CloudAgent gives you AI agents that manage your cloud infrastructure. They handle tasks like security compliance, cost optimization, deployments, and monitoring. You remain in control as agents show you their plans, wait for your approval, then execute. Think of it as having a cloud operations team that works 24/7 without needing to hire an army of cloud experts.

How can AI agents be trusted with production cloud infrastructure?

You stay in control through approval workflows where every infrastructure change can require human approval before execution, custom security controls with granular access rules, complete audit trails of every action, self-hosted deployment options, and progressive trust models starting with read-only access.

How does it actually reduce costs?

CloudAgent agents delete unused resources, schedule non-production shutdowns, right-size infrastructure based on usage patterns, and recommend architectural optimizations. Early customers report 15-40% cost reduction within 90 days. Unlike dashboards, CloudAgent actually fixes the problems.

1. Assessment Phase

Enumerate KMS customer managed keys in scope
Gather rotation-relevant metadata for each KMS customer managed key
Determine which KMS customer managed keys support automatic rotation
User: Approve rotation for eligible KMS customer managed keys

2. Configuration Phase

Enable automatic rotation on approved KMS customer managed keys

3. Validation Phase

Confirm automatic rotation is active on configured KMS keys

1 Credits

Enable Automatic Rotation for Eligible KMS Customer Managed Keys

Overview

Enable automatic rotation on your eligible AWS KMS customer managed keys to strengthen cryptographic hygiene and reduce key management risk. The plan walks through discovering all in-scope keys, identifying which ones support automatic rotation, guiding you through which keys to enable, applying the configuration, and finally validating that rotation is active and auditable.

The workflow is organized into three phases:

Assessment – Inventory KMS customer managed keys and determine which are eligible for automatic rotation.
Configuration – Enable automatic rotation on the user-approved set of eligible keys.
Validation – Confirm that rotation is enabled as expected and produce an auditable summary.

Execution Details

Assessment Phase

This phase builds a complete, rotation-aware view of your KMS customer managed keys across the target regions.

Enumerate KMS customer managed keys in scope
- Collect all KMS keys in the specified regions and filter down to customer managed keys, excluding AWS managed and AWS owned keys.
- For each key, capture core attributes such as KeyId, KeyArn, region, KeyManager, KeyState, and KeySpec.
- Store the inventory in a structured format (for example, JSON or a table) and verify that the count aligns with what KMS reports for those regions.
Gather rotation-relevant metadata for each KMS customer managed key
- For every inventoried key, enrich the data with rotation-related details: description, creation date, enabled/disabled state, key usage (ENCRYPT_DECRYPT, SIGN_VERIFY, etc.), key type/spec (such as SYMMETRIC_DEFAULT, RSA, ECC), and key origin (AWS_KMS, EXTERNAL, AWS_CLOUDHSM).
- Collect helpful identification data such as primary aliases and a summary of key policies if needed.
- Join all metadata back to each KeyId/KeyArn so every customer managed key has a complete rotation profile suitable for review.
Determine which KMS customer managed keys support automatic rotation
- Apply eligibility rules to the metadata, including symmetric keys that support automatic rotation and excluding non-supported types such as certain asymmetric, HMAC, external, or CloudHSM keys.
- Remove keys in states where enabling rotation is inappropriate (for example, pending deletion).
- Produce two clear views:
  - Rotation‑eligible keys that do not currently have automatic rotation enabled (primary target list).
  - Rotation‑eligible keys that already have rotation enabled (for visibility only).
- Ensure each eligible key entry includes region, description, usage, spec/type, enabled state, and current rotation status, and store this in a structured dataset for the next step.
User: Approve rotation for eligible KMS customer managed keys
- Present you with the rotation-eligible keys that currently lack automatic rotation, including key identifiers, region, description, usage, type, enabled status, and rotation status.
- Clearly distinguish keys that already have automatic rotation enabled so you can see the full posture without changing them.
- Guide you through reviewing this list and selecting exactly which keys should have automatic rotation turned on, ensuring the choices align with your security and compliance requirements.
- Capture and persist the final, user-approved list of keys (with KeyId and region) that will proceed to the configuration phase.

Configuration Phase

This phase applies the chosen rotation settings to the approved keys.

Enable automatic rotation on approved KMS customer managed keys
- Load the user-approved list of keys selected for rotation.
- For each key, perform a fresh eligibility check (confirming it remains an appropriate type, not pending deletion, and still has rotation disabled to avoid redundant updates).
- Enable automatic key rotation using KMS defaults for eligible customer managed keys (for example, annual rotation for symmetric keys).
- Record the outcome per key, capturing both successes and any failures along with reasons such as unsupported key type or disabled key state.
- Produce and store structured reports of:
  - Keys where automatic rotation was successfully enabled.
  - Keys where rotation could not be enabled and the associated error context.

Validation Phase

This phase verifies that rotation has been successfully enabled and produces evidence suitable for audit or later review.

Confirm automatic rotation is active on configured KMS keys
- Re-check the current rotation configuration for all keys that were reported as successfully updated.
- Validate that automatic rotation is now enabled for each of these keys and identify any discrepancies where it is not.
- Compile a concise validation summary that includes:
  - Total number of keys requested for rotation.
  - Keys with rotation successfully confirmed as enabled.
  - Keys where rotation is not enabled as expected, along with details.
- Store this validation summary in an auditable format and align it with the configuration results so you maintain a clear end-to-end record of the rotation rollout.