CMK rotation is disabled

ID: aws_cmk_rotation_disabled

Severity: high

Vendor: AWS

Resource: Encryption

Tags: reachable

Description

CMK rotation is disabled. Enable CMK key rotation to reduce the potential impact of a compromised key: data encrypted with the new key material cannot be decrypted with previous key material that may have been exposed.

To fix it, set enable_key_rotation: true on the key; the parameter defaults to false.

Learn more about this topic in the AWS documentation on rotating KMS keys.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - amazon.aws.kms_key:
        alias: mykey
        tags:
          Name: myKey
          Purpose: protect_stuff

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - amazon.aws.kms_key:
        alias: mykey
        enable_key_rotation: true
        tags:
          Name: myKey
          Purpose: protect_stuff
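As an added example that is not part of the original rule page, the following Python check applies this rule to an Ansible playbook that has already been parsed into Python data (the structure yaml.safe_load returns). It assumes the module name amazon.aws.kms_key as on the page, descends into block/rescue/always sections, and skips tasks with state: absent; the sample playbooks are constructed from the two examples above.

```python
# Added example (not the page's or scanner's own code): apply the
# aws_cmk_rotation_disabled rule to a parsed Ansible playbook.
# Assumptions: tasks may sit under block/rescue/always, and a task with
# state: absent creates no key and is therefore not flagged.

KMS_MODULES = {"amazon.aws.kms_key"}             # module names this rule inspects
ANSIBLE_TRUE = {True, "true", "yes", "on", "1"}  # boolean spellings Ansible accepts


def _iter_tasks(tasks):
    """Yield every task, descending into block/rescue/always sections."""
    for task in tasks or []:
        for section in ("block", "rescue", "always"):
            if section in task:
                yield from _iter_tasks(task[section])
        yield task


def rotation_disabled_tasks(playbook):
    """Return (play name, task label) for each kms_key task that does not set
    enable_key_rotation to true. The module defaults to false, so an omitted
    parameter is reported exactly like an explicit false."""
    findings = []
    for play in playbook:
        for task in _iter_tasks(play.get("tasks")):
            for module in KMS_MODULES.intersection(task):
                params = task[module] or {}
                if params.get("state", "present") == "absent":
                    continue  # key is being deleted, nothing to rotate
                value = params.get("enable_key_rotation", False)
                if isinstance(value, str):
                    value = value.strip().lower()
                # anything that is not a recognised "true" counts as disabled
                enabled = isinstance(value, (bool, int, str)) and value in ANSIBLE_TRUE
                if not enabled:
                    label = task.get("name") or params.get("alias") or "<unnamed task>"
                    findings.append((play.get("name", "<unnamed play>"), label))
    return findings


# Constructed samples: the page's non-compliant and fixed playbooks in parsed form.
VULNERABLE = [{"name": "Example playbook", "hosts": "localhost", "tasks": [
    {"amazon.aws.kms_key": {"alias": "mykey", "tags": {"Name": "myKey"}}}]}]
FIXED = [{"name": "Example playbook", "hosts": "localhost", "tasks": [
    {"amazon.aws.kms_key": {"alias": "mykey", "enable_key_rotation": True,
                            "tags": {"Name": "myKey"}}}]}]
```

Load a real playbook with yaml.safe_load and pass the resulting list of plays to rotation_disabled_tasks; an empty result means every created key has rotation enabled.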