Key Rotation Has Been Enabled
Rule Details
Parameter | Description
---|---
Rule Name | kms-rotation-enabled
Identifier | Key Rotation Has Been Enabled
Description | If key rotation is not enabled for a KMS key, this key is non-compliant.
Tag | kms
Trigger Type | Configuration change
Filter Type | kms.keys
Rule Parameters | None
Application Scenarios
Security risks arise when a data encryption key (DEK) is used extensively and repeatedly. To keep DEKs secure, you are advised to rotate them periodically and replace the key material of the original DEKs. For details, see Enabling Key Rotation. The purposes of key rotation are:
- Reducing the amount of data encrypted by each key. The security of a key is inversely proportional to the amount of data encrypted with it.
- Improving the ability to respond to security events: treat key rotation as a routine O&M practice from the early stages of system security design.
- Improving data isolation: ciphertext generated before a rotation is isolated from ciphertext generated after it.
Solution
Rule Logic
- If key rotation is not enabled for a KMS key, this key is non-compliant.
- If key rotation is enabled for a KMS key, this key is compliant.
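The rule logic above applied to a handful of constructed kms.keys resources, as an added example that is not part of this page or of the cloud provider's own rule engine. The attribute name `key_rotation_enabled` and the sample key IDs are assumptions; the check is deliberately strict, so a key whose rotation state is missing or not a boolean `True` is reported as non-compliant rather than silently passing.

```python
"""Evaluate constructed kms.keys resources against the kms-rotation-enabled rule."""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

COMPLIANT = "Compliant"
NON_COMPLIANT = "NonCompliant"


@dataclass(frozen=True)
class Evaluation:
    key_id: str
    result: str
    reason: str


def rotation_enabled(resource: Dict[str, Any]) -> bool:
    """True only when the resource explicitly reports rotation as enabled.

    "key_rotation_enabled" is an assumed attribute name for this example.
    A missing value, False, or a non-boolean (e.g. the string "true") is
    treated as not enabled: an unknown or malformed state must not pass.
    """
    return resource.get("key_rotation_enabled") is True


def evaluate(resources: Iterable[Dict[str, Any]]) -> List[Evaluation]:
    """Apply the rule logic to each kms.keys resource and record the outcome."""
    results: List[Evaluation] = []
    for res in resources:
        key_id = res.get("key_id", "<missing key_id>")
        if rotation_enabled(res):
            results.append(Evaluation(key_id, COMPLIANT, "key rotation is enabled"))
        else:
            results.append(Evaluation(key_id, NON_COMPLIANT, "key rotation is not enabled"))
    return results


def non_compliant_ids(results: Iterable[Evaluation]) -> List[str]:
    """Key IDs that need rotation enabled, in evaluation order."""
    return [e.key_id for e in results if e.result == NON_COMPLIANT]


# Constructed sample resources (not real keys): one compliant, three non-compliant.
SAMPLE_KEYS = [
    {"key_id": "key-0001", "key_rotation_enabled": True},
    {"key_id": "key-0002", "key_rotation_enabled": False},
    {"key_id": "key-0003"},                            # attribute absent
    {"key_id": "key-0004", "key_rotation_enabled": "true"},  # string, not bool
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_KEYS):
        print(f"{ev.key_id}: {ev.result} ({ev.reason})")
```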