More Info:

When you enable automatic key rotation, AWS KMS rotates the CMK 365 days after the enable date and every 365 days thereafter.

Risk Level

Medium

Address

Security

Compliance Standards

HIPAA, GDPR, NIST, HITRUST, AWSWAF, CISAWS, CBP, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the KMS Key Rotation misconfiguration in AWS using the AWS console:
  1. Log in to your AWS Management Console.
  2. Navigate to the AWS Key Management Service (KMS) dashboard.
  3. Select the KMS key that needs to be remediated.
  4. Click on the “Key policy” button to view the key policy.
  5. In the key policy, locate the “KeyRotationEnabled” statement. If it is not present, add it to the key policy.
  6. Set the value of “KeyRotationEnabled” to “true”.
  7. Click on the “Save changes” button to save the updated key policy.
After completing these steps, KMS key rotation will be enabled for the selected key. It is recommended to perform this remediation for all KMS keys used in your AWS environment.

To remediate the misconfiguration “KMS Key Rotation Should Be Enabled” for AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine or in the AWS Management Console.
  2. Check if the KMS key rotation is enabled or not using the following command: 
aws kms get-key-rotation-status --key-id <key-id>
Note: Replace <key-id> with the ID of the KMS key for which you want to check the rotation status.
  1. If the key rotation is not enabled, enable it using the following command:
aws kms enable-key-rotation --key-id <key-id>
Note: Replace <key-id> with the ID of the KMS key for which you want to enable the rotation.
  1. Verify if the key rotation is enabled using the following command:
aws kms get-key-rotation-status --key-id <key-id>
Note: Replace <key-id> with the ID of the KMS key for which you want to check the rotation status.
  1. Repeat steps 2-4 for all the KMS keys in your AWS account.
By following these steps, you can remediate the misconfiguration “KMS Key Rotation Should Be Enabled” for AWS using AWS CLI.
To remediate KMS Key Rotation Should Be Enabled in AWS, you can use the following steps in Python:
  1. Import the necessary libraries:
import boto3
  1. Create a boto3 client for AWS Key Management Service:
kms_client = boto3.client('kms')
  1. Get a list of all KMS keys:
keys = kms_client.list_keys()
  1. Loop through each key and check if key rotation is enabled:
for key in keys['Keys']:
    key_id = key['KeyId']
    key_rotation_status = kms_client.get_key_rotation_status(KeyId=key_id)
    if not key_rotation_status['KeyRotationEnabled']:
        # Enable key rotation
        kms_client.enable_key_rotation(KeyId=key_id)
  1. Save the Python script and run it to enable key rotation for all KMS keys.
Note: Make sure you have appropriate AWS credentials with required permissions to perform this operation.

Additional Reading: