Rotation enabled for Stax-managed Customer Master Keys

Published 25 Aug 2020

As per item 2.8 of the CIS AWS Foundations Benchmark, all Customer Master Keys (CMKs) created by the Stax platform in customer AWS accounts now have automatic yearly rotation enabled.

This change does not impact CMKs created by Stax customers either within the AWS Console/SDK/API, or via the Stax Workloads service.

This change applies to the following CMKs in your AWS accounts:

  • spotlight-etl-sns
  • stax-alarm-sns-key

More info

Below is an excerpt from the CIS AWS Foundations Benchmark document that provides some more context around this recommendation:

2.8 Ensure rotation for customer created CMKs is enabled

AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled.
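To confirm the rotation state of the keys in an account, the 2.8 check can be scripted against the KMS `ListKeys`, `DescribeKey` and `GetKeyRotationStatus` calls. The following is an added example, not code from Stax or from the CIS Benchmark; `keys_without_rotation` and the `FakeKMS` stand-in with its constructed key data are hypothetical names, and against a real account you would pass `boto3.client("kms")` instead.

```python
# Added example: audit CIS 2.8 (rotation enabled on customer-managed KMS keys).
# `kms` is any object with the boto3 KMS client methods used below.
def keys_without_rotation(kms):
    """Return IDs of enabled, customer-managed symmetric keys lacking rotation."""
    failing, marker = [], None
    while True:
        page = kms.list_keys(**({"Marker": marker} if marker else {}))
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            # AWS-managed keys and disabled/pending-deletion keys are out of scope.
            if meta["KeyManager"] != "CUSTOMER" or meta["KeyState"] != "Enabled":
                continue
            # This check covers only symmetric keys with KMS-generated material.
            if meta.get("KeySpec") != "SYMMETRIC_DEFAULT" or meta.get("Origin") != "AWS_KMS":
                continue
            status = kms.get_key_rotation_status(KeyId=entry["KeyId"])
            if not status["KeyRotationEnabled"]:
                failing.append(entry["KeyId"])
        if not page.get("Truncated"):
            return failing
        marker = page["NextMarker"]  # follow pagination

class FakeKMS:
    """Constructed stand-in for the KMS client so the example runs offline."""
    KEYS = {  # key id -> (KeyManager, KeyState, KeySpec, Origin, rotation enabled)
        "key-a": ("CUSTOMER", "Enabled", "SYMMETRIC_DEFAULT", "AWS_KMS", True),
        "key-b": ("CUSTOMER", "Enabled", "SYMMETRIC_DEFAULT", "AWS_KMS", False),
        "key-c": ("AWS", "Enabled", "SYMMETRIC_DEFAULT", "AWS_KMS", False),
        "key-d": ("CUSTOMER", "Enabled", "RSA_2048", "AWS_KMS", False),
        "key-e": ("CUSTOMER", "PendingDeletion", "SYMMETRIC_DEFAULT", "AWS_KMS", False),
    }

    def list_keys(self, Marker=None):
        ids = sorted(self.KEYS)
        start = ids.index(Marker) if Marker else 0
        chunk, rest = ids[start:start + 2], ids[start + 2:]  # two keys per page
        page = {"Keys": [{"KeyId": k} for k in chunk], "Truncated": bool(rest)}
        if rest:
            page["NextMarker"] = rest[0]
        return page

    def describe_key(self, KeyId):
        fields = ("KeyManager", "KeyState", "KeySpec", "Origin")
        return {"KeyMetadata": dict(zip(fields, self.KEYS[KeyId][:4]), KeyId=KeyId)}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self.KEYS[KeyId][4]}
```

With the constructed data, only `key-b` is reported: it is the one enabled, customer-managed symmetric key that has rotation switched off.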

