CMK Rotation Disabled

  • Query id: af96d737-0818-4162-8c41-40d969bd65d1
  • Query name: CMK Rotation Disabled
  • Platform: Ansible
  • Severity: High
  • Category: Observability
  • URL: Github

Description

Customer Master Keys (CMKs) must have automatic rotation enabled: whenever the key is enabled (`enabled: true`), the attribute 'enable_key_rotation' must be set to 'true'. Both omitting the attribute and setting it to 'false' produce a finding.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

- name: Update IAM policy on an existing KMS key
  community.aws.aws_kms:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: true

Positive test num. 2 - yaml file

- name: Update IAM policy on an existing KMS key2
  community.aws.aws_kms:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: true
    enable_key_rotation: false

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

- name: Update IAM policy on an existing KMS key3
  community.aws.aws_kms:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: true
    enable_key_rotation: true
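The rule above, implemented as a small standalone checker (added example, not KICS's own query code). It assumes the playbook has already been parsed into task dictionaries (for instance with PyYAML), that `enabled` defaults to true as the module's default does, and that the short module name `aws_kms` resolves to the same module; the three sample tasks are constructed inline to mirror the page's samples, with the policy omitted.

```python
"""Detect community.aws.aws_kms tasks that leave CMK rotation disabled."""
from typing import Any, Dict, List, Tuple

# Module names the checker recognises: the FQCN used on the page plus the
# short name Ansible resolves to it (short-name handling is an assumption).
KMS_MODULES = {"community.aws.aws_kms", "aws_kms"}


def _as_bool(value: Any, default: bool) -> bool:
    """Normalise YAML/Ansible booleans (True, 'true', 'yes', 'on', '1')."""
    if value is None:
        return default
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"true", "yes", "on", "1"}


def find_rotation_disabled(tasks: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (task name, reason) for every KMS task that violates the rule.

    Rule: when the key is enabled, enable_key_rotation must be true.
    Assumptions: `enabled` defaults to true (the module default) and tasks
    with state: absent are not checked because they delete the key.
    """
    findings: List[Tuple[str, str]] = []
    for task in tasks:
        module = next((m for m in KMS_MODULES if m in task), None)
        if module is None:
            continue
        params = task.get(module) or {}
        if not isinstance(params, dict):
            continue  # free-form module invocation; nothing to inspect
        if str(params.get("state", "present")).lower() == "absent":
            continue
        if not _as_bool(params.get("enabled"), default=True):
            continue  # a disabled key is out of scope for this rule
        name = task.get("name", "<unnamed>")
        if "enable_key_rotation" not in params:
            findings.append((name, "enable_key_rotation is not set"))
        elif not _as_bool(params["enable_key_rotation"], default=False):
            findings.append((name, "enable_key_rotation is false"))
    return findings


# Constructed sample tasks mirroring the page's three samples (policy omitted).
SAMPLE_TASKS = [
    {"name": "Update IAM policy on an existing KMS key",
     "community.aws.aws_kms": {"alias": "my-kms-key", "state": "present", "enabled": True}},
    {"name": "Update IAM policy on an existing KMS key2",
     "community.aws.aws_kms": {"alias": "my-kms-key", "state": "present", "enabled": True,
                               "enable_key_rotation": False}},
    {"name": "Update IAM policy on an existing KMS key3",
     "community.aws.aws_kms": {"alias": "my-kms-key", "state": "present", "enabled": True,
                               "enable_key_rotation": True}},
]

if __name__ == "__main__":
    for task_name, reason in find_rotation_disabled(SAMPLE_TASKS):
        print(f"{task_name}: {reason}")
```

Run against the samples, the two positive tests are reported and the negative test is silent.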