Cyscale
Back to controls

Ensure rotation for customer-created symmetric CMKs is enabled

AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled.

Category

Controls

Medium

Applies to

AWS

Coverage

1 queries

Asset types

1 covered

Overview

AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled.

Rationale

Rotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.

Remediation guidance

Via the Management Console

  1. Open the security settings using the "Open in AWS" menu option
  2. Under Key rotation, check the Automatically rotate this KMS key every year checkbox
  3. Select the customer-managed KMS key
  4. Under the Key Policy section, move down to Key Rotation

Via CLI

Run the following command to enable key rotation for the affected key:

aws kms enable-key-rotation \
  --key-id {{asset.idFromProvider}}

Optional: verify the status after the update completes.

aws kms get-key-rotation-status \
  --key-id {{asset.idFromProvider}}

References

  1. https://docs.aws.amazon.com/cli/latest/reference/kms/enable-key-rotation.html
  2. https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
  3. CCE-78920-6

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

AWS

Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.

Operational rollout

  1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
  2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
  3. Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

Rotation for customer created CMKs is enabled

Connectors

AWS

Covered asset types

KMSKey

Expected check: eq []

kmsKeys(where:{automaticRotationEnabled:false, managementType:"CustomerManaged"}){...AssetFragment}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon