Skip to content

rotate-kms-keys

Explanation

Keys should be rotated on a regular basis to limit exposure if a given key should become compromised.

Possible Impact

Exposure is greater if the same keys are used over a long period

Suggested Resolution

Set key rotation period to 90 days

Insecure Example

The following example will fail the google-kms-rotate-kms-keys check.

resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

resource "google_kms_crypto_key" "example-key" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "15552000s"

  lifecycle {
    prevent_destroy = true
  }
}

Secure Example

The following example will pass the google-kms-rotate-kms-keys check.

resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

resource "google_kms_crypto_key" "example-key" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "7776000s"

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_kms_crypto_key" "example-key" {
  name            = "crypto-key-example"
  key_ring        = google_kms_key_ring.keyring.id
  algorithm       = "EXTERNAL_SYMMETRIC_ENCRYPTION"
  protectionLevel = "EXTERNAL"

  lifecycle {
    prevent_destroy = true
  }
}