How To

Enabling KMS key rotation

How to automatically enable CMK rotation for all of your AWS accounts.

Bob Tordella
5 min. read - Apr 20, 2021

One reason encryption key rotation is important is that it prevents a third party from using large amounts of encrypted data to reverse engineer your keys. When using the AWS Key Management Service (KMS), you can rotate your keys by creating a new customer master key (CMK) and then updating an existing key alias to reference it (this is often called “manual rotation” even though it can be accomplished programmatically).

The other option is to use an AWS KMS feature called “automatic key rotation”. When automatic key rotation is enabled, AWS will automatically generate new random cryptographic material every 365 days and create a new backing key. That backing key is then appended to the list of backing keys for the given CMK. Rotation does not affect anything previously encrypted with the older keys: all previously used backing keys are still stored and used for decryption, while any new encryption tasks use the new key.

Automated key rotation is a reasonable best practice for certain types of workloads, but not all, and it may increase the cost of KMS. Depending on the workload, some users may consider other approaches (like alias swaps, or custom application code that does a decrypt/encrypt with a new CMK) as alternatives.

This post looks at how Turbot Guardrails can help you enable automatic key rotation across all of the CMKs in all of your AWS Accounts.

Traditional Workflow

You can use the AWS KMS console or the AWS KMS API to enable and disable automatic key rotation, and to view the rotation status of any customer managed CMK. When you enable automatic key rotation, AWS KMS rotates the CMK 365 days after the enable date and every 365 days thereafter. This feature can only be set after a key is created. While it is simple to configure for a few keys, when there are hundreds across many AWS accounts it becomes difficult to manage without writing your own scripts.
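For a sense of what "writing your own scripts" involves, here is an added example (not Turbot's code and not from the original post) that audits one account and region through the AWS KMS API with boto3 and, with `--enforce`, enables rotation on eligible keys. The status labels and function names are this example's own, and running it across many accounts would still need a loop over accounts and regions with the appropriate credentials.

```python
"""Added example: audit KMS key rotation in one account/region, optionally enforce."""


def rotation_eligible(meta):
    """Automatic rotation applies to enabled, customer managed, symmetric
    encryption keys with KMS-generated material; on multi-Region keys it
    is managed on the primary key, so replicas are skipped."""
    replica = meta.get("MultiRegionConfiguration", {}).get("MultiRegionKeyType") == "REPLICA"
    return (meta["KeyManager"] == "CUSTOMER"
            and meta["KeyState"] == "Enabled"
            and meta.get("KeySpec") == "SYMMETRIC_DEFAULT"
            and meta.get("Origin") == "AWS_KMS"
            and not replica)


def audit_rotation(kms, enforce=False):
    """Return {key_id: status} for every key the `kms` client can list.

    enforce=False only reports ("alarm" = eligible but rotation is off);
    enforce=True also calls EnableKeyRotation on those keys.
    """
    report = {}
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            key_id = key["KeyId"]
            meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
            if not rotation_eligible(meta):
                report[key_id] = "skipped"
            elif kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]:
                report[key_id] = "ok"
            elif enforce:
                kms.enable_key_rotation(KeyId=key_id)
                report[key_id] = "enabled"
            else:
                report[key_id] = "alarm"
    return report


if __name__ == "__main__":
    import sys
    import boto3  # imported here so the functions above load without the AWS SDK

    client = boto3.client("kms")  # credentials and region come from the environment
    for key_id, status in audit_rotation(client, "--enforce" in sys.argv).items():
        print(f"{key_id}\t{status}")
```

Run it without `--enforce` first to see which keys would change before any configuration is modified.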

Get it done with Turbot Guardrails

In Turbot Guardrails, AWS KMS Key Rotation guardrails are readily available to control your cloud resource configurations. We can set the Turbot automation AWS > KMS > Key > Rotation policy in just a few clicks:

After setting this policy, Turbot Guardrails will identify all CMKs that are not enabled for AWS automatic rotation, and then handle remediation (i.e. update the key rotation configuration).

If you are not yet ready to enforce remediation, you can still assess the impact of this in your environment by setting the value to Check: Enabled at the Turbot level. You can then selectively apply the enforcement setting as desired.

Make it happen!

See for yourself how easy it is to manage your KMS key configuration across your AWS accounts. A ready-to-run Terraform template is available to enable this configuration from the Turbot Development Kit (TDK). If you need any assistance, let us know in our Slack community #guardrails channel. If you are new to Turbot, connect with us to learn more!