The likelihood of security incidents increases when cryptographic keys are used for a long time. Thus, to strengthen the data protection it’s recommended to rotate the symmetric keys created with the Google Cloud Key Management Service (KMS) automatically and periodically. Note that it’s not possible in GCP KMS to rotate asymmetric keys automatically.

Ask Yourself Whether

• The cryptographic key is a symmetric key.
• The application requires compliance with some security standards like PCI-DSS.

Recommended Secure Coding Practices

It’s recommended to rotate keys automatically and regularly. The shorter the key period, the less data can be decrypted by an attacker if a key is compromised. So the key rotation period usually depends on the amount of data encrypted with a key or other requirements such as compliance with security standards. In general, a period of time of 90 days can be used.

Sensitive Code Example

resource "google_kms_crypto_key" "noncompliant-key" { # Sensitive: a rotation period is not defined
  name            = "crypto-key-compliant"
  key_ring        = google_kms_key_ring.keyring.id"
}

Compliant Solution

resource "google_kms_crypto_key" "compliant-key" {
  name            = "crypto-key-compliant"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "7776000s" # 90 days
}

See

• OWASP Top 10 2021 Category A2 - Cryptographic Failures
• OWASP Top 10 2017 Category A6 - Security Misconfiguration
• GCP Documentation - KMS Key rotation