Severity: low
CWE-324

Cloud KMS Key Not Rotated

Your KMS encryption keys don't have automatic rotation enabled, meaning the same key material is used indefinitely — increasing the risk if the key is ever compromised.

How It Works

KMS keys encrypt your most sensitive data at rest. If a key is compromised (via insider threat, misconfigured IAM policy, or key material export), all data encrypted with that key is at risk. Key rotation limits exposure: even if an old key is compromised, only data encrypted in that rotation window is at risk. AWS KMS supports automatic annual rotation at no extra cost.

Vulnerable Code

// BAD: KMS key without automatic rotation (Terraform)
resource "aws_kms_key" "app_key" {
  description             = "App encryption key"
  enable_key_rotation     = false  // key never rotates — risky
  deletion_window_in_days = 30
}

Secure Code

// GOOD: enable automatic annual key rotation
resource "aws_kms_key" "app_key" {
  description             = "App encryption key"
  enable_key_rotation     = true   // AWS rotates the key material annually
  deletion_window_in_days = 30
}

Real-World Example

While there are no major public breaches attributed solely to KMS key non-rotation, PCI-DSS, HIPAA, and SOC 2 auditors regularly flag non-rotated encryption keys as a compliance finding. It's a low-effort configuration that satisfies multiple regulatory requirements at once.

How to Prevent It

  • Set enable_key_rotation = true on all AWS KMS customer-managed keys; rotation is free and automatic
  • For GCP Cloud KMS, set rotationPeriod in your key ring configuration
  • Use AWS Config rule cmk-backing-key-rotation-enabled to detect non-rotating keys
  • Document key rotation policies as part of your security runbook
  • For imported key material, manually rotate according to your key management policy
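The detection step in the list above, as an added audit script that is not Data Hogo's own code: it lists every key in the account, checks rotation status only where AWS supports automatic rotation, and flags keys that are not rotating or need manual rotation. The live collector assumes boto3 and AWS credentials; the sample key records and their IDs are constructed placeholders.

```python
"""Audit AWS KMS keys for automatic rotation (added example, not Data Hogo's code)."""

def evaluate_keys(keys):
    """Return (key_id, reason) for keys whose rotation needs attention. Items mirror
    describe_key()['KeyMetadata'] plus 'KeyRotationEnabled' where that call applies."""
    findings = []
    for k in keys:
        if k.get("KeyManager") == "AWS" or k.get("KeyState") == "PendingDeletion":
            continue  # AWS-managed keys rotate on AWS's schedule; keys pending deletion are moot
        origin, spec = k.get("Origin", "AWS_KMS"), k.get("KeySpec", "SYMMETRIC_DEFAULT")
        if origin == "EXTERNAL":
            findings.append((k["KeyId"], "imported material: rotate manually per policy"))
        elif origin != "AWS_KMS" or spec != "SYMMETRIC_DEFAULT":
            # Asymmetric, HMAC and custom-key-store keys cannot be auto-rotated by KMS.
            findings.append((k["KeyId"], "automatic rotation unsupported for %s/%s" % (origin, spec)))
        elif not k.get("KeyRotationEnabled", False):
            findings.append((k["KeyId"], "enable_key_rotation is off: enable it"))
    return findings

def collect_keys(kms):
    """Fetch metadata for every key in the account, plus rotation status where supported."""
    keys = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = dict(kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"])
            if (meta["KeyManager"] == "CUSTOMER" and meta.get("Origin") == "AWS_KMS"
                    and meta.get("KeySpec") == "SYMMETRIC_DEFAULT"):
                meta["KeyRotationEnabled"] = kms.get_key_rotation_status(
                    KeyId=entry["KeyId"])["KeyRotationEnabled"]
            keys.append(meta)
    return keys

# Constructed sample shaped like describe_key output; key IDs are placeholders.
SAMPLE_KEYS = [
    {"KeyId": "k-app", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "Origin": "AWS_KMS", "KeySpec": "SYMMETRIC_DEFAULT", "KeyRotationEnabled": False},
    {"KeyId": "k-rotated", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "Origin": "AWS_KMS", "KeySpec": "SYMMETRIC_DEFAULT", "KeyRotationEnabled": True},
    {"KeyId": "k-imported", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "Origin": "EXTERNAL", "KeySpec": "SYMMETRIC_DEFAULT"},
    {"KeyId": "k-rsa", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "Origin": "AWS_KMS", "KeySpec": "RSA_2048"},
    {"KeyId": "k-aws", "KeyManager": "AWS", "KeyState": "Enabled",
     "Origin": "AWS_KMS", "KeySpec": "SYMMETRIC_DEFAULT"},
]

if __name__ == "__main__":
    import boto3  # only needed for the live scan
    for key_id, reason in evaluate_keys(collect_keys(boto3.client("kms"))):
        print(key_id, "-", reason)
```

Run it against the sample with `evaluate_keys(SAMPLE_KEYS)` to see the three findings before pointing it at a real account.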

Affected Technologies

Node.js, Python

Data Hogo detects this vulnerability automatically.