KMS encryption keys should be rotated every 90 days or less

ID

gcp_high_kms_crypto_key_rotation_period

Severity

low

Vendor

GCP

Resource

Secrets

Tags

reachable

Description

The recommended rotation_period for a Cloud KMS crypto key is 90 days or less.

A short lifetime of encryption keys reduces the potential blast radius in case of compromise.

To fix it, set rotation_period on the KMS crypto key definition to a value less than or equal to 7776000s (90 days).

Learn more about this topic at Create a VPC-native cluster.

Examples

---
- name: key ring
  google.cloud.gcp_kms_key_ring:
    name: key-ring
    location: us-central1
    project: '{{ gcp_project }}'
    auth_kind: '{{ gcp_cred_kind }}'
    service_account_file: '{{ gcp_cred_file }}'
    state: present
  register: keyring

- name: create a crypto key
  google.cloud.gcp_kms_crypto_key:
    name: test_object
    key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-ring
    project: test_project
    auth_kind: serviceaccount
    rotation_period: 10510000s
    service_account_file: /tmp/auth.pem
    state: present

Mitigation / Fix

---
- name: key ring
  google.cloud.gcp_kms_key_ring:
    name: key-ring
    location: us-central1
    project: '{{ gcp_project }}'
    auth_kind: '{{ gcp_cred_kind }}'
    service_account_file: '{{ gcp_cred_file }}'
    state: present
  register: keyring

- name: create a crypto key
  google.cloud.gcp_kms_crypto_key:
    name: test_object
    key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-ring
    project: test_project
    auth_kind: serviceaccount
    rotation_period: 7776000s
    service_account_file: /tmp/auth.pem
    state: present
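As an added example (not code from this rule page or from the google.cloud collection), the following Python check applies the rule above to Ansible task lists such as the two playbooks shown: it reads each gcp_kms_crypto_key task, parses the GCP duration string, and reports any rotation_period longer than 7776000s. It assumes the tasks are already loaded into Python dicts (for example with yaml.safe_load), and, as an assumption not stated on the page, it also reports a key with no rotation_period at all.

```python
"""Flag Ansible gcp_kms_crypto_key tasks whose rotation_period exceeds 90 days.
Added example; not code from the scanner or the google.cloud collection."""
import re

MAX_ROTATION_SECONDS = 90 * 24 * 60 * 60  # 7776000s, the page's threshold
CRYPTO_KEY_MODULES = ("google.cloud.gcp_kms_crypto_key", "gcp_kms_crypto_key")
_DURATION_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)s\s*$")  # GCP duration: seconds + 's'

def parse_duration_seconds(value):
    """Seconds in a GCP duration string such as '7776000s'; ValueError otherwise."""
    match = _DURATION_RE.match(str(value))
    if not match:
        raise ValueError(f"unrecognised rotation_period: {value!r}")
    return float(match.group(1))

def check_tasks(tasks):
    """Return (task name, finding) pairs for every crypto-key task whose
    rotation_period is missing, unparseable, or longer than MAX_ROTATION_SECONDS.
    Assumption (not on the page): a key with no rotation_period never rotates, so it is reported."""
    findings = []
    for task in tasks:
        args = next((task[m] for m in CRYPTO_KEY_MODULES if m in task), None)
        if args is None:
            continue  # e.g. the key ring task: rotation_period is not set there
        name = task.get("name", "<unnamed>")
        period = args.get("rotation_period")
        if period is None:
            findings.append((name, "rotation_period not set"))
            continue
        try:
            seconds = parse_duration_seconds(period)
        except ValueError as exc:
            findings.append((name, str(exc)))
            continue
        if seconds > MAX_ROTATION_SECONDS:
            findings.append((name, f"rotation_period {period} exceeds {MAX_ROTATION_SECONDS}s"))
    return findings

# Constructed task lists (Python form of yaml.safe_load on the page's two playbooks).
NONCOMPLIANT_TASKS = [
    {"name": "key ring", "google.cloud.gcp_kms_key_ring": {"name": "key-ring"}},
    {"name": "create a crypto key",
     "google.cloud.gcp_kms_crypto_key": {"name": "test_object", "rotation_period": "10510000s"}},
]
COMPLIANT_TASKS = [
    {"name": "create a crypto key",
     "google.cloud.gcp_kms_crypto_key": {"name": "test_object", "rotation_period": "7776000s"}},
]
```

Running check_tasks over NONCOMPLIANT_TASKS reports the 10510000s key (about 121 days); over COMPLIANT_TASKS it returns an empty list.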