AWS-026 Amazon Web Services (AWS)

Automatic rotation is enabled on KMS customer keys.

Domain: Amazon Web Services (AWS)
Area: Key Management
Automated / manual: Automated

Risk if it fails

Long-lived keys increase the impact of key compromise.

If a key is ever exposed and never rotated, the attacker can decrypt data indefinitely. Rotation limits how much a single stolen key can unlock.

How Tess tests it

1 test — each concludes only on cited evidence.

Automatic rotation is enabled on KMS customer keys.

Automated
Procedure: List CMKs and confirm key rotation status.

Read-only command (prints each key ID followed by its rotation status)

for k in $(aws kms list-keys --query 'Keys[].KeyId' --output text); do printf '%s ' "$k"; aws kms get-key-rotation-status --key-id "$k" --query KeyRotationEnabled --output text; done
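The loop above reports every key, but automatic rotation only exists for customer-managed, symmetric, KMS-origin keys; AWS-managed, asymmetric, HMAC and imported-material keys should be reported as not applicable rather than as failures. The following is an added example (not Tess's own code) that scopes the check that way over the fields returned by describe-key and get-key-rotation-status; the key IDs and metadata are constructed, and treating keys pending deletion as out of scope is an assumption.

```python
def is_in_scope(meta):
    """Automatic rotation exists only for customer-managed, symmetric,
    KMS-origin keys; keys pending deletion are also excluded (assumption)."""
    return (
        meta.get("KeyManager") == "CUSTOMER"
        and meta.get("KeySpec", "SYMMETRIC_DEFAULT") == "SYMMETRIC_DEFAULT"
        and meta.get("Origin") == "AWS_KMS"
        and meta.get("KeyState") not in ("PendingDeletion", "PendingReplicaDeletion")
    )


def evaluate(entries):
    """entries: list of (KeyMetadata dict, rotation-status dict).
    Returns key IDs grouped by verdict: pass, fail, not_applicable."""
    verdict = {"pass": [], "fail": [], "not_applicable": []}
    for meta, rotation in entries:
        if not is_in_scope(meta):
            verdict["not_applicable"].append(meta["KeyId"])
        elif rotation.get("KeyRotationEnabled") is True:
            verdict["pass"].append(meta["KeyId"])
        else:
            verdict["fail"].append(meta["KeyId"])
    return verdict


def collect(region=None):
    """Live collector using boto3 (not exercised by the offline sample).
    Rotation status is requested only for keys that are in scope."""
    import boto3
    kms = boto3.client("kms", region_name=region)
    entries = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            rot = kms.get_key_rotation_status(KeyId=key["KeyId"]) if is_in_scope(meta) else {}
            entries.append((meta, rot))
    return entries


# Constructed sample: one compliant key, one non-compliant, three out of scope.
_c = {"KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyState": "Enabled"}
SAMPLE = [
    ({**_c, "KeyId": "k-rotated"}, {"KeyRotationEnabled": True}),
    ({**_c, "KeyId": "k-static"}, {"KeyRotationEnabled": False}),
    ({**_c, "KeyId": "k-aws", "KeyManager": "AWS"}, {}),
    ({**_c, "KeyId": "k-rsa", "KeySpec": "RSA_2048"}, {}),
    ({**_c, "KeyId": "k-imported", "Origin": "EXTERNAL"}, {}),
]

if __name__ == "__main__":
    for status, ids in evaluate(SAMPLE).items():
        print(f"{status}: {ids}")
```

Replace SAMPLE with collect() to run the same verdict logic against a real account.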
