CMK Is Unusable
- Query id: 133fee21-37ef-45df-a563-4d07edc169f4
- Query name: CMK Is Unusable
- Platform: Ansible
- Severity: Medium
- Category: Availability
- URL: Github
Description
AWS Key Management Service (KMS) must only hold usable Customer Master Keys (CMKs): each CMK must have the attribute 'enabled' set to true, and the attribute 'pending_window' must be undefined (setting 'pending_window' schedules the key for deletion).
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
# Flagged: the CMK is explicitly disabled, so it cannot be used
- name: Update IAM policy on an existing KMS key1
  community.aws.aws_kms:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: false
```
Positive test num. 2 - yaml file
```yaml
# Flagged: pending_window schedules the CMK for deletion
- name: Update IAM policy on an existing KMS key2
  community.aws.aws_kms:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    pending_window: 8
```
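The following checker is an added example, not part of this page or of the KICS project's own query engine. It implements the rule described above over Ansible tasks in the Python structure Ansible produces after parsing a playbook: any `community.aws.aws_kms` task that sets `enabled` to a false value or defines `pending_window` is reported. The sample tasks at the bottom are constructed and mirror the two positive tests above plus a compliant task; the module-name set and the `check_task`/`check_tasks` function names are this example's own choices.

```python
"""Detect unusable-CMK configurations in parsed Ansible tasks.

Mirrors the query described above: a community.aws.aws_kms task is flagged
when it sets 'enabled' to false or defines 'pending_window' (which schedules
the key for deletion). Tasks are given as the Python structures Ansible
produces after parsing a playbook's YAML; SAMPLE_TASKS below is constructed.
"""

# Module names the query applies to (FQCN and the short name); assumption of this example.
KMS_MODULE_NAMES = {"community.aws.aws_kms", "aws_kms"}

# Strings Ansible accepts as boolean false (YAML booleans already arrive as bool).
_FALSE_STRINGS = {"false", "no", "off", "0", "n", "f"}


def is_false(value):
    """Return True when an Ansible-style boolean value evaluates to false."""
    if isinstance(value, bool):          # bool before int: bool is an int subclass
        return not value
    if isinstance(value, str):
        return value.strip().lower() in _FALSE_STRINGS
    if isinstance(value, int):
        return value == 0
    return False


def find_kms_args(task):
    """Return (module_name, args) if the task invokes the KMS module, else None."""
    for name in KMS_MODULE_NAMES:
        if name in task:
            return name, task[name] or {}
    return None


def check_task(task):
    """Return a list of findings (strings) for one task; an empty list means compliant."""
    found = find_kms_args(task)
    if found is None:
        return []
    module, args = found
    if not isinstance(args, dict):       # free-form string args are not inspected here
        return []
    findings = []
    label = task.get("name", "<unnamed task>")
    # 'enabled' defaults to true, so only an explicit false value is a finding.
    if "enabled" in args and is_false(args["enabled"]):
        findings.append(f"{label}: {module} sets enabled={args['enabled']!r}; CMK is disabled")
    # Any defined pending_window schedules the key for deletion.
    if args.get("pending_window") is not None:
        findings.append(
            f"{label}: {module} sets pending_window={args['pending_window']!r}; "
            "CMK is scheduled for deletion"
        )
    return findings


def check_tasks(tasks):
    """Run check_task over a task list and return all findings."""
    return [finding for task in tasks for finding in check_task(task)]


# Constructed sample: tasks in the shape Ansible yields after YAML parsing.
SAMPLE_TASKS = [
    {
        "name": "Disabled key",
        "community.aws.aws_kms": {"alias": "my-kms-key", "state": "present", "enabled": False},
    },
    {
        "name": "Key scheduled for deletion",
        "community.aws.aws_kms": {"alias": "my-kms-key", "state": "present", "pending_window": 8},
    },
    {
        "name": "Usable key",
        "community.aws.aws_kms": {"alias": "my-kms-key", "state": "present", "enabled": True},
    },
    {"name": "Unrelated module", "ansible.builtin.debug": {"msg": "hello"}},
]

if __name__ == "__main__":
    for finding in check_tasks(SAMPLE_TASKS):
        print(finding)
```

Running the block prints two findings, one per positive test above, and nothing for the usable key or the unrelated task. To scan a real playbook, load it with a YAML parser and pass the resulting task list to `check_tasks`; string booleans such as `enabled: "no"` are handled by `is_false`, matching how Ansible interprets them.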