High Google KMS Crypto Key Rotation Period
- Query id: f9b7086b-deb8-4034-9330-d7fd38f1b8de
- Query name: High Google KMS Crypto Key Rotation Period
- Platform: Ansible
- Severity: Medium
- Category: Secret Management
- URL: Github
Description¶
KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
---
- name: create a key ring
google.cloud.gcp_kms_key_ring:
name: key-key-ring
location: us-central1
project: "{{ gcp_project }}"
auth_kind: "{{ gcp_cred_kind }}"
service_account_file: "{{ gcp_cred_file }}"
state: present
register: keyring
- name: create a crypto key
google.cloud.gcp_kms_crypto_key:
name: test_object
key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring
project: test_project
auth_kind: serviceaccount
rotation_period: "315356000s"
service_account_file: "/tmp/auth.pem"
state: present
- name: create a crypto key2
google.cloud.gcp_kms_crypto_key:
name: test_object
key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring
project: test_project
auth_kind: serviceaccount
service_account_file: "/tmp/auth.pem"
state: present
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
- name: create a key ring
google.cloud.gcp_kms_key_ring:
name: key-key-ring
location: us-central1
project: '{{ gcp_project }}'
auth_kind: '{{ gcp_cred_kind }}'
service_account_file: '{{ gcp_cred_file }}'
state: present
register: keyring
- name: create a crypto key
google.cloud.gcp_kms_crypto_key:
name: test_object
key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring
project: test_project
auth_kind: serviceaccount
rotation_period: 7776000s
service_account_file: /tmp/auth.pem
state: present