Checks whether the automatic rotation feature is enabled for Key Management Service (KMS) customer master keys (CMKs). If this feature is enabled, the configuration is considered compliant.
Scenarios
Enabling the automatic rotation feature for KMS CMKs limits how long any single key version stays in use, which reduces the impact of a CMK leak and improves the security of the system. Before you enable it, make sure that your applications can work with a CMK whose key material is rotated.
Risk level
Default risk level: medium.
When you configure this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If the automatic rotation feature is enabled for KMS CMKs, the configuration is considered compliant.
- If the automatic rotation feature is disabled for KMS CMKs, the configuration is considered non-compliant. For more information about how to remediate the non-compliant configuration, see Non-compliance remediation.
Rule details
| Item | Description |
|---|---|
| Rule name | kms-key-rotation-enabled |
| Rule ID | kms-key-rotation-enabled |
| Tag | KMS and CMK |
| Automatic remediation | Supported |
| Trigger type | Configuration change |
| Supported resource type | KMS CMKs |
| Input parameter | None |
Non-compliance remediation
Enable the automatic rotation feature for KMS CMKs. For more information, see Automatic key rotation.
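The following is an added example, not Alibaba Cloud Config's own implementation, that puts the compliance evaluation logic and the remediation step above into code: it evaluates CMK descriptions, treats only an explicit "Enabled" rotation status as compliant, fails closed when the status is missing, and attaches an enable-rotation remediation to each non-compliant key. The record fields (KeyId, KeyState, AutomaticRotation, RotationInterval), the configuration-change event shape and the remediation action name are assumptions for this example; the sample key records and key IDs are constructed.

```python
"""Added example: evaluating KMS CMKs against the kms-key-rotation-enabled rule.

Illustrative code, not Alibaba Cloud Config's own implementation. The record
fields KeyId, KeyState, AutomaticRotation and RotationInterval are assumptions
modelled on the shape of a KMS key description; the sample records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


@dataclass(frozen=True)
class Evaluation:
    key_id: str
    compliance: str
    reason: str
    # Remediation step for a non-compliant key; None when nothing needs doing.
    remediation: Optional[Dict[str, str]]


def evaluate_key(key: Dict[str, str]) -> Evaluation:
    """Apply the rule's two-branch logic to one CMK description.

    Only an explicit "Enabled" rotation status counts as compliant. A missing or
    unrecognised status is treated as non-compliant (fail closed) rather than
    silently passing a key whose rotation state could not be determined.
    """
    key_id = key["KeyId"]
    status = key.get("AutomaticRotation")

    if status == "Enabled":
        interval = key.get("RotationInterval", "unspecified")
        return Evaluation(key_id, COMPLIANT,
                          f"automatic rotation enabled (interval {interval})", None)

    if status is None:
        reason = "rotation status missing from key description"
    else:
        reason = f"automatic rotation is {status}"

    # Remediation mirrors the rule's Non-compliance remediation section: enable
    # the feature. The action name and interval are placeholders chosen for this
    # example, not a real API call.
    remediation = {
        "action": "ENABLE_AUTOMATIC_ROTATION",  # placeholder action name
        "KeyId": key_id,
        "RotationInterval": "365d",             # example interval, chosen here
    }
    return Evaluation(key_id, NON_COMPLIANT, reason, remediation)


def evaluate_keys(keys: Iterable[Dict[str, str]]) -> List[Evaluation]:
    """Evaluate a batch of key descriptions, e.g. one account's CMK inventory."""
    return [evaluate_key(k) for k in keys]


def non_compliant_key_ids(keys: Iterable[Dict[str, str]]) -> List[str]:
    """Key IDs that need remediation, for a ticket or an auto-remediation job."""
    return [e.key_id for e in evaluate_keys(keys) if e.compliance == NON_COMPLIANT]


def evaluate_change_event(event: Dict) -> Evaluation:
    """Handle a configuration-change trigger by evaluating the key's new configuration.

    The event shape (a "configuration" member holding the key description) is an
    assumption for this example.
    """
    return evaluate_key(event["configuration"])


# Constructed sample inventory: IDs and statuses are placeholders, not real keys.
SAMPLE_KEYS = [
    {"KeyId": "key-example-0001", "KeyState": "Enabled",
     "AutomaticRotation": "Enabled", "RotationInterval": "365d"},
    {"KeyId": "key-example-0002", "KeyState": "Enabled",
     "AutomaticRotation": "Disabled"},
    {"KeyId": "key-example-0003", "KeyState": "Disabled",
     "AutomaticRotation": "Suspended"},
    {"KeyId": "key-example-0004", "KeyState": "Enabled"},  # status missing
]

if __name__ == "__main__":
    for ev in evaluate_keys(SAMPLE_KEYS):
        print(f"{ev.key_id}: {ev.compliance} - {ev.reason}")
        if ev.remediation:
            print(f"    remediation: {ev.remediation}")
```

The fail-closed default matters in practice: an inventory record that lacks a rotation status is more likely to be an API or permission problem than a rotated key, so reporting it as non-compliant surfaces the gap instead of hiding it behind a green check.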