Ensure AWS CMK rotation is enabled

Error: AWS CMK rotation is not enabled

Bridgecrew Policy ID: BC_AWS_LOGGING_8
Checkov Check ID: CKV_AWS_7
Bridgecrew Severity: MEDIUM
Prisma Cloud Severity: MEDIUM


AWS Key Management Service (KMS) allows customers to rotate the backing key, which is the key material stored within KMS and tied to the key ID of the customer-created customer master key (CMK). The backing key is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys, so decryption of encrypted data takes place transparently.

We recommend you enable CMK key rotation to help reduce the potential impact of a compromised key. Data encrypted with a new key cannot be accessed with a previous key that may have been exposed.

Fix - Runtime

AWS Console


  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon KMS console.
  3. In the left navigation pane, select customer managed keys.
  4. Select the customer master key (CMK) in scope.
  5. Navigate to the Key Rotation tab.
  6. Select Rotate this key every year.
  7. Click Save.

CLI Command

Change the policy to enable key rotation using the following CLI command:

aws kms enable-key-rotation --key-id <kms_key_id>
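
To find which keys still need the command above, the following added example (not part of the original page or of Bridgecrew's tooling) audits every key in the CLI's default region and can apply the fix. It assumes the AWS CLI is configured with permission for `kms:ListKeys`, `kms:DescribeKey`, `kms:GetKeyRotationStatus` and `kms:EnableKeyRotation`; the function names and script name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. Audits the CLI's default region.

# Print "<key-id> rotation-on|rotation-off" for each key that supports
# automatic rotation.
audit_kms_rotation() {
  # Expected describe-key fields, tab-separated as --output text prints them.
  eligible=$(printf 'CUSTOMER\tEnabled\tSYMMETRIC_DEFAULT\tAWS_KMS')
  for key_id in $(aws kms list-keys --query 'Keys[].KeyId' --output text); do
    meta=$(aws kms describe-key --key-id "$key_id" --output text \
      --query 'KeyMetadata.[KeyManager,KeyState,KeySpec,Origin]')
    # Skip AWS managed keys, disabled or pending-deletion keys, asymmetric
    # and HMAC keys, and keys with imported or custom-key-store material.
    [ "$meta" = "$eligible" ] || continue
    status=$(aws kms get-key-rotation-status --key-id "$key_id" \
      --query 'KeyRotationEnabled' --output text)
    # Anything other than "true" (including a failed call) is reported as off.
    case "$status" in
      [Tt]rue) echo "$key_id rotation-on" ;;
      *)       echo "$key_id rotation-off" ;;
    esac
  done
}

# Run the page's CLI fix on every key the audit reports as rotation-off.
fix_kms_rotation() {
  audit_kms_rotation | while read -r key_id state; do
    [ "$state" = "rotation-off" ] || continue
    aws kms enable-key-rotation --key-id "$key_id" && echo "enabled $key_id"
  done
}

# Usage: sh kms_rotation.sh audit | fix   (script name is a placeholder)
case "${1:-}" in
  audit) audit_kms_rotation ;;
  fix)   fix_kms_rotation ;;
esac
```

Run `audit` first and review the list before running `fix`; repeat per region, since KMS keys are regional.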

Fix - Buildtime


  • Resource: aws_kms_key
  • Argument: enable_key_rotation - (Optional) Specifies whether key rotation is enabled. Defaults to false.
resource "aws_kms_key" "kms_key_1" {
  is_enabled              = true
+ enable_key_rotation     = true
}


  • Resource: AWS::KMS::Key
  • Attribute: EnableKeyRotation - (Optional) Specifies whether key rotation is enabled. Defaults to false.
Type: AWS::KMS::Key
Properties:
+   EnableKeyRotation: true