# KMS Key with Rotation

## Overview
This Terraform module provisions an AWS KMS key with automatic rotation enabled, helping maintain cryptographic hygiene and meet compliance standards.
It's ideal for organizations that want to enforce secure key lifecycle practices without managing key rollover manually.

## Key Features
- Creates a customer-managed KMS key
- Enables automatic annual key rotation
- Supports alias, description, and tagging
- Usable across services like S3, Lambda, and EBS
- Ensures secure encryption workflows with minimal admin overhead
## Use Cases
- Compliance-driven environments (e.g., HIPAA, FedRAMP, PCI)
- Encrypting sensitive workloads that require key freshness
- Projects with rotating personnel or long-term cryptographic assets
- Teams standardizing encryption hygiene across services
## Input Variables
| Name | Type | Description |
|---|---|---|
| region | string | AWS region to deploy the KMS key |
| alias | string | Alias for the key (e.g., `alias/rotating-key`) |
| description | string | Description of the key for auditing and discovery |
| environment | string | Deployment environment (e.g., dev, staging, prod) |
## Outputs
| Name | Description |
|---|---|
| key_id | The unique identifier of the KMS key |
| key_arn | The ARN of the provisioned KMS key |
| alias_name | The alias assigned to the KMS key |
## Deployment Readiness

- Compatible with Terraform 1.0+
- Tested with AWS provider 5.x
- Requires IAM permissions for `kms:CreateKey`, `kms:EnableKeyRotation`, `kms:CreateAlias`, and related KMS actions

## Example Usage
```hcl
module "kms_key_rotation" {
  source      = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//security/kms-key-rotation?ref=v1.0.0"
  region      = "us-east-1"
  alias       = "alias/archiphire-rotating-key"
  description = "KMS key with auto-rotation enabled"
  environment = "prod"
}
```

```sh
terraform init
terraform plan
terraform apply
```

or

```sh
tofu init
tofu plan
tofu apply
```
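The source of the module is distributed only with the subscription package, so the following is an added, illustrative implementation of the interface described above (same inputs and outputs); it is not the Archiphire module's code. It assumes the default KMS key policy is acceptable and uses a 7-day deletion window to match the cleanup step below.

```hcl
# Illustrative module body (assumption: not the vendor's source).
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# The documented interface takes `region` as an input, so the provider is
# configured here; a root-module provider with `providers = {}` would also work.
provider "aws" {
  region = var.region
}

variable "region"      { type = string }
variable "description" { type = string }
variable "environment" { type = string }

variable "alias" {
  type = string
  # KMS aliases must begin with "alias/"; fail at plan time rather than at apply.
  validation {
    condition     = can(regex("^alias/", var.alias))
    error_message = "The alias must start with \"alias/\"."
  }
}

resource "aws_kms_key" "this" {
  description             = var.description
  enable_key_rotation     = true # AWS rotates the backing key material annually
  deletion_window_in_days = 7    # shortest allowed waiting period before deletion

  tags = {
    Environment = var.environment
  }
}

resource "aws_kms_alias" "this" {
  name          = var.alias
  target_key_id = aws_kms_key.this.key_id
}

output "key_id"     { value = aws_kms_key.this.key_id }
output "key_arn"    { value = aws_kms_key.this.arn }
output "alias_name" { value = aws_kms_alias.this.name }
```

Rotation only replaces the key material behind the same key ID and ARN, so callers referencing `key_arn` or `alias_name` need no changes when a rotation occurs.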
## Cleanup Options

Terraform Destroy (for test environments):

```sh
terraform destroy
```

or

```sh
tofu destroy
```

Manual Deletion (for production):

```sh
aws kms schedule-key-deletion --key-id "<key_id>" --pending-window-in-days 7
```

Use `aws kms list-keys` and `aws kms describe-key` to locate your key.
## Notes
This is a Level 1 security module with key rotation enabled by default. To enforce access boundaries or integrate cross-account usage, extend with KMS key policies or grants.
## Deployment Package Notice
This module is part of the Level 1 AWS License Tier. To access the full deployment package and source code, subscribe to Archiphire.