Checks whether the automatic rotation feature is enabled for Key Management Service (KMS) secrets. If this feature is enabled, the configuration is considered compliant.
Scenarios
You can enable the automatic rotation feature for KMS secrets to reduce the risk of secret leaks and improve the security of the system. Make sure that your applications can handle secret values that change after a rotation.
Risk level
Default risk level: medium.
When you configure this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If the automatic rotation feature is enabled for KMS secrets, the configuration is considered compliant.
- If the automatic rotation feature is disabled for KMS secrets, the configuration is considered non-compliant. For more information about how to remediate the non-compliant configuration, see Non-compliance remediation.
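The evaluation logic above, expressed as an offline checker that is added here and is not part of this page or of Cloud Config itself. It assumes each secret is described by a dictionary shaped like a KMS DescribeSecret response with an `AutomaticRotation` field whose values are `Enabled`, `Disabled` or `Invalid` (field name and values are assumptions, not taken from this page), and it treats anything other than a confirmed `Enabled` as non-compliant.

```python
"""Offline evaluator mirroring the kms-secret-rotation-enabled rule."""
from typing import Dict, List

RULE_ID = "kms-secret-rotation-enabled"
COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"

# Assumed values of the AutomaticRotation field of a DescribeSecret response.
_REASONS = {
    "Disabled": "automatic rotation is disabled",
    "Invalid": "automatic rotation is configured but in an invalid state",
}


def evaluate_secret(secret: Dict) -> Dict:
    """Return the compliance verdict for one secret description."""
    state = secret.get("AutomaticRotation")
    if state == "Enabled":
        return {"SecretName": secret["SecretName"], "RuleId": RULE_ID,
                "Status": COMPLIANT, "Reason": "automatic rotation is enabled"}
    # Disabled, Invalid or a missing field: conservatively non-compliant,
    # with a reason that tells the operator what to remediate.
    reason = _REASONS.get(state, f"unexpected AutomaticRotation value: {state!r}")
    return {"SecretName": secret["SecretName"], "RuleId": RULE_ID,
            "Status": NON_COMPLIANT, "Reason": reason}


def evaluate_all(secrets: List[Dict]) -> List[Dict]:
    """Evaluate every secret and return one verdict per secret."""
    return [evaluate_secret(s) for s in secrets]


def non_compliant_names(secrets: List[Dict]) -> List[str]:
    """Names of the secrets that need remediation (rotation to be enabled)."""
    return [r["SecretName"] for r in evaluate_all(secrets)
            if r["Status"] == NON_COMPLIANT]


# Constructed sample data standing in for real DescribeSecret responses.
SAMPLE_SECRETS = [
    {"SecretName": "db-password", "SecretType": "Generic",
     "AutomaticRotation": "Enabled", "RotationInterval": "2592000s"},
    {"SecretName": "api-token", "SecretType": "Generic",
     "AutomaticRotation": "Disabled"},
    {"SecretName": "legacy-key", "SecretType": "Generic"},  # field missing
]

if __name__ == "__main__":
    for verdict in evaluate_all(SAMPLE_SECRETS):
        print(f"{verdict['SecretName']}: {verdict['Status']} ({verdict['Reason']})")
```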
Rule details
| Item | Description |
| --- | --- |
| Rule name | kms-secret-rotation-enabled |
| Rule ID | kms-secret-rotation-enabled |
| Tag | KMS and Secret |
| Automatic remediation | Not supported |
| Trigger type | Periodic execution |
| Time interval | All day |
| Supported resource type | KMS secrets |
| Input parameter | None |
Non-compliance remediation
Enable the automatic rotation feature for KMS secrets. For more information, see Rotate generic secrets.