turbot/ibm_compliance

Control: 8.1.1 Ensure IBM Key Protect has automated rotation for customer managed keys enabled

Description

In Key Protect, you can set a rotation policy for a key or manually rotate the key.

IBM Cloud Key Management Service (KMS): Key Protect (KP) allows customers to rotate the Data Encryption Key (DEK) which is key material stored within the KMS Hardware Security Module (HSM), which is tied to the key ID of the Customer Created customer master key (CMK). It is the DEK that is used to perform cryptographic operations such as encryption and decryption. When it's time to rotate the key based on the rotation interval that you specify, Key Protect automatically replaces the root key with new key material.

Automated key rotation currently retains all prior DEK keys so that decryption of encrypted data can take place transparently.

Remediation

From Console

  1. Log in to IBM Cloud
  2. Go to Menu > Resource List to view a list of your resources.
  3. From your IBM Cloud resource list, select your provisioned instance of Key Protect.
  4. On the application details page, use the Keys table to browse the keys in your service.
  5. Click the [?] icon to open a list of options for a specific key.
  6. From the options menu, click Manage policy to manage the rotation policy for the key.
  7. From the list of rotation options, select a frequency of rotation in months. If your key has an existing rotation policy, the interface displays the key's existing rotation period.
  8. Click Create policy to set the policy for the key.

Usage

Run the control in your terminal:

powerpipe control run ibm_compliance.control.cis_v100_8_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_8_1_1 --share

SQL

This control uses a named query:

manual_control

Tags