Customer-managed KMS symmetric keys in the Enabled state are evaluated to confirm automatic rotation of key material is configured
Risk
Without automatic rotation, a single version of key material protects everything ever encrypted under the key, for as long as the key lives. Rotation bounds how much data any one key version covers and limits how long compromised material or a misused grant stays useful for newly encrypted data. Two caveats matter when weighing this risk: KMS keeps every previous version of the key material, so existing ciphertext remains decryptable after rotation and rotation does not revoke access to data already encrypted; and rotation does nothing against a principal who is simply permitted to call Decrypt on the key, which is a key policy and IAM problem. Leaving rotation off also reduces crypto agility and may conflict with mandated rotation policies.
prowler aws --checks kms_cmk_rotation_enabled
prowler aws --checks kms_cmk_rotation_enabled --fixer
Recommendation
Enable automatic rotation on customer-managed symmetric encryption keys whose material was generated by KMS (Origin AWS_KMS); asymmetric, HMAC, imported-material and custom key store keys cannot be rotated automatically and need a manual rotation procedure instead. Choose a rotation period (90 to 2560 days, default 365) that meets policy. Enforce least privilege and separation of duties for key administration (EnableKeyRotation, PutKeyPolicy, ScheduleKeyDeletion) versus key usage (Encrypt, Decrypt, GenerateDataKey). Monitor key lifecycle events in CloudTrail, in particular DisableKeyRotation and ScheduleKeyDeletion, and use on-demand rotation (RotateKeyOnDemand) when compromise is suspected rather than waiting for the scheduled rotation.
Remediation
aws kms enable-key-rotation --key-id <KEY_ID>
- In the AWS Console, go to Key Management Service (KMS)
- Open Customer managed keys and select the enabled symmetric key
- Go to the Key rotation section
- Check Enable automatic key rotation
- Save changes
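The following is an added example, not Prowler's own check or fixer code, that ties the evaluation described at the top of the page to the remediation steps above: it walks every key in a region, classifies each one as PASS, FAIL or SKIP using the DescribeKey metadata fields (KeyManager, KeyState, KeySpec, Origin) and GetKeyRotationStatus, enables rotation on the failures, and rescans to verify. The filter order, the status names and the FakeKms stand-in with its made-up key IDs are assumptions made for this example; the boto3 call names and parameters are the real KMS API. Pass boto3.client("kms") instead of FakeKms to run it live.

```python
"""Added example, not Prowler's own code: evaluate customer-managed KMS keys for
automatic rotation as the check above describes, then enable rotation on the
ones that fail. Runs offline against the constructed FakeKms below, or live by
passing boto3.client("kms") to run_demo()."""
import types
from dataclasses import dataclass


@dataclass
class Finding:
    key_id: str
    status: str  # PASS, FAIL or SKIP (status names are this example's choice)
    reason: str


def evaluate_key(meta, rotation_enabled=None):
    """Classify one key from its DescribeKey KeyMetadata plus the KeyRotationEnabled
    value from GetKeyRotationStatus (None when it was not fetched).

    Only customer-managed, Enabled, SYMMETRIC_DEFAULT keys whose material was
    generated by KMS (Origin AWS_KMS) support automatic rotation, so anything else
    is reported as SKIP with the reason rather than as FAIL."""
    key_id = meta["KeyId"]
    if meta.get("KeyManager") != "CUSTOMER":
        return Finding(key_id, "SKIP", "AWS managed key; rotation is handled by AWS")
    if meta.get("KeyState") != "Enabled":
        return Finding(key_id, "SKIP", "key state is %s" % meta.get("KeyState"))
    if meta.get("KeySpec") != "SYMMETRIC_DEFAULT":
        return Finding(key_id, "SKIP", "%s keys cannot be auto-rotated" % meta.get("KeySpec"))
    if meta.get("Origin") != "AWS_KMS":
        return Finding(key_id, "SKIP", "origin %s: rotate by re-import or a new key" % meta.get("Origin"))
    if rotation_enabled is True:
        return Finding(key_id, "PASS", "automatic rotation is enabled")
    return Finding(key_id, "FAIL", "automatic rotation is disabled")


def _can_rotate(meta):
    return (meta.get("KeyManager") == "CUSTOMER"
            and meta.get("KeySpec") == "SYMMETRIC_DEFAULT"
            and meta.get("Origin") == "AWS_KMS")


def scan_keys(kms):
    """Evaluate every key in the region. kms is a boto3 KMS client or a stand-in
    exposing the same list_keys / describe_key / get_key_rotation_status calls."""
    findings = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            rotation = None
            if _can_rotate(meta):  # only ask KMS where rotation is meaningful
                rotation = kms.get_key_rotation_status(KeyId=meta["KeyId"])["KeyRotationEnabled"]
            findings.append(evaluate_key(meta, rotation))
    return findings


def remediate(kms, findings, rotation_period_days=365):
    """Enable rotation on each FAIL finding; returns the key IDs changed.
    RotationPeriodInDays (90..2560) needs a 2024-or-later botocore; drop the
    argument to accept the KMS default of 365 days."""
    fixed = []
    for f in findings:
        if f.status == "FAIL":
            kms.enable_key_rotation(KeyId=f.key_id, RotationPeriodInDays=rotation_period_days)
            fixed.append(f.key_id)
    return fixed


class FakeKms:
    """Constructed stand-in for the boto3 KMS client holding five sample keys
    (the IDs are made up; real KeyIds are UUIDs)."""

    def __init__(self):
        sym = dict(KeyManager="CUSTOMER", KeyState="Enabled",
                   KeySpec="SYMMETRIC_DEFAULT", Origin="AWS_KMS")
        self.keys = {
            "k-sym-rotated": dict(sym, KeyId="k-sym-rotated"),
            "k-sym-unrotated": dict(sym, KeyId="k-sym-unrotated"),
            "k-rsa": dict(sym, KeyId="k-rsa", KeySpec="RSA_2048"),
            "k-imported": dict(sym, KeyId="k-imported", Origin="EXTERNAL"),
            "k-aws-managed": dict(sym, KeyId="k-aws-managed", KeyManager="AWS"),
        }
        self.rotation = {"k-sym-rotated": True, "k-sym-unrotated": False}

    def get_paginator(self, operation_name):
        pages = [{"Keys": [{"KeyId": k} for k in self.keys]}]
        return types.SimpleNamespace(paginate=lambda: pages)

    def describe_key(self, KeyId):
        return {"KeyMetadata": self.keys[KeyId]}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self.rotation.get(KeyId, False)}

    def enable_key_rotation(self, KeyId, RotationPeriodInDays=365):
        self.rotation[KeyId] = True


def run_demo(kms=None):
    """Scan, fix, rescan; returns (status before, key IDs fixed, status after)."""
    kms = kms or FakeKms()
    before = scan_keys(kms)
    fixed = remediate(kms, before)
    after = scan_keys(kms)
    return ({f.key_id: f.status for f in before}, fixed,
            {f.key_id: f.status for f in after})


if __name__ == "__main__":
    before, fixed, after = run_demo()
    for key_id, status in before.items():
        print(key_id, status, "->", after[key_id])
    print("rotation enabled on:", fixed)
```

The SKIP bucket is deliberate: reporting an RSA key or a key with imported material as FAIL would send an operator to a console toggle that does not exist for that key, so the finding names the reason and leaves the manual rotation decision to the owner. Against a live account, the caller needs kms:ListKeys, kms:DescribeKey and kms:GetKeyRotationStatus for the scan and kms:EnableKeyRotation for the fix, which is a good split to keep between a read-only audit role and a key administrator role.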
Source Code
Resource Type
AwsKmsKey