Checks whether the automatic rotation feature is enabled for Key Management Service (KMS) secrets and whether automatic rotation is performed based on the specified rotation period. If so, the evaluation result is Compliant. This rule does not apply to generic secrets because periodic key rotation cannot be enabled for a generic secret in KMS.
Scenarios
You can enable the automatic rotation feature for KMS secrets to reduce the risk of secret leaks and improve the security of your system. Before you enable it, make sure that your applications are compatible with automatic rotation.
Risk level
Default risk level: high.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
Checks whether the automatic rotation feature is enabled for a KMS secret and whether the most recent rotation occurred within the specified rotation period. If both conditions are met, the evaluation result is Compliant.
This rule does not apply to generic secrets because periodic key rotation cannot be enabled for a generic secret in KMS.
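As an added example (not part of the original rule documentation), the following Python sketch applies the evaluation logic above to a constructed inventory of secrets. The field names SecretType, AutomaticRotation, RotationIntervalDays and LastRotationDate are assumptions for this example, not the KMS API schema.

```python
from datetime import datetime, timedelta, timezone

# Results reported by the rule; NotApplicable covers generic secrets, which
# the page says the rule skips.
COMPLIANT = "Compliant"
NON_COMPLIANT = "NonCompliant"
NOT_APPLICABLE = "NotApplicable"


def evaluate_secret(secret: dict, now: datetime) -> str:
    """Apply the rule's two conditions to one secret's metadata.

    The field names (SecretType, AutomaticRotation, RotationIntervalDays,
    LastRotationDate) are assumed for this example, not the KMS API schema.
    """
    # Periodic rotation cannot be enabled for generic secrets, so skip them.
    if secret.get("SecretType") == "Generic":
        return NOT_APPLICABLE
    # Condition 1: automatic rotation must be enabled.
    if secret.get("AutomaticRotation") != "Enabled":
        return NON_COMPLIANT
    # Condition 2: the last rotation must lie within the rotation period.
    last = secret.get("LastRotationDate")
    if not last:
        # Enabled but no rotation on record: treated as overdue (assumption).
        return NON_COMPLIANT
    last_rotated = datetime.fromisoformat(last.replace("Z", "+00:00"))
    period = timedelta(days=int(secret["RotationIntervalDays"]))
    return COMPLIANT if now - last_rotated <= period else NON_COMPLIANT


def evaluate_all(secrets: list, now: datetime) -> dict:
    """Return {secret name: result} for a whole inventory."""
    return {s["SecretName"]: evaluate_secret(s, now) for s in secrets}


# Constructed sample inventory (not real KMS output) and a fixed evaluation
# time so the results are deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"SecretName": "rds-app-db", "SecretType": "Rds", "AutomaticRotation": "Enabled",
     "RotationIntervalDays": 30, "LastRotationDate": "2024-05-20T00:00:00Z"},
    {"SecretName": "ram-deploy-key", "SecretType": "RAMCredentials", "AutomaticRotation": "Enabled",
     "RotationIntervalDays": 7, "LastRotationDate": "2024-05-10T00:00:00Z"},
    {"SecretName": "ecs-bastion-pwd", "SecretType": "ECS", "AutomaticRotation": "Disabled",
     "RotationIntervalDays": 30, "LastRotationDate": None},
    {"SecretName": "legacy-api-token", "SecretType": "Generic", "AutomaticRotation": "Disabled",
     "RotationIntervalDays": None, "LastRotationDate": None},
]
```

Running `evaluate_all(SAMPLE_SECRETS, NOW)` flags the secret whose rotation is enabled but overdue as well as the one with rotation disabled, while the generic secret is reported as not applicable.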
Rule details
| Parameter | Description |
| --- | --- |
| Rule Template Name | kms-secret-last-rotation-date-check |
| Rule Template Identifier | |
| Tag | Secret |
| Automatic remediation | Not supported |
| Invoke Type | Periodic: every 24 hours |
| Supported resource type | KMS secret (ACS::KMS::Secret) |
| Input parameter | N/A |
Non-compliance remediation
Enable the automatic rotation feature for the KMS secret and make sure that rotation is performed within the specified rotation period. For more information, see Overview.