KMS keys should have automatic key rotation enabled to limit the lifetime of cryptographic material, reduce the impact of a compromised key, and meet common compliance requirements. In AWS CloudFormation, AWS::KMS::Key resources must define the EnableKeyRotation property and set it to true. The property defaults to false when omitted, so resources that leave it out, as well as resources that set it to false, are flagged. Enabling rotation activates AWS-managed rotation of the key material, once a year by default (the RotationPeriodInDays property can set a period between 90 and 2560 days). Rotation only affects new encryption operations: KMS retains every previous version of the key material so that existing ciphertext still decrypts, and nothing already stored is re-encrypted. Automatic rotation is only available for symmetric encryption keys whose material was generated by KMS; asymmetric keys, HMAC keys, keys with imported key material, and keys in custom key stores cannot enable it (setting EnableKeyRotation on them fails at deployment), so a finding on such a key needs a manual rotation plan and review rather than the property.
Secure configuration example:

```yaml
MyKMSKey:
  Type: AWS::KMS::Key
  Properties:
    Description: KMS key with rotation enabled
    EnableKeyRotation: true
    KeyPolicy:
      Version: '2012-10-17'
      Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
          Action: 'kms:*'
          Resource: '*'
```
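The following is an added example, not Datadog's rule implementation, showing the check this rule describes as a small scanner you can run over a template before it reaches CI. It accepts a parsed JSON template (YAML templates that use intrinsic tags such as `!Sub` would need a YAML loader that tolerates those tags, which is left out here), treats an omitted property as disabled, accepts the boolean spellings CloudFormation accepts, fails closed on values it cannot resolve statically, and separates keys whose KeySpec can never be rotated automatically from real violations. The sample template and its resource names are constructed for this example.

```python
"""Scan a CloudFormation template for AWS::KMS::Key resources that do not
enable automatic key rotation. Added example; assumes a JSON template and a
constructed sample below."""
import json
import sys
from dataclasses import dataclass

# AWS KMS rotates only symmetric encryption keys with KMS-generated
# material. Other KeySpecs reject EnableKeyRotation at deployment time,
# so they are reported for manual review rather than as a rule violation.
ROTATABLE_KEY_SPECS = {"SYMMETRIC_DEFAULT"}


@dataclass(frozen=True)
class Finding:
    logical_id: str
    kind: str       # "violation" (the rule would flag it) or "info" (review needed)
    reason: str


def _as_bool(value):
    """CloudFormation accepts native booleans and the strings 'true'/'false'
    in any case. Anything else (an intrinsic function, a typo) returns None."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    return None


def check_kms_key_rotation(template: dict) -> list[Finding]:
    """Return one Finding per AWS::KMS::Key that is not rotated automatically."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != "AWS::KMS::Key":
            continue
        props = resource.get("Properties") or {}
        key_spec = props.get("KeySpec", "SYMMETRIC_DEFAULT")
        if key_spec not in ROTATABLE_KEY_SPECS:
            findings.append(Finding(logical_id, "info",
                f"KeySpec {key_spec} cannot be rotated automatically; plan manual rotation"))
            continue
        if "EnableKeyRotation" not in props:
            findings.append(Finding(logical_id, "violation",
                "EnableKeyRotation omitted; CloudFormation defaults it to false"))
            continue
        enabled = _as_bool(props["EnableKeyRotation"])
        if enabled is None:
            # Fail closed: a value that cannot be evaluated statically is treated
            # as not proven true, matching the rule's "must be set to true".
            findings.append(Finding(logical_id, "violation",
                f"EnableKeyRotation is not a literal boolean: {props['EnableKeyRotation']!r}"))
        elif not enabled:
            findings.append(Finding(logical_id, "violation",
                "EnableKeyRotation is explicitly false"))
    return findings


def scan_template_json(text: str) -> list[Finding]:
    return check_kms_key_rotation(json.loads(text))


# Constructed sample (not a real account): a minimal key policy shared by
# every key, plus one key per case the scanner distinguishes.
_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*", "Resource": "*"}]}


def _key(**props):
    return {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": _POLICY, **props}}


SAMPLE_TEMPLATE_JSON = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"RotationFlag": {"Type": "String", "Default": "true"}},
    "Resources": {
        "compliantKey":  _key(EnableKeyRotation=True),
        "stringTrueKey": _key(EnableKeyRotation="true"),   # accepted spelling
        "disabledKey":   _key(EnableKeyRotation=False),
        "missingKey":    _key(),                            # property omitted
        "paramKey":      _key(EnableKeyRotation={"Ref": "RotationFlag"}),
        "rsaKey":        _key(KeySpec="RSA_2048", KeyUsage="SIGN_VERIFY"),
    },
})


if __name__ == "__main__":
    # Usage: python kms_rotation_check.py [template.json]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE_JSON
    results = scan_template_json(text)
    for f in results:
        print(f"{f.kind:9} {f.logical_id}: {f.reason}")
    sys.exit(1 if any(f.kind == "violation" for f in results) else 0)
```

On the sample, `disabledKey`, `missingKey` and `paramKey` are reported as violations and `rsaKey` as informational; `compliantKey` and `stringTrueKey` pass. The non-zero exit status on any violation is what makes the script usable as a pre-commit or pipeline gate.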
Compliant Code Examples
```yaml
AWSTemplateFormatVersion: '2010-09-09'   # quoted so YAML tooling does not parse it as a date
Description: A sample template
Resources:
  myKey:
    Type: AWS::KMS::Key
    Properties:
      Description: An example symmetric CMK
      EnableKeyRotation: True              # compliant: rotation enabled
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::111122223333:root
            Action: kms:*
            Resource: '*'
          - Sid: Allow administration of the key
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/Alice
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:ScheduleKeyDeletion
              - kms:CancelKeyDeletion
            Resource: '*'
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/Bob
            Action:
              - kms:DescribeKey
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey
              - kms:GenerateDataKeyWithoutPlaintext
            Resource: '*'
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "myKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "An example symmetric CMK",
        "EnableKeyRotation": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
              "Action": "kms:*",
              "Resource": "*"
            },
            {
              "Sid": "Allow administration of the key",
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::123456789012:user/Alice" },
              "Action": [
                "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
              ],
              "Resource": "*"
            },
            {
              "Sid": "Allow use of the key",
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::123456789012:user/Bob" },
              "Action": [
                "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
AWSTemplateFormatVersion: '2010-09-09'   # quoted so YAML tooling does not parse it as a date
Description: A sample template
Resources:
  myKey:
    Type: AWS::KMS::Key
    Properties:
      Description: An example symmetric CMK
      EnableKeyRotation: false             # flagged: rotation explicitly disabled
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::111122223333:root
            Action: kms:*
            Resource: '*'
          - Sid: Allow administration of the key
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/Alice
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:ScheduleKeyDeletion
              - kms:CancelKeyDeletion
            Resource: '*'
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/Bob
            Action:
              - kms:DescribeKey
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey
              - kms:GenerateDataKeyWithoutPlaintext
            Resource: '*'
  myKey2:
    Type: AWS::KMS::Key
    Properties:
      Description: An example symmetric CMK
      # flagged: EnableKeyRotation omitted, so it defaults to false
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::111122223333:root
            Action: kms:*
            Resource: '*'
          - Sid: Allow administration of the key
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/Alice
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:ScheduleKeyDeletion
              - kms:CancelKeyDeletion
            Resource: '*'
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/Bob
            Action:
              - kms:DescribeKey
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey
              - kms:GenerateDataKeyWithoutPlaintext
            Resource: '*'
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "myKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "An example symmetric CMK",
        "EnableKeyRotation": false,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
              "Action": "kms:*",
              "Resource": "*"
            },
            {
              "Sid": "Allow administration of the key",
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::123456789012:user/Alice" },
              "Action": [
                "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
              ],
              "Resource": "*"
            },
            {
              "Sid": "Allow use of the key",
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::123456789012:user/Bob" },
              "Action": [
                "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    },
    "myKey2": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "An example symmetric CMK",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
              "Action": "kms:*",
              "Resource": "*"
            },
            {
              "Sid": "Allow administration of the key",
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::123456789012:user/Alice" },
              "Action": [
                "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
              ],
              "Resource": "*"
            },
            {
              "Sid": "Allow use of the key",
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::123456789012:user/Bob" },
              "Action": [
                "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
```

In `myKey` the property is present but set to false; in `myKey2` it is absent, which CloudFormation treats as false. Both resources are flagged.
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```