AWS KMS Key Rotation – How does it impact your cloud security?

AWS KMS Key Rotation - Cloud Security

Cloud security refers to a set of policies, technologies or controls that are used to protect data, applications and associated infrastructure. Organizations want their deployed resources and workload to be safe from any potential security threat. AWS KMS (Key Management Service) provides security in terms of encryption to your cloud resources in AWS.

What is Key Management Service (KMS)?

AWS KMS (Key Management Service) is an encryption service provided by AWS that enables the user to easily encrypt their data. KMS provides a key storage management solution so that data can be encrypted across AWS services and resources within a single AWS account. The easiest method to get started on KMS is to check off the box to encrypt your data within supported AWS services. In this case, default keys created by AWS in user’s account are used. KMS also allows users to create their own keys or CMKs (Customer Master Keys) to have further control over the management of their AWS resources. KMS assigns keys to be used in supported services of AWS when creating encrypted resources and also allows to use them directly within existing applications. It also gives the provision of usage policies to configure which user can use which key to encrypt or decrypt data.

Why KMS key rotation is necessary for AWS users?

The best cryptographic practices do not encourage excessive use of old CMK. It is highly recommended to rotate your CMK’s to ensure the security of your cloud infrastructure. When automatic key rotation is enabled, KMS generates new cryptographic material every 365 days and retains the older cryptographic material (old key). In this way, both keys can be used to encrypt or decrypt data. There are various benefits of enabling automatic rotation of CMK. Properties of CMK’s such as key ID, key ARN, policies, permissions do not change. It is not required by the user to remember any schedule or calendar to update CMK.

How does Centilytics assist you in ensuring security through KMS?

Centilytics recommends focusing on timely rotation and management of keys to ensure higher security levels of your cloud environment. A dedicated insight is provided which on KMS key rotation checks whether key rotation for your AWS account is enabled or not.

Insight descriptions

There can be 2 possible scenarios:

Severity Description
OK This indication will be shown when key rotation is enabled for the corresponding CMK created by AWS user i.e. CMK will be rotated automatically in 365 days by AWS.
AWS EBS PUBLIC SNAPSHOTCRITICAL This indication will be shown when key rotation is disabled for the corresponding CMK created by AWS user i.e. CMK will not be rotated automatically by AWS.


Description of further columns are as follows:

  1. Account Id: This column shows the respective account ID of the user’s account.AWS KMS Key Rotation-ss1
  2. Account Name: This column shows the corresponding account name to the user’s account.AWS KMS Key Rotation-ss3
  3. Identifier: This column shows the unique CMK ID or key ID to uniquely identify and differentiate different keys in AWS.AWS KMS Key Rotation-ss56
  4. Key Rotation Status: This column shows the key rotation status of the corresponding AWS account. If the key rotation is active, then enabled will be displayed. Otherwise disabled will be displayed.AWS KMS Key Rotation-ss33


Compliances covered:

Compliance Name Reference No. Link
PCI 3.6.4,3.6.5
HIPAA 164.312(d),164.312(e)(i)
ISO 27001 A.12.4.1, A.12.4.3


NIST 800-53 SC-12, SC-13,SC-17,SC-28
GDPR Article 30


Filters applicable:

Filter Name Description
Account Id Applying account Id filter will display data for the selected account Id.
Severity Applying severity filter will display data according to the selected severity type i.e. selecting critical will display all resources with critical severity. Same will be the case for warning and ok severity types
Resource Tags Applying resource tags filter will display those resources which have been assigned the selected resource tag. For e.g.- If the user has tagged some resource by a tag named environment, then selecting an environment from the resource tags filter will display all the data accordingly.
Resource Tags Value Applying resource tags value filter will display data which will have the selected resource tag value. For e.g.- If the user has tagged some resource by a tag named environment and has given it a value say production (environment: production), then the user will be able to view data of all the resources which are tagged as “environment:production”. User can use the tag value filter only when a tag name has been provided.


Read more: