CMK Rotation Disabled
- Query id: af96d737-0818-4162-8c41-40d969bd65d1
- Query name: CMK Rotation Disabled
- Platform: Ansible
- Severity: High
- Category: Observability
- URL: Github
Description
Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
- name: Update IAM policy on an existing KMS key
  community.aws.aws_kms:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: true
    # enable_key_rotation is not set, so rotation is left disabled
```
Positive test num. 2 - yaml file
```yaml
- name: Update IAM policy on an existing KMS key2
  community.aws.aws_kms:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: true
    enable_key_rotation: false   # rotation explicitly disabled
```
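The following script, added here as an illustration and not part of the KICS query or the Ansible module, applies the rule from the description to a list of already-parsed Ansible tasks: when the key is managed with `state: present` and is enabled, `enable_key_rotation` must be `true`, and a missing attribute counts as disabled. It assumes the module's documented defaults (`state: present`, `enabled: true`) and that the short name `aws_kms` resolves to the same module as the FQCN; the sample tasks are constructed from the two positive tests above plus a compliant and a disabled-key case.

```python
"""Flag Ansible tasks that manage an enabled KMS CMK without key rotation."""

# Module names the check applies to: the FQCN used on this page and the short
# alias (assumption: both resolve to the same module).
KMS_MODULES = ("community.aws.aws_kms", "aws_kms")


def _truthy(value) -> bool:
    """Interpret YAML/Ansible boolean spellings (True, 'yes', 'true', 'on', '1')."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"true", "yes", "on", "1"}


def kms_task_params(task: dict):
    """Return the aws_kms parameters of a task, or None if it is not a KMS task."""
    for module in KMS_MODULES:
        if module in task:
            return task[module] or {}
    return None


def rotation_findings(tasks: list) -> list:
    """Return the names of tasks that violate 'CMK Rotation Disabled'.

    Rule: state is present (assumed module default) and the key is enabled
    (assumed module default), but enable_key_rotation is absent or not true.
    """
    findings = []
    for task in tasks:
        params = kms_task_params(task)
        if params is None:
            continue
        if str(params.get("state", "present")).lower() != "present":
            continue  # key is being deleted; rotation is irrelevant
        if not _truthy(params.get("enabled", True)):
            continue  # description only requires rotation for enabled keys
        if not _truthy(params.get("enable_key_rotation", False)):
            findings.append(task.get("name", "<unnamed task>"))
    return findings


# Constructed sample input: the page's two positive tests plus two compliant tasks.
SAMPLE_TASKS = [
    {"name": "Update IAM policy on an existing KMS key",
     "community.aws.aws_kms": {"alias": "my-kms-key", "state": "present", "enabled": True}},
    {"name": "Update IAM policy on an existing KMS key2",
     "community.aws.aws_kms": {"alias": "my-kms-key", "state": "present", "enabled": True,
                               "enable_key_rotation": False}},
    {"name": "Create key with rotation",
     "community.aws.aws_kms": {"alias": "rotated-key", "enable_key_rotation": "yes"}},
    {"name": "Disabled key, rotation not required",
     "community.aws.aws_kms": {"alias": "old-key", "enabled": False}},
]

if __name__ == "__main__":
    for name in rotation_findings(SAMPLE_TASKS):
        print(f"CMK Rotation Disabled: {name}")
```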