
GCP KMS key without periodic rotation

ID: gcp_kms_key_without_rotation
Data type: Google Cloud Platform
Severity: Low
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected a Google Cloud KMS cryptographic key that was created or updated without a rotation period configured. Periodic key rotation helps reduce the blast radius of a compromised key by limiting the amount of data encrypted with any single key version. Attackers may disable key rotation to maintain long-term access to encrypted data.

Impact

Keys without rotation remain valid indefinitely, increasing the window of opportunity for attackers who compromise the key material. Long-lived keys encrypt more data, meaning a key compromise affects a larger dataset. This configuration also violates security best practices and compliance requirements that mandate regular key rotation.

Severity

Severity    Condition
Low         KMS key created or updated without rotation

Investigation and Remediation

Review the key configuration and determine why rotation was not enabled. Verify the identity of the user who created or modified the key and confirm the action was authorized. Enable automatic key rotation with an appropriate rotation period based on security requirements and compliance policies. Document any exceptions and implement compensating controls if rotation cannot be enabled.

Known False Positives

  • Keys used for asymmetric operations where rotation is not applicable
  • Short-lived keys created for specific one-time operations
  • Legacy applications with key rotation compatibility issues
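The review step above (inspect the key configuration, then enable rotation with a period that matches policy) and the first false-positive case (asymmetric keys, which Cloud KMS cannot rotate automatically) can be scripted against the JSON that `gcloud kms keys list --format=json` returns. The following is an added example, not AlphaSOC's detection logic or any GCP tooling: the key records, the project and key names, and the 90-day policy threshold are constructed assumptions. It classifies each key as a finding, OK, or not applicable, and builds the `gcloud kms keys update` command that enables rotation for the keys that need it.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of what `gcloud kms keys list --format=json` returns for a key
# ring. Resource names and timestamps are illustrative, not real resources.
SAMPLE_KEYS_JSON = json.dumps([
    {   # symmetric key with no rotation configured -> finding
        "name": "projects/example-proj/locations/us/keyRings/app-kr/cryptoKeys/data-key",
        "purpose": "ENCRYPT_DECRYPT",
        "createTime": "2024-01-10T12:00:00Z",
        "versionTemplate": {"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", "protectionLevel": "SOFTWARE"},
    },
    {   # symmetric key rotating every 90 days (7776000s) -> ok
        "name": "projects/example-proj/locations/us/keyRings/app-kr/cryptoKeys/rotated-key",
        "purpose": "ENCRYPT_DECRYPT",
        "rotationPeriod": "7776000s",
        "nextRotationTime": "2025-04-01T00:00:00Z",
        "versionTemplate": {"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", "protectionLevel": "SOFTWARE"},
    },
    {   # asymmetric signing key: automatic rotation not supported -> not applicable
        "name": "projects/example-proj/locations/us/keyRings/app-kr/cryptoKeys/signing-key",
        "purpose": "ASYMMETRIC_SIGN",
        "versionTemplate": {"algorithm": "EC_SIGN_P256_SHA256", "protectionLevel": "HSM"},
    },
])

# Assumed organisational policy: symmetric keys must rotate at least every 90 days.
MAX_ROTATION_DAYS = 90


def parse_key_name(name):
    """Split a CryptoKey resource name into project, location, keyring and key."""
    parts = name.split("/")
    # Expected layout: projects/P/locations/L/keyRings/R/cryptoKeys/K
    if len(parts) != 8 or parts[0::2] != ["projects", "locations", "keyRings", "cryptoKeys"]:
        raise ValueError(f"unexpected CryptoKey resource name: {name}")
    return {"project": parts[1], "location": parts[3], "keyring": parts[5], "key": parts[7]}


def check_rotation(key, max_days=MAX_ROTATION_DAYS):
    """Classify one CryptoKey record as 'finding', 'ok' or 'not_applicable'."""
    name = key["name"]
    purpose = key.get("purpose", "")
    # Cloud KMS supports automatic rotation only for symmetric ENCRYPT_DECRYPT keys;
    # asymmetric and MAC keys carry no rotationPeriod, so they are excluded, not flagged.
    if purpose != "ENCRYPT_DECRYPT":
        return {"name": name, "status": "not_applicable",
                "reason": f"purpose {purpose} does not support automatic rotation"}
    period = key.get("rotationPeriod")
    if not period:
        return {"name": name, "status": "finding", "reason": "no rotationPeriod configured"}
    # rotationPeriod is a protobuf Duration rendered as "<seconds>s", e.g. "7776000s".
    period_days = float(period.rstrip("s")) / 86400
    if period_days > max_days:
        return {"name": name, "status": "finding",
                "reason": f"rotationPeriod of {period_days:.0f} days exceeds the {max_days}-day policy"}
    return {"name": name, "status": "ok", "reason": f"rotates every {period_days:.0f} days"}


def audit_keys(keys_json, max_days=MAX_ROTATION_DAYS):
    """Run check_rotation over the JSON array produced by `gcloud kms keys list`."""
    return [check_rotation(k, max_days) for k in json.loads(keys_json)]


def remediation_command(name, period_days=MAX_ROTATION_DAYS, now=None):
    """Build the gcloud command that enables automatic rotation for a symmetric key."""
    parts = parse_key_name(name)
    now = now or datetime.now(timezone.utc)
    # Schedule the first rotation a day out so operators can confirm nothing pins
    # a specific key version before a new primary version is created.
    first = (now + timedelta(days=1)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f"gcloud kms keys update {parts['key']} "
        f"--keyring {parts['keyring']} --location {parts['location']} "
        f"--project {parts['project']} "
        f"--rotation-period {period_days}d --next-rotation-time {first}"
    )


if __name__ == "__main__":
    for finding in audit_keys(SAMPLE_KEYS_JSON):
        short = finding["name"].rsplit("/", 1)[-1]
        print(f"{finding['status']:<15} {short}: {finding['reason']}")
        if finding["status"] == "finding":
            print("  fix:", remediation_command(finding["name"]))
```

Against real output, feed `audit_keys` the result of `gcloud kms keys list --keyring KR --location LOC --format=json`; the `--next-rotation-time` value must be RFC 3339 in UTC, which is why the command is built from `timezone.utc`. Keys that come back `not_applicable` are the asymmetric case listed under Known False Positives and should be tuned out of the alert rather than "fixed".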