turbot/aws_compliance

Trigger: Detect & correct KMS keys with rotation disabled

Detect customer-managed KMS keys that use AWS-generated key material, are neither disabled nor pending deletion, and have automatic key rotation disabled; then enable rotation on them.

Query

select
  -- human-readable title: key id qualified by account and region
  concat(id, ' [', account_id, '/', region, ']') as title,
  id as key_id,
  region,
  sp_connection_name as conn
from
  aws_kms_key
where
  -- only customer-managed keys can have rotation toggled; AWS-managed keys rotate automatically
  key_manager = 'CUSTOMER'
  and key_rotation_enabled = false
  -- imported (EXTERNAL origin) key material cannot be rotated automatically by KMS
  and origin != 'EXTERNAL'
  -- rotation cannot be enabled on keys that are disabled or scheduled for deletion
  and key_state not in ('PendingDeletion', 'Disabled');

Schedule

15m

Tags

category = Compliance
mod = aws
service = AWS/KMS