
Insecure service configuration - KMS - CloudFormation


Need

Enforce automatic key rotation for KMS service


Context

  1. Usage of CloudFormation for Infrastructure as Code (IaC)
  2. Usage of AWS KMS Key for encryption and decryption of data

Description

Insecure Code Example

Resources:
  MyKmsKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "This is my KMS key"
      EnableKeyRotation: false
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"

The above CloudFormation code defines an AWS KMS key, but it does not enable automatic key rotation. Without key rotation, the same encryption key is used indefinitely. This increases the risk of compromise, as long-term static keys are more likely to be exposed or brute-forced. Enabling key rotation is a security best practice to limit exposure in case a key is compromised.

Steps

  1. Add or update the `EnableKeyRotation` property in the CloudFormation resource.
  2. Set the value of `EnableKeyRotation` to `true` to activate yearly key rotation.
  3. Deploy or update the CloudFormation stack.

Secure Code Example

Resources:
  MyKmsKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "This is my KMS key"
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"

This CloudFormation code enables automatic key rotation for the AWS KMS key using the `EnableKeyRotation` property. With rotation enabled, AWS rotates the key material every year. This reduces the impact of a key compromise and ensures that encryption keys are refreshed regularly to improve the security posture of your infrastructure.
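To catch the insecure pattern before a stack is deployed, the following added example (not code from the original page) audits a CloudFormation template in its JSON form for `AWS::KMS::Key` resources that will not be rotated. It reports keys where `EnableKeyRotation` is `false` or omitted (the property defaults to off), accepts the string form `"true"` that CloudFormation also allows, and sets aside keys where automatic rotation does not apply at all: asymmetric or HMAC keys (`KeySpec` other than `SYMMETRIC_DEFAULT`) and keys with imported material (`Origin: EXTERNAL`). The embedded template is constructed for this example and mirrors the two snippets above plus those edge cases.

```python
"""Audit a CloudFormation template (JSON form) for AWS::KMS::Key resources
that will not be rotated automatically. Added example, not the page's own code."""
import json

# Constructed sample template (JSON equivalent of the YAML above). "InsecureKey"
# and "SecureKey" mirror the two examples on the page; the rest cover edge cases.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "InsecureKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {"Description": "rotation off", "EnableKeyRotation": False},
        },
        "SecureKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {"Description": "rotation on", "EnableKeyRotation": True},
        },
        "DefaultKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {"Description": "property omitted, rotation defaults to off"},
        },
        "StringKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {"EnableKeyRotation": "true"},
        },
        "SigningKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {"KeySpec": "RSA_4096", "KeyUsage": "SIGN_VERIFY"},
        },
        "ImportedKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {"Origin": "EXTERNAL"},
        },
        "LogBucket": {"Type": "AWS::S3::Bucket"},
    }
})


def _as_bool(value) -> bool:
    """CloudFormation accepts real booleans or the strings "true"/"false"."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def audit_kms_rotation(template_json: str) -> dict:
    """Return {"findings": [...], "skipped": [...]}.

    findings: symmetric KMS keys whose EnableKeyRotation is false or missing.
    skipped:  keys where automatic rotation is not supported by KMS, so the
              property is not the right control (asymmetric/HMAC or imported).
    """
    template = json.loads(template_json)
    findings, skipped = [], []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::KMS::Key":
            continue
        props = resource.get("Properties") or {}
        # Defaults when the properties are omitted from the template.
        key_spec = props.get("KeySpec", "SYMMETRIC_DEFAULT")
        origin = props.get("Origin", "AWS_KMS")
        if key_spec != "SYMMETRIC_DEFAULT" or origin != "AWS_KMS":
            skipped.append({"resource": name,
                            "reason": f"KeySpec={key_spec}, Origin={origin}"})
            continue
        raw = props.get("EnableKeyRotation")  # None when the property is absent
        if not _as_bool(raw):
            findings.append({"resource": name,
                             "property": "EnableKeyRotation",
                             "value": raw})
    return {"findings": findings, "skipped": skipped}


def format_report(result: dict) -> str:
    """Render the audit result as one line per key for CI output."""
    lines = [f"FAIL {f['resource']}: EnableKeyRotation={f['value']!r}"
             for f in result["findings"]]
    lines += [f"SKIP {s['resource']}: {s['reason']}" for s in result["skipped"]]
    return "\n".join(lines) if lines else "OK: all symmetric KMS keys rotate"


if __name__ == "__main__":
    print(format_report(audit_kms_rotation(SAMPLE_TEMPLATE)))
```

Two caveats worth keeping in mind when reading the report: enabling rotation does not re-encrypt existing ciphertext, KMS keeps the older key material so data encrypted before a rotation still decrypts; and after deployment the live setting can be confirmed with `aws kms get-key-rotation-status --key-id <key id>` rather than trusting the template alone.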


References

  • 396 - Insecure service configuration - KMS

  • Last updated: 2025/04/04