When we enable key rotation, it reduces the chance that a compromised customer master key (CMK) could be used without your knowledge to access AWS resources.

How can we check if Key Rotation is enabled?

AWS Keys Rotation: To determine if your customer master keys have Key Rotation enabled, perform the following:

A) Sign in to the AWS Management Console.
B) Navigate to the IAM dashboard.
C) In the left navigation panel, click Encryption Keys.
D) Select the appropriate AWS region from the Filter menu.
E) Select the alias of the CMK that you need to check under the Alias column.
F) Check the "Rotate this key every year" switch status under the Key Rotation section.

How do we enable AWS Key Rotation?

To enable AWS KMS Key Rotation, you need to perform the following:

1) Run the list-keys command to list all your customer master keys:

    aws kms list-keys

2) The command output should return the ARN (Amazon Resource Name) and the ID for each CMK created in your current AWS region:

    {
        "Keys": [
            {
                "KeyArn": "arn:aws:kms:us-west-2:1234567812345:key/8e1a0a1b-fa71-4077-8fde-e4cab5f1458c",
                "KeyId": "4t3d0t3b-ta35-4077-8fde-e4cab4rw369d"
            }
        ]
    }

3) Run the enable-key-rotation command using the CMK ID as parameter to enable Key Rotation for the selected key:

    aws kms enable-key-rotation --key-id 4t3d0t3b-ta35-4077-8fde-e4cab4rw369d

4) Run the get-key-rotation-status command to make sure that the Key Rotation feature has been enabled:

    aws kms get-key-rotation-status --key-id 4t3d0t3b-ta35-4077-8fde-e4cab4rw369d

5) The command output should return the Key Rotation status for the selected CMK (true for enabled, false for disabled):

    {
        "KeyRotationEnabled": false
    }

Thanks.
Please feel free to leave comments below or reach out to us at advocatedevops@gmail.com.
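
The CLI steps above handle one key at a time; the script below applies the same three commands (list-keys, get-key-rotation-status, enable-key-rotation) to every key in the region and reports keys whose status cannot be read or whose rotation cannot be switched on. It is an added example, not part of the original post: the function names `rotation_report` and `enable_missing_rotation` and the script name are hypothetical, and it assumes the AWS CLI is configured with credentials and a default region.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.
# Assumes the AWS CLI is configured with credentials and a default region.

# Print "<KeyId> <state>" for every key returned by list-keys.
# state is enabled, disabled, or unknown (status call failed, e.g. no permission).
rotation_report() {
    local ids id status
    ids=$(aws kms list-keys --query 'Keys[].KeyId' --output text) || return 1
    for id in $ids; do
        # With --output text the boolean is printed as True or False.
        if status=$(aws kms get-key-rotation-status --key-id "$id" \
                --query KeyRotationEnabled --output text 2>/dev/null); then
            case "$status" in
                True)  echo "$id enabled" ;;
                False) echo "$id disabled" ;;
                *)     echo "$id unknown" ;;
            esac
        else
            echo "$id unknown"
        fi
    done
}

# Enable rotation on every key reported as disabled, then verify with
# get-key-rotation-status. enable-key-rotation can fail (missing permission,
# key type without automatic rotation), so each key is reported separately.
# Returns non-zero if any disabled key could not be switched on.
enable_missing_rotation() {
    local report id rc=0
    report=$(rotation_report) || return 1
    for id in $(printf '%s\n' "$report" | awk '$2 == "disabled" { print $1 }'); do
        if aws kms enable-key-rotation --key-id "$id" 2>/dev/null &&
           [ "$(aws kms get-key-rotation-status --key-id "$id" \
                --query KeyRotationEnabled --output text 2>/dev/null)" = True ]; then
            echo "$id enabled-now"
        else
            echo "$id failed"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: ./kms-rotation.sh report | enable
case "${1:-}" in
    report) rotation_report ;;
    enable) enable_missing_rotation ;;
esac
```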