AWS Security Hub · KMS
KMS.4: KMS key rotation should be enabled
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub KMS.4 check?
KMS.4 fails when a customer-managed KMS key does not have automatic key rotation enabled. Rotation is off by default for customer-managed keys, which creates a standing finding the moment you create one.
Why does KMS.4 matter?
Rotating the backing key material on a schedule bounds how much ciphertext depends on any single key version, so a future cryptographic weakness or a compromised key version has a limited blast radius. The key ID, ARN, aliases and key policy do not change: AWS keeps every previous version of the material and uses the right one transparently when decrypting older ciphertext, so rotation is invisible to workloads and there is no re-encryption to perform. Two caveats worth knowing before you sell it internally: rotation does not re-protect data already encrypted under an older version (that needs an explicit re-encrypt), and retained versions are not free, although KMS bills a rotated key at a capped flat rate rather than per accumulated version, so the cost does not grow with the rotation count.
How do I fix KMS.4?
- Find customer-managed keys with rotation disabled via get-key-rotation-status.
- Enable rotation with enable-key-rotation; the default schedule is once a year, configurable from 90 to 2,560 days with --rotation-period-in-days. If the first rotation must happen now rather than on the next scheduled date, rotate-key-on-demand rotates an eligible key immediately (AWS limits how many on-demand rotations a single key may have).
- Verify with get-key-rotation-status that KeyRotationEnabled is now true, then make rotation the default in your key-provisioning IaC (enable_key_rotation = true on Terraform's aws_kms_key, EnableKeyRotation: true on AWS::KMS::Key) so new keys never start out non-compliant.
Remediation script · bash

```bash
# KMS.4 remediation. Needs kms:ListKeys, kms:DescribeKey, kms:GetKeyRotationStatus and
# kms:EnableKeyRotation, plus kms:CancelKeyDeletion and kms:EnableKey for the first loop.
set -euo pipefail
ROTATION_DAYS="${ROTATION_DAYS:-365}"   # 90..2560; 365 matches the AWS default

# Stop the irreversible clock first: cancel any scheduled deletion, then re-enable.
# Review the output before trusting it: a pending deletion may have been intentional.
for k in $(aws kms list-keys --query 'Keys[].KeyId' --output text); do
  state=$(aws kms describe-key --key-id "$k" \
            --query 'KeyMetadata.KeyState' --output text)
  if [ "$state" = "PendingDeletion" ]; then
    aws kms cancel-key-deletion --key-id "$k"
    aws kms enable-key --key-id "$k"   # cancellation leaves the key Disabled
    echo "$k: deletion cancelled and re-enabled"
  fi
done

# Turn rotation on for eligible customer-managed symmetric keys. Skips AWS-managed keys,
# asymmetric and HMAC specs, imported or custom-key-store material (Origin != AWS_KMS),
# keys that are not Enabled, and multi-Region replicas (rotation is set on the primary).
for k in $(aws kms list-keys --query 'Keys[].KeyId' --output text); do
  read -r mgr spec origin state mrtype <<<"$(aws kms describe-key --key-id "$k" \
    --query 'KeyMetadata.[KeyManager,KeySpec,Origin,KeyState,MultiRegionConfiguration.MultiRegionKeyType]' \
    --output text)"
  [ "$mgr" = "CUSTOMER" ] && [ "$spec" = "SYMMETRIC_DEFAULT" ] && [ "$origin" = "AWS_KMS" ] \
    && [ "$state" = "Enabled" ] && [ "$mrtype" != "REPLICA" ] || continue
  rotating=$(aws kms get-key-rotation-status --key-id "$k" \
               --query 'KeyRotationEnabled' --output text)
  if [ "$rotating" != "True" ]; then
    aws kms enable-key-rotation --key-id "$k" --rotation-period-in-days "$ROTATION_DAYS"
    echo "$k: rotation enabled (every $ROTATION_DAYS days)"
  fi
done
```

Full walkthrough (console steps, edge cases and verification) in the lesson Manage KMS encryption keys.
Is KMS.4 a false positive?
Rarely. AWS-managed keys rotate on their own and are out of scope, and asymmetric keys, HMAC keys, keys with imported material and keys backed by a custom key store (CloudHSM or external) can't use automatic rotation at all, so the control applies only to eligible customer-managed symmetric keys with KMS-generated material. Two cases that look like false positives but aren't: a multi-Region replica inherits its rotation setting from the primary key, so the fix belongs on the primary; and a Disabled key keeps its rotation setting but cannot change it until it is re-enabled, so enable the key (or schedule its deletion) rather than leaving the finding open.
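Before touching anything, it helps to triage a whole account's keys into "fix here", "fix on the primary", "blocked by key state" and "not in scope". The following is an added example written for this page, not code from the lesson or from AWS: classify_key() is a pure function over the KeyMetadata fields that kms:DescribeKey returns (KeyManager, KeySpec, Origin, KeyState, MultiRegionConfiguration) plus the KeyRotationEnabled flag from kms:GetKeyRotationStatus, so it can be exercised offline; triage_keys() drives it against any object exposing the three boto3 KMS methods it calls, and only calls EnableKeyRotation on keys whose verdict is ENABLE. The verdict names, StubKMS and the SAMPLE_KEYS metadata (including the placeholder account 111122223333) are constructed for the demo and are not real AWS data.

```python
"""KMS.4 triage: per-key verdict on whether automatic rotation can be enabled.

classify_key() is pure (DescribeKey metadata + GetKeyRotationStatus flag in, verdict out).
triage_keys() works against a real boto3 KMS client or the constructed StubKMS below.
Verdict names are this example's own, not Security Hub terminology."""
from __future__ import annotations

ELIGIBLE_SPEC = "SYMMETRIC_DEFAULT"

def classify_key(meta: dict, rotation_enabled: bool | None) -> tuple[str, str]:
    """Return (verdict, reason); verdicts: OUT_OF_SCOPE, INELIGIBLE, FIX_ON_PRIMARY,
    BLOCKED, COMPLIANT, ENABLE. Order matters: scope, then spec, then origin, then state."""
    if meta.get("KeyManager") != "CUSTOMER":
        return "OUT_OF_SCOPE", "AWS-managed key; AWS rotates it"
    if meta.get("KeySpec") != ELIGIBLE_SPEC:
        return "INELIGIBLE", f"{meta.get('KeySpec')} (asymmetric/HMAC) cannot auto-rotate"
    if meta.get("Origin") != "AWS_KMS":
        return "INELIGIBLE", f"Origin {meta.get('Origin')}: imported or custom-key-store material"
    mrc = meta.get("MultiRegionConfiguration") or {}
    if mrc.get("MultiRegionKeyType") == "REPLICA":
        primary = (mrc.get("PrimaryKey") or {}).get("Arn", "<unknown>")
        return "FIX_ON_PRIMARY", f"replica; rotation is set on primary {primary}"
    state = meta.get("KeyState")
    if state == "PendingDeletion":
        return "BLOCKED", "pending deletion; decide whether to cancel-key-deletion first"
    if state != "Enabled":
        return "BLOCKED", f"KeyState {state}; rotation setting cannot change until Enabled"
    if rotation_enabled:
        return "COMPLIANT", "automatic rotation already on"
    return "ENABLE", "eligible key with rotation off"

def triage_keys(kms, key_ids, apply: bool = False, rotation_period_days: int | None = None):
    """Classify each key; with apply=True, call EnableKeyRotation on ENABLE verdicts."""
    if rotation_period_days is not None and not 90 <= rotation_period_days <= 2560:
        raise ValueError("RotationPeriodInDays must be between 90 and 2560")
    results = []
    for key_id in key_ids:
        meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        rotating = None
        # Only query rotation status where the answer can matter and the call is valid.
        if meta.get("KeyManager") == "CUSTOMER" and meta.get("KeyState") in ("Enabled", "Disabled"):
            rotating = kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]
        verdict, reason = classify_key(meta, rotating)
        if apply and verdict == "ENABLE":
            params = {"KeyId": key_id}
            if rotation_period_days is not None:
                params["RotationPeriodInDays"] = rotation_period_days
            kms.enable_key_rotation(**params)
            verdict = "ENABLED"
        results.append((key_id, verdict, reason))
    return results

class StubKMS:
    """Constructed offline stand-in for a boto3 KMS client; records EnableKeyRotation calls."""
    def __init__(self, metas: dict, rotating: set):
        self.metas, self.rotating, self.enabled = metas, rotating, []
    def describe_key(self, KeyId):
        return {"KeyMetadata": self.metas[KeyId]}
    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": KeyId in self.rotating}
    def enable_key_rotation(self, KeyId, **kw):
        self.enabled.append((KeyId, kw.get("RotationPeriodInDays")))

def _meta(**over):
    base = {"KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
            "Origin": "AWS_KMS", "KeyState": "Enabled"}
    return {**base, **over}

SAMPLE_KEYS = {  # constructed sample, not real key IDs or ARNs
    "aws-managed": _meta(KeyManager="AWS"),
    "rsa": _meta(KeySpec="RSA_2048"),
    "imported": _meta(Origin="EXTERNAL"),
    "replica": _meta(MultiRegion=True, MultiRegionConfiguration={
        "MultiRegionKeyType": "REPLICA",
        "PrimaryKey": {"Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-example", "Region": "us-east-1"}}),
    "pending": _meta(KeyState="PendingDeletion"),
    "disabled": _meta(KeyState="Disabled"),
    "rotated": _meta(),
    "plain": _meta(),
}

def demo(apply: bool = True):
    """Run the triage over SAMPLE_KEYS; returns (results, EnableKeyRotation calls made)."""
    stub = StubKMS(SAMPLE_KEYS, rotating={"rotated"})
    results = triage_keys(stub, list(SAMPLE_KEYS), apply=apply, rotation_period_days=365)
    return results, stub.enabled

def main(apply: bool = False, rotation_period_days: int | None = None):
    import boto3  # only needed against a real account
    kms = boto3.client("kms")
    key_ids = [k["KeyId"] for page in kms.get_paginator("list_keys").paginate()
               for k in page["Keys"]]
    for key_id, verdict, reason in triage_keys(kms, key_ids, apply, rotation_period_days):
        print(f"{key_id}\t{verdict}\t{reason}")

if __name__ == "__main__":
    import sys
    main(apply="--apply" in sys.argv)
```

Run it without --apply first and diff the ENABLE rows against the Security Hub findings: anything Security Hub flags that lands in INELIGIBLE or OUT_OF_SCOPE is worth a second look at the key's metadata, and FIX_ON_PRIMARY rows tell you which region's finding is the one to act on.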