Control: AWS > PCI v3.2.1 > KMS > 1 Customer master key (CMK) rotation should be enabled
This control checks that key rotation is enabled for each customer master key (CMK). It does not check CMKs that have imported key material.
You should ensure keys that have imported material and those that are not stored in AWS KMS are rotated. AWS managed customer master keys are rotated once every 3 years.
Remediation
To enable CMK rotation
- Open the AWS KMS console.
- To change the AWS Region, use the Region selector in the upper-right corner of the page.
- Choose Customer managed keys.
- In the Alias column, choose the alias of the key to update.
- Choose Key rotation.
- Select Automatically rotate this CMK every year and then choose Save.
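The check this control performs, and the console remediation above, expressed as a small audit script (an added example, not Turbot's or AWS's code). It assumes boto3 is installed and a caller-supplied KMS client with permission for ListKeys, DescribeKey, GetKeyRotationStatus and EnableKeyRotation; the scoping logic is a pure function over DescribeKey metadata, so it can be exercised on constructed input without AWS access.

```python
"""Audit KMS keys for automatic rotation, mirroring the control's exclusions
(AWS managed keys and keys with imported material are not checked) and
offering the same fix as the console's "Automatically rotate this CMK every year".
"""


def in_scope(meta: dict) -> bool:
    """True when the rotation control applies to this key's DescribeKey metadata."""
    if meta.get("KeyManager") != "CUSTOMER":
        return False  # AWS managed CMKs: AWS rotates them on its own schedule
    if meta.get("Origin") != "AWS_KMS":
        return False  # imported (EXTERNAL) or CloudHSM material must be rotated out of band
    spec = meta.get("KeySpec") or meta.get("CustomerMasterKeySpec", "SYMMETRIC_DEFAULT")
    return spec == "SYMMETRIC_DEFAULT"  # automatic rotation exists only for symmetric keys


def evaluate_key(meta: dict, rotation_enabled=None) -> str:
    """Return 'skip' (out of scope), 'ok' (rotation on) or 'alarm' (rotation off)."""
    if not in_scope(meta):
        return "skip"
    return "ok" if rotation_enabled else "alarm"


def audit(kms) -> dict:
    """Map every key id in the client's region to a verdict (boto3 KMS client)."""
    verdicts = {}
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            rotation = None
            if in_scope(meta):  # only ask for rotation status where it is meaningful
                rotation = kms.get_key_rotation_status(KeyId=key["KeyId"])["KeyRotationEnabled"]
            verdicts[key["KeyId"]] = evaluate_key(meta, rotation)
    return verdicts


def remediate(kms, verdicts: dict) -> list:
    """Enable yearly automatic rotation on every key in alarm; returns the ids fixed."""
    fixed = []
    for key_id, verdict in verdicts.items():
        if verdict == "alarm":
            kms.enable_key_rotation(KeyId=key_id)
            fixed.append(key_id)
    return fixed


if __name__ == "__main__":
    import boto3  # assumed installed; credentials/region come from the usual boto3 chain
    client = boto3.client("kms")
    print({k: v for k, v in audit(client).items() if v == "alarm"})
```

Run the script to list the keys in alarm; call `remediate(client, audit(client))` only after reviewing that list, since it changes key configuration.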
PCI requirement(s): 3.6.4
Resource Types
This control targets the following resource types:
Developers
Control Type URI:
- tmod:@turbot/aws-pciv3-2-1#/control/types/kmsCmkRotationEnabled
Category URI:
- tmod:@turbot/turbot#/control/categories/compliancePci
Get Controls (CLI):
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/kmsCmkRotationEnabled"