Updated on 2025-08-25 GMT+08:00

Key Rotation Has Been Enabled

Rule Details

Table 1 Rule details

Parameter         Description
Rule Name         kms-rotation-enabled
Identifier        Key Rotation Has Been Enabled
Description       If key rotation is not enabled for a KMS key, this key is non-compliant.
Tag               kms
Trigger Type      Configuration change
Filter Type       kms.keys
Rule Parameters   None

Application Scenarios

Using the same data encryption key (DEK) extensively and repeatedly introduces security risks. To keep DEKs secure, you are advised to rotate them periodically and replace the key material of the original DEKs. For details, see Enabling Key Rotation. The purposes of key rotation are:

  • Reducing the amount of data encrypted by each key: the security of a key is inversely proportional to the amount of data encrypted with it.
  • Improving the ability to respond to security events: treat key rotation as a routine O&M practice from the early stage of system security design.
  • Strengthening data isolation: ciphertext generated before and after a key rotation is isolated.

Rule Logic

  • If key rotation is not enabled for a KMS key, this key is non-compliant.
  • If key rotation is enabled for a KMS key, this key is compliant.
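The rule logic above, as an added example that is not part of this page and not the Config service's own implementation: a Python evaluator that applies the two compliance branches to a constructed JSON export of kms.keys records and models the rule's configuration-change trigger by re-evaluating only the changed key. The record field name key_rotation_enabled, the key IDs and the JSON layout are assumptions; a record whose rotation flag is missing or not a boolean true is treated as non-compliant here, which is an added fail-closed choice rather than something the page states.

```python
"""Added example: evaluate the kms-rotation-enabled rule over a KMS key inventory.

Not Huawei Cloud Config's own code. Assumes each kms.keys record is a dict
with a "key_id" and a boolean "key_rotation_enabled" (assumed field name);
the sample export below is constructed for this example.
"""
import json
from typing import Any, Dict, List

COMPLIANT = "Compliant"
NON_COMPLIANT = "Non-Compliant"


def evaluate_key(key: Dict[str, Any]) -> str:
    """Rule logic: rotation enabled -> compliant; rotation not enabled -> non-compliant.

    A missing or non-boolean flag cannot be shown to be enabled, so it is reported
    as non-compliant (fail closed; an added choice for this example).
    """
    if key.get("key_rotation_enabled") is True:
        return COMPLIANT
    return NON_COMPLIANT


def evaluate_inventory(keys: List[Dict[str, Any]]) -> Dict[str, str]:
    """Evaluate every kms.keys resource (the rule's filter type); map key_id -> result."""
    return {key["key_id"]: evaluate_key(key) for key in keys}


def non_compliant_keys(keys: List[Dict[str, Any]]) -> List[str]:
    """Key IDs that still need rotation enabled, sorted for a stable report."""
    results = evaluate_inventory(keys)
    return sorted(kid for kid, result in results.items() if result == NON_COMPLIANT)


def on_configuration_change(previous: Dict[str, str],
                            changed_key: Dict[str, Any]) -> Dict[str, str]:
    """Model the 'Configuration change' trigger: re-evaluate only the changed key.

    Returns an updated copy of the previous result map; the input is not mutated.
    """
    updated = dict(previous)
    updated[changed_key["key_id"]] = evaluate_key(changed_key)
    return updated


def load_inventory(text: str) -> List[Dict[str, Any]]:
    """Parse a JSON list of key records (assumed export format)."""
    records = json.loads(text)
    if not isinstance(records, list):
        raise ValueError("inventory export must be a JSON list of key records")
    return records


# Constructed sample export: IDs and values are made up for the example.
SAMPLE_INVENTORY_JSON = """
[
  {"key_id": "key-example-0001", "key_rotation_enabled": true},
  {"key_id": "key-example-0002", "key_rotation_enabled": false},
  {"key_id": "key-example-0003"}
]
"""

if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_INVENTORY_JSON)
    results = evaluate_inventory(inventory)
    for key_id, result in results.items():
        print(f"{key_id}: {result}")
    print("Non-compliant:", non_compliant_keys(inventory))
    # Enabling rotation on key-example-0002 and re-evaluating via the change trigger.
    fixed = on_configuration_change(
        results, {"key_id": "key-example-0002", "key_rotation_enabled": True})
    print("key-example-0002 after enabling rotation:", fixed["key-example-0002"])
```

Running the module evaluates the constructed export, lists the two keys without rotation, then shows the second key becoming compliant once rotation is enabled and the change is re-evaluated.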