---
title: KMS master encryption keys should be rotated at least annually
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > KMS master encryption keys should be
  rotated at least annually
---

# KMS master encryption keys should be rotated at least annually
 
## Description{% #description %}

Customer master encryption keys in Oracle Cloud Infrastructure Vault should be rotated at least annually to limit the amount of data encrypted by one key version and reduce cryptographic risk.

## Remediation{% #remediation %}

Configure automatic key rotation or manually rotate customer master keys annually. For guidance on key rotation, refer to the [Key Rotation](https://docs.oracle.com/iaas/Content/KeyManagement/Tasks/managingkeys_topic-To_rotate_a_master_encryption_key.htm) section in the Oracle Cloud Infrastructure Documentation.