Ensure a key rotation mechanism within a 365-day period is implemented for Google KMS Crypto Key

LOW

Description

An annual encryption key rotation is commonly used to ensure that keys are secure and data remains protected. Many common compliance frameworks and industry regulations require an annual key rotation.

Remediation

In GCP Console -

  1. Log into the GCP Console and go to Key Management.
  2. Choose the key ring with the keys that you wish to edit from the list of key rings.
  3. Select the ellipsis under Actions next to the key you wish to edit and choose Edit rotation period.
  4. Edit the rotation period and start date accordingly.
  5. Select Save.
     For more information on setting up key rotation, see the GCP documentation (below).

In Terraform -

  1. In the google_kms_crypto_key resource, set the rotation_period field to a duration in seconds, written as a number followed by "s" (for example, "100000s"). The rotation period must not exceed 365 days.
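As an added illustration (not from this page or the Terraform provider documentation), the following shows a key that fails this rule beside one that satisfies it; the key ring name, key names and location are placeholders. Note that automatic rotation is only supported for symmetric ENCRYPT_DECRYPT keys, so asymmetric keys must be rotated by other means.

```hcl
# Added example. Names and location are placeholders, not values from the page.
resource "google_kms_key_ring" "example" {
  name     = "example-keyring"
  location = "us-central1"
}

# Non-compliant: no rotation_period, so Cloud KMS never creates a new
# primary version on its own and the same key material is used indefinitely.
resource "google_kms_crypto_key" "unrotated" {
  name     = "unrotated-key"
  key_ring = google_kms_key_ring.example.id
}

# Compliant: rotation_period is a duration in seconds with an "s" suffix.
# 90 days = 90 * 86400 = 7776000s. The rule's ceiling of 365 days is
# 365 * 86400 = 31536000s; any value above that (or no value) fails the rule.
resource "google_kms_crypto_key" "rotated" {
  name            = "rotated-key"
  key_ring        = google_kms_key_ring.example.id
  purpose         = "ENCRYPT_DECRYPT" # automatic rotation requires a symmetric key
  rotation_period = "7776000s"

  # Destroying a crypto key destroys every version of it; guard against that.
  lifecycle {
    prevent_destroy = true
  }
}
```

Rotation only changes which version is primary for new encryptions; ciphertext produced with older versions stays decryptable until those versions are destroyed.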

References:
https://cloud.google.com/kms/docs/rotating-keys
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_crypto_key

Policy Details

Rule Reference ID: AC_GCP_0012
CSP: GCP
Remediation Available: Yes
Resource Category: Management
Resource Type: Cloud Key Management

Frameworks