KMS key rotation not enabled
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
An aws_kms_key sets enable_key_rotation to false, or omits it entirely (rotation defaults off), so the key material is never automatically rotated and a compromised key stays valid indefinitely.
Why it matters
When enable_key_rotation is false or absent, the KMS key material is never rotated automatically. If the key is ever compromised, or simply ages, there is no scheduled roll to limit the window of exposure, and long-lived key material is harder to reason about for compliance. Annual rotation is a low-effort default.
How to fix it
Set enable_key_rotation = true on customer-managed aws_kms_key resources, which enables AWS-managed annual rotation with no application changes. Note that rotation applies to symmetric keys; asymmetric and imported keys are handled differently. Apply it consistently across all your managed keys.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo