Enabling key rotation reduces the chance that a compromised customer master key (CMK) could be used without your knowledge to access AWS resources.
AWS Key Rotation: how can we check whether Key Rotation is enabled?
To determine whether your customer master keys have Key Rotation enabled, perform the following:
A) Sign in to the AWS Management Console.
B) Navigate to the IAM dashboard.
C) In the left navigation panel, click Encryption Keys.
D) Select the appropriate AWS region from the Filter menu.
E) Under the Alias column, select the alias of the CMK that you need to check.
F) Check the status of the "Rotate this key every year" switch under the Key Rotation section.
How do we enable AWS Key Rotation?
To enable AWS KMS Key Rotation, you need to perform the following:
1) Run the list-keys command to list all your customer master keys:
aws kms list-keys
2) The command output returns the ARN (Amazon Resource Name) and the ID of each CMK created in your current AWS region:
{
    "Keys": [
        {
            "KeyArn": "arn:aws:kms:us-west-2:1234567812345:key/8e1a0a1b-fa71-4077-8fde-e4cab5f1458c",
            "KeyId": "4t3d0t3b-ta35-4077-8fde-e4cab4rw369d"
        }
    ]
}
3) Run the enable-key-rotation command, passing the CMK ID as a parameter, to enable Key Rotation for the selected key:
aws kms enable-key-rotation --key-id 4t3d0t3b-ta35-4077-8fde-e4cab4rw369d
4) Run the get-key-rotation-status command to make sure that Key Rotation has been enabled:
aws kms get-key-rotation-status --key-id 4t3d0t3b-ta35-4077-8fde-e4cab4rw369d
5) The command output returns the Key Rotation status for the selected CMK (true for enabled, false for disabled):
{
    "KeyRotationEnabled": false
}
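The check above covers one key at a time; the audit a practitioner usually wants is account-wide, listing every customer-managed key that still has rotation off. The following Python script is an added example, not code from the original post: it assumes boto3 with configured credentials for the live path in main(), and the constructed key metadata and placeholder IDs are not real keys.

```python
"""Audit KMS key rotation account-wide. Added example, not from the post; the live
path in main() assumes boto3 credentials, while the audit logic runs offline."""


def eligible_for_rotation(meta: dict) -> bool:
    """Only symmetric, customer-managed keys with KMS-generated material accept
    EnableKeyRotation; AWS-managed keys rotate on their own schedule."""
    return (meta.get("KeyManager") == "CUSTOMER"
            and meta.get("KeySpec", "SYMMETRIC_DEFAULT") == "SYMMETRIC_DEFAULT"
            and meta.get("Origin") == "AWS_KMS"
            and meta.get("KeyState") == "Enabled")


def audit(keys, describe, rotation_status):
    """Return KeyIds that should have rotation on but do not. describe(kid) ->
    KeyMetadata dict, rotation_status(kid) -> bool; both are injected so the check
    runs offline, and status is only fetched for eligible keys."""
    return [k["KeyId"] for k in keys
            if eligible_for_rotation(describe(k["KeyId"]))
            and not rotation_status(k["KeyId"])]


# Constructed sample responses with placeholder IDs (not real keys): a customer
# symmetric key without rotation, an AWS-managed key, a customer RSA key.
SAMPLE_KEYS = [{"KeyId": f"00000000-0000-4000-8000-00000000000{i}"} for i in (1, 2, 3)]
SAMPLE_META = {
    SAMPLE_KEYS[0]["KeyId"]: {"KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyState": "Enabled"},
    SAMPLE_KEYS[1]["KeyId"]: {"KeyManager": "AWS", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyState": "Enabled"},
    SAMPLE_KEYS[2]["KeyId"]: {"KeyManager": "CUSTOMER", "KeySpec": "RSA_2048", "Origin": "AWS_KMS", "KeyState": "Enabled"},
}
SAMPLE_ROTATION = {SAMPLE_KEYS[0]["KeyId"]: False, SAMPLE_KEYS[1]["KeyId"]: True,
                   SAMPLE_KEYS[2]["KeyId"]: False}


def main(enable: bool = False) -> None:
    """Live run: list every CMK (paginated), report and optionally remediate."""
    import boto3  # imported here so the audit logic stays importable offline
    kms = boto3.client("kms")
    keys = [k for page in kms.get_paginator("list_keys").paginate() for k in page["Keys"]]
    describe = lambda kid: kms.describe_key(KeyId=kid)["KeyMetadata"]
    status = lambda kid: kms.get_key_rotation_status(KeyId=kid)["KeyRotationEnabled"]
    for kid in audit(keys, describe, status):
        print("rotation disabled:", kid)
        if enable:  # same call as `aws kms enable-key-rotation --key-id ...`
            kms.enable_key_rotation(KeyId=kid)


if __name__ == "__main__":  # offline demo on the constructed data
    print(audit(SAMPLE_KEYS, SAMPLE_META.__getitem__, SAMPLE_ROTATION.__getitem__))
```

Run the live path with `main()` to report, or `main(enable=True)` to turn rotation on for every flagged key; the offline demo only flags the constructed customer symmetric key.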
Thanks. Please feel free to leave comments below or reach out to us at [email protected].