feat(core): Adding Automatic rotation to KMS Key (#619)

* Adding Automatic rotation to KMS Key
* enable encryption on SSM encryption key
* remove stmt from docs

Co-authored-by: Brian969 <56414362+Brian969@users.noreply.github.com>

Author: naveenkoppula

docs/installation/installation.md

@@ -423,7 +423,6 @@ Issues in Older Releases:
 - VPC Endpoints have no Name tags applied as CloudFormation does not currently support tagging VPC Endpoints.
 - If the Organization Management (root) account coincidentally already has an ADC with the same domain name, we do not create/deploy a new ADC. You must manually create a new ADC (it won't cause issues).
 - Firewall updates are to be performed using the firewall OS based update capabilities. To update the AMI using the Accelerator, you must first remove the firewalls and then redeploy them (as the EIP's will block a parallel deployment), or deploy a second parallel FW cluster and de-provision the first cluster when ready.
-- At this time we have not automated the rotation of KMS Customer Managed Keys. This is a roadmap item for a future release.
 
 ---
 

src/deployments/cdk/src/deployments/defaults/shared.ts

@@ -18,6 +18,7 @@ export function createDefaultS3Key(props: { accountStack: AccountStack }): KmsDe
   const encryptionKey = new kms.Key(accountStack, 'DefaultKey', {
     alias: `alias/${keyAlias}`,
     description: `Default bucket encryption key`,
+    enableKeyRotation: true,
   });
   encryptionKey.addToResourcePolicy(
     new iam.PolicyStatement({

src/deployments/cdk/src/deployments/defaults/step-1.ts

@@ -83,6 +83,7 @@ function createCentralBucketCopy(props: DefaultsStep1Props) {
   const encryptionKey = new kms.Key(masterAccountStack, 'CentralBucketKey', {
     alias: `alias/${keyAlias}`,
     description: 'Key used to encrypt/decrypt the copy of central S3 bucket',
+    enableKeyRotation: true,
   });
 
   const bucket = new s3.Bucket(masterAccountStack, 'CentralBucketCopy', {
@@ -380,6 +381,7 @@ function createDefaultEbsEncryptionKey(props: DefaultsStep1Props): AccountRegion
       const key = new kms.Key(accountStack, 'EbsDefaultEncryptionKey', {
         alias: `alias/${keyAlias}`,
         description: 'Key used to encrypt/decrypt EBS by default',
+        enableKeyRotation: true,
       });
 
       key.addToResourcePolicy(

src/deployments/cdk/src/deployments/ssm/session-manager.ts

@@ -71,6 +71,8 @@ export async function step1(props: SSMStep1Props) {
       const ssmKey = new Key(accountStack, 'SSM-Key', {
         alias: `alias/${keyAlias}`,
         trustAccountIdentities: true,
+        description: 'Key used to encrypt/decrypt SSM',
+        enableKeyRotation: true,
       });
       ssmKey.grantEncryptDecrypt(new AccountPrincipal(cdk.Aws.ACCOUNT_ID));
       ssmKey.grantEncryptDecrypt(new ServicePrincipal('logs.amazonaws.com'));

src/lib/cdk-accelerator/src/core/secrets-container.ts

@@ -40,6 +40,7 @@ export class SecretsContainer extends cdk.Construct {
     this.encryptionKey = new kms.Key(this, `EncryptionKey`, {
       alias: `alias/${this.keyAlias}`,
       description: 'Key used to encrypt/decrypt secrets',
+      enableKeyRotation: true,
     });
 
     this.encryptionKey.addToResourcePolicy(