CMK Is Unusable

  • Query id: 133fee21-37ef-45df-a563-4d07edc169f4
  • Query name: CMK Is Unusable
  • Platform: Ansible
  • Severity: Medium
  • Category: Availability
  • URL: Github

Description

AWS Key Management Service (KMS) should hold only usable Customer Master Keys (CMKs): each CMK must have the attribute 'enabled' set to true, and the attribute 'pending_window' must be left undefined.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Update IAM policy on an existing KMS key1
  community.aws.aws_kms:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: false

Positive test num. 2 - yaml file
- name: Update IAM policy on an existing KMS key2
  community.aws.aws_kms:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    pending_window: 8

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Update IAM policy on an existing KMS key
  community.aws.aws_kms:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: true
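The rule in the description and the three samples above can be checked statically before a playbook is run. The following is an added example, not KICS' own implementation and not code from the Ansible project: it walks a list of already-parsed tasks (the shape PyYAML's safe_load would give for a playbook's task list) and reports every aws_kms task that disables the key or sets a pending window. The module names it recognises (the FQCN and the short form) and the module's default of enabled being true are assumptions; the fixtures are constructed to mirror the page's samples.

```python
# Added example: static check for the "CMK Is Unusable" rule over parsed Ansible tasks.
# Fixtures below are constructed; this is not KICS' or Ansible's own code.
from typing import Any, Dict, List, Tuple

# Module keys this check inspects (assumption: FQCN and short name of aws_kms)
KMS_MODULES = ("community.aws.aws_kms", "aws_kms")

# String spellings Ansible treats as false when a boolean is quoted
FALSY_STRINGS = {"false", "no", "off", "0"}


def _is_false(value: Any) -> bool:
    """Return True when an Ansible boolean-ish value evaluates to false."""
    if isinstance(value, bool):
        return value is False
    if isinstance(value, str):
        return value.strip().lower() in FALSY_STRINGS
    return False


def check_task(task: Dict[str, Any]) -> List[str]:
    """Return the reasons a single task leaves its CMK unusable ([] if none)."""
    reasons: List[str] = []
    for module in KMS_MODULES:
        if module in task:
            params = task[module] or {}
            break
    else:
        return reasons  # not an aws_kms task; nothing to check
    # 'enabled' defaults to true in the module (assumption), so only an
    # explicit false value is flagged
    if "enabled" in params and _is_false(params["enabled"]):
        reasons.append("enabled is false")
    # the rule requires pending_window to be undefined, so any value is flagged
    if "pending_window" in params:
        reasons.append(f"pending_window is set ({params['pending_window']})")
    return reasons


def find_unusable_cmks(tasks: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (task name, reason) pairs for every finding across a task list."""
    findings: List[Tuple[str, str]] = []
    for task in tasks:
        for reason in check_task(task):
            findings.append((task.get("name", "<unnamed>"), reason))
    return findings


# Constructed fixtures mirroring the page's two positive and one negative sample
_POLICY = ('{"Version": "2012-10-17", "Id": "my-kms-key-permissions", '
           '"Statement": [ { <SOME STATEMENT> } ]}')

SAMPLE_TASKS: List[Dict[str, Any]] = [
    {   # Positive test 1: key explicitly disabled
        "name": "Update IAM policy on an existing KMS key1",
        "community.aws.aws_kms": {
            "alias": "my-kms-key", "policy": _POLICY,
            "state": "present", "enabled": False,
        },
    },
    {   # Positive test 2: pending deletion window defined
        "name": "Update IAM policy on an existing KMS key2",
        "community.aws.aws_kms": {
            "alias": "my-kms-key", "policy": _POLICY,
            "state": "present", "pending_window": 8,
        },
    },
    {   # Negative test 1: enabled and no pending window
        "name": "Update IAM policy on an existing KMS key",
        "community.aws.aws_kms": {
            "alias": "my-kms-key", "policy": _POLICY,
            "state": "present", "enabled": True,
        },
    },
]

if __name__ == "__main__":
    for name, reason in find_unusable_cmks(SAMPLE_TASKS):
        print(f"[CMK Is Unusable] task '{name}': {reason}")
```

Running the script reports the two positive samples and stays silent on the negative one; in a real pipeline the task list would come from yaml.safe_load on each play's tasks.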