS keys have automatic key rotation enabled. AWS Key Management Service (KMS) lets you create encryption keys to protect your data. Enabling automatic rotation ensures that the cryptographic material (the actual key used for encryption) is refreshed regularly without any action on your part.

Risk

If automatic rotation is not enabled:

  • Prolonged key exposure: The same cryptographic material is used indefinitely, increasing the risk if it becomes compromised
  • Compliance violations: Many security frameworks (PCI-DSS, HIPAA, SOC 2) require regular key rotation
  • Limited cryptographic agility: Without rotation, you lose the ability to quickly respond to potential key compromise
  • Data at risk: If a non-rotated key is compromised, all data encrypted with that key remains vulnerable until manually rotated

Remediation Steps

Prerequisites

You need access to the AWS Console or AWS CLI with permissions to manage KMS keys. Specifically, you need the kms:EnableKeyRotation permission on the target key.

AWS Console Method

  1. Sign in to the AWS Console
  2. Navigate to Key Management Service (search "KMS" in the search bar)
  3. In the left sidebar, click Customer managed keys
  4. Click on the key that needs rotation enabled
  5. Scroll down to the Key rotation section
  6. Click Edit
  7. Check the box for Automatically rotate this KMS key every year
  8. Click Save

That's it! AWS will now automatically rotate the key material approximately every 365 days.

AWS CLI (optional)

Enable rotation on a specific key:

aws kms enable-key-rotation \
--key-id <your-key-id> \
--region us-east-1

Replace <your-key-id> with either:

  • The key ID (e.g., 1234abcd-12ab-34cd-56ef-1234567890ab)
  • The key ARN (e.g., arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab)

Set a custom rotation period (90 to 2560 days):

aws kms enable-key-rotation \
--key-id <your-key-id> \
--rotation-period-in-days 180 \
--region us-east-1

List all keys to find the one you need:

aws kms list-keys --region us-east-1

Check current rotation status:

aws kms get-key-rotation-status \
--key-id <your-key-id> \
--region us-east-1

CloudFormation (optional)

Use this template to create a new KMS key with automatic rotation enabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: KMS Key with automatic rotation enabled

Parameters:
  KeyAlias:
    Type: String
    Description: Alias for the KMS key
    Default: my-kms-key

Resources:
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Customer-managed KMS key with automatic rotation
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
      Tags:
        - Key: Purpose
          Value: Encryption

  KMSKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub 'alias/${KeyAlias}'
      TargetKeyId: !Ref KMSKey

Outputs:
  KeyId:
    Description: The ID of the KMS key
    Value: !Ref KMSKey
  KeyArn:
    Description: The ARN of the KMS key
    Value: !GetAtt KMSKey.Arn

Deploy the stack:

aws cloudformation create-stack \
--stack-name kms-key-with-rotation \
--template-body file://template.yaml \
--region us-east-1

Note: To enable rotation on an existing key managed by CloudFormation, update the EnableKeyRotation property to true and run a stack update.

Terraform (optional)

Use this configuration to create a KMS key with automatic rotation:

# KMS Key with automatic rotation enabled

variable "key_alias" {
  description = "Alias for the KMS key"
  type        = string
  default     = "my-kms-key"
}

variable "tags" {
  description = "Tags to apply to the KMS key"
  type        = map(string)
  default     = {}
}

resource "aws_kms_key" "main" {
  description             = "Customer-managed KMS key with automatic rotation"
  enable_key_rotation     = true
  deletion_window_in_days = 30

  tags = merge(
    var.tags,
    {
      Purpose = "Encryption"
    }
  )
}

resource "aws_kms_alias" "main" {
  name          = "alias/${var.key_alias}"
  target_key_id = aws_kms_key.main.key_id
}

output "key_id" {
  description = "The ID of the KMS key"
  value       = aws_kms_key.main.key_id
}

output "key_arn" {
  description = "The ARN of the KMS key"
  value       = aws_kms_key.main.arn
}

To enable rotation on an existing key, add or update the enable_key_rotation argument:

resource "aws_kms_key" "existing" {
  # ... other configuration ...
  enable_key_rotation = true
}

Verification

After enabling rotation, verify it worked:

  1. In the AWS Console, go back to KMS > Customer managed keys
  2. Click on your key
  3. In the Key rotation section, confirm it shows Enabled

CLI verification commands

aws kms get-key-rotation-status \
--key-id <your-key-id> \
--region us-east-1

Expected output when rotation is enabled:

{
    "KeyRotationEnabled": true,
    "NextRotationDate": "2025-01-15T00:00:00+00:00",
    "RotationPeriodInDays": 365
}

Re-run Prowler to confirm the fix:

prowler aws --check kms_cmk_rotation_enabled --region us-east-1

Additional Resources

Notes

  • Automatic rotation only applies to symmetric encryption keys. Asymmetric keys, HMAC keys, keys with imported key material, and keys in custom key stores cannot be automatically rotated.
  • Rotation does not re-encrypt existing data. AWS KMS keeps the old key material so it can still decrypt data encrypted before the rotation. New encryption operations use the new key material.
  • AWS-managed keys rotate automatically every year and cannot be configured. This check only applies to customer-managed keys.
  • Multi-Region keys: To enable rotation on multi-Region keys, you must set the property on the primary key.
  • Default rotation period is 365 days, but you can set a custom period between 90 and 2560 days using the CLI or API.
  • On-demand rotation: If you suspect a key has been compromised, you can perform an immediate on-demand rotation using aws kms rotate-key-on-demand without waiting for the scheduled rotation.
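The CLI commands above check one key at a time, and the Notes list the key types that cannot be rotated automatically. The following script is an added example, not Prowler's own check code, that applies those scope rules to the fields returned by the KMS DescribeKey and GetKeyRotationStatus APIs (KeyManager, KeySpec, KeyUsage, Origin, MultiRegionConfiguration, KeyRotationEnabled, RotationPeriodInDays) and reports PASS, FAIL or SKIP for every key. The decision logic runs offline on constructed sample metadata (the key IDs are made up); audit_region() is the live variant and assumes boto3 is installed and credentials with kms:ListKeys, kms:DescribeKey, kms:GetKeyRotationStatus and, when remediate=True, kms:EnableKeyRotation are available.

```python
"""
Evaluate customer-managed symmetric KMS keys for automatic rotation.

Added example (not Prowler's own check). The decision logic works on plain
dicts shaped like DescribeKey's KeyMetadata and GetKeyRotationStatus output,
so it runs offline on the constructed samples below; audit_region() wires the
same logic to boto3 for a live account.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Finding:
    key_id: str
    status: str                     # "PASS", "FAIL" or "SKIP"
    reason: str
    rotation_period_days: int | None = None


def rotation_scope_reason(meta: dict) -> str | None:
    """Return why a key is out of scope for automatic rotation, or None if in scope.

    Mirrors the exclusions in the Notes: AWS-managed keys, asymmetric and HMAC
    keys, imported key material, custom key stores, and multi-Region replicas
    (rotation is configured on the primary key). Only Enabled keys are evaluated.
    """
    if meta.get("KeyManager") != "CUSTOMER":
        return "AWS-managed key: rotation is handled by AWS"
    if meta.get("KeyState") != "Enabled":
        return f"key state is {meta.get('KeyState')}; only enabled keys are evaluated"
    if meta.get("KeySpec") != "SYMMETRIC_DEFAULT" or meta.get("KeyUsage") != "ENCRYPT_DECRYPT":
        return f"{meta.get('KeySpec')} key: only symmetric encryption keys support automatic rotation"
    if meta.get("Origin") != "AWS_KMS":
        return f"origin {meta.get('Origin')}: imported material and custom key stores cannot rotate automatically"
    mr_config = meta.get("MultiRegionConfiguration") or {}
    if meta.get("MultiRegion") and mr_config.get("MultiRegionKeyType") == "REPLICA":
        return "multi-Region replica: rotation is set on the primary key"
    return None


def evaluate_key(meta: dict, rotation: dict | None) -> Finding:
    """Combine key metadata and rotation status into one finding."""
    key_id = meta["KeyId"]
    reason = rotation_scope_reason(meta)
    if reason is not None:
        return Finding(key_id, "SKIP", reason)
    rotation = rotation or {}
    if rotation.get("KeyRotationEnabled"):
        period = rotation.get("RotationPeriodInDays", 365)   # 365 is the KMS default
        return Finding(key_id, "PASS", f"automatic rotation enabled every {period} days", period)
    return Finding(key_id, "FAIL", "automatic rotation is not enabled")


def audit_keys(keys) -> list[Finding]:
    """keys: iterable of (key_metadata, rotation_status_or_None) pairs."""
    return [evaluate_key(meta, rotation) for meta, rotation in keys]


def audit_region(region: str, remediate: bool = False) -> list[Finding]:
    """Live audit of one region; with remediate=True, enables rotation on FAIL keys."""
    import boto3  # imported here so the offline logic above has no AWS dependency

    kms = boto3.client("kms", region_name=region)
    findings = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            rotation = None
            if rotation_scope_reason(meta) is None:      # only query keys that can rotate
                rotation = kms.get_key_rotation_status(KeyId=meta["KeyId"])
            finding = evaluate_key(meta, rotation)
            if finding.status == "FAIL" and remediate:
                kms.enable_key_rotation(KeyId=meta["KeyId"])   # default 365-day period
                finding = Finding(meta["KeyId"], "PASS", "rotation enabled by remediation", 365)
            findings.append(finding)
    return findings


def _meta(key_id: str, **overrides) -> dict:
    """Constructed KeyMetadata for an in-scope key; overrides push it out of scope."""
    base = {"KeyId": key_id, "KeyManager": "CUSTOMER", "KeyState": "Enabled",
            "KeyUsage": "ENCRYPT_DECRYPT", "KeySpec": "SYMMETRIC_DEFAULT",
            "Origin": "AWS_KMS", "MultiRegion": False}
    base.update(overrides)
    return base


# Constructed sample inventory (hypothetical key IDs, not real account data).
SAMPLE_KEYS = [
    (_meta("1111aaaa-11aa-11aa-11aa-111111111111"), {"KeyRotationEnabled": True, "RotationPeriodInDays": 180}),
    (_meta("2222bbbb-22bb-22bb-22bb-222222222222"), {"KeyRotationEnabled": False}),
    (_meta("3333cccc-33cc-33cc-33cc-333333333333", KeyManager="AWS"), None),
    (_meta("4444dddd-44dd-44dd-44dd-444444444444", KeySpec="RSA_2048", KeyUsage="SIGN_VERIFY"), None),
    (_meta("5555eeee-55ee-55ee-55ee-555555555555", Origin="EXTERNAL"), None),
    (_meta("6666ffff-66ff-66ff-66ff-666666666666", MultiRegion=True,
           MultiRegionConfiguration={"MultiRegionKeyType": "REPLICA"}), None),
]

if __name__ == "__main__":
    for finding in audit_keys(SAMPLE_KEYS):
        print(f"{finding.status:4} {finding.key_id}  {finding.reason}")
```

The scope filter runs before GetKeyRotationStatus so that keys the service can never rotate are reported as SKIP rather than as failures, which keeps the FAIL list limited to keys where enable-key-rotation is actually the fix.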