CMK Rotation Disabled
- Query id: 1c07bfaf-663c-4f6f-b22b-8e2d481e4df5
- Query name: CMK Rotation Disabled
- Platform: CloudFormation
- Severity: High
- Category: Observability
- URL: Github
Description
Customer Master Keys (CMK), which AWS now calls KMS keys, must have automatic key rotation enabled: every enabled 'AWS::KMS::Key' resource must set 'EnableKeyRotation' to 'true'. The property defaults to 'false' in CloudFormation, so omitting it is flagged just like setting it to 'false' explicitly. Automatic rotation is only available for symmetric encryption keys whose key material was generated by KMS; asymmetric keys, HMAC keys and keys with imported key material ('Origin: EXTERNAL') cannot be rotated automatically and need a documented manual rotation process instead.
Documentation
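The check described above, re-implemented as an added example in Python (it is not KICS's own Rego query): it walks the Resources of a parsed CloudFormation template, reports every enabled AWS::KMS::Key whose EnableKeyRotation is not literally true, and separates out keys that KMS cannot rotate automatically so they are triaged rather than "fixed" with a flag that would fail at deploy time. The sample template, the function names and the PyYAML short-form tag handling are this example's own assumptions.

```python
"""Re-implementation of the "CMK Rotation Disabled" rule over a parsed
CloudFormation template. Added example, not KICS's own Rego query."""
from __future__ import annotations

import json
from typing import Any

# Constructed sample (JSON form of this page's positive test, plus a compliant
# key, an asymmetric key and a non-KMS resource to exercise every branch).
SAMPLE_TEMPLATE = """
{
  "Resources": {
    "myKey":   {"Type": "AWS::KMS::Key", "Properties": {"Enabled": true}},
    "myKey2":  {"Type": "AWS::KMS::Key",
                "Properties": {"Enabled": true, "EnableKeyRotation": false}},
    "goodKey": {"Type": "AWS::KMS::Key",
                "Properties": {"Enabled": true, "EnableKeyRotation": true}},
    "rsaKey":  {"Type": "AWS::KMS::Key",
                "Properties": {"KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY"}},
    "bucket":  {"Type": "AWS::S3::Bucket"}
  }
}
"""


def load_template(text: str) -> dict[str, Any]:
    """Parse a template given as JSON, or as YAML when PyYAML is installed.

    CloudFormation YAML may use short-form intrinsic tags (!Ref, !Join, !Sub)
    that yaml.SafeLoader rejects; a catch-all constructor keeps the tagged
    node's plain value, which is enough because this check never resolves
    intrinsics. (Assumption: PyYAML is only needed for YAML input.)
    """
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        pass
    import yaml  # optional dependency, only imported for YAML templates

    class CfnLoader(yaml.SafeLoader):
        pass

    def keep_tagged_value(loader, tag_suffix, node):
        if isinstance(node, yaml.SequenceNode):
            return loader.construct_sequence(node)
        if isinstance(node, yaml.MappingNode):
            return loader.construct_mapping(node)
        return loader.construct_scalar(node)

    CfnLoader.add_multi_constructor("!", keep_tagged_value)
    return yaml.load(text, Loader=CfnLoader)


def check_kms_key_rotation(template: dict[str, Any]) -> list[dict[str, str]]:
    """Return one finding per enabled AWS::KMS::Key whose EnableKeyRotation
    is not literally true.

    - An omitted property is a finding: CloudFormation defaults it to false.
    - Enabled defaults to true, so only an explicit Enabled: false is skipped.
    - Keys KMS cannot rotate automatically (asymmetric or HMAC KeySpec, or
      imported material via Origin: EXTERNAL) get a distinct reason, because
      setting EnableKeyRotation: true on them fails at deploy time; they need
      a manual rotation procedure instead.
    """
    findings: list[dict[str, str]] = []
    resources = template.get("Resources") or {}
    for name, res in resources.items():
        if not isinstance(res, dict) or res.get("Type") != "AWS::KMS::Key":
            continue
        props = res.get("Properties") or {}
        if props.get("Enabled") is False:
            continue  # rule scope is enabled keys
        rotation = props.get("EnableKeyRotation")
        if rotation is True:
            continue
        key_spec = props.get("KeySpec", "SYMMETRIC_DEFAULT")
        origin = props.get("Origin", "AWS_KMS")
        if key_spec != "SYMMETRIC_DEFAULT" or origin != "AWS_KMS":
            reason = (f"automatic rotation not supported for KeySpec={key_spec}, "
                      f"Origin={origin}; document a manual rotation procedure")
        elif rotation is None:
            reason = "EnableKeyRotation not set (defaults to false)"
        else:
            reason = f"EnableKeyRotation is {rotation!r}, must be true"
        findings.append({"resource": name, "reason": reason})
    return findings


def scan(text: str) -> list[dict[str, str]]:
    """Convenience wrapper: parse the template text, then run the check."""
    return check_kms_key_rotation(load_template(text))


if __name__ == "__main__":
    for finding in scan(SAMPLE_TEMPLATE):
        print(f"{finding['resource']}: {finding['reason']}")
```

Run it against a real template with `scan(open("template.yaml").read())`; for YAML input PyYAML must be installed. The asymmetric-key branch is the caveat worth keeping: a blanket "set EnableKeyRotation: true everywhere" remediation will break stacks that contain signing or HMAC keys.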
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
#this is a problematic code where the query should report a result(s)
Resources:
  myKey:
    # Flagged: EnableKeyRotation is omitted, and CloudFormation defaults it to false
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: AWS::AccountId
                    - ':root'
            Action: kms:*
            Resource: '*'
      Tags:
        - Key:
            Ref: Key
          Value:
            Ref: Value
  myKey2:
    # Flagged: rotation explicitly disabled
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      EnableKeyRotation: false
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: AWS::AccountId
                    - ':root'
            Action: kms:*
            Resource: '*'
      Tags:
        - Key:
            Ref: Key
          Value:
            Ref: Value
Parameters:
  Key:
    Type: String
  Value:
    Type: String
```
Positive test num. 2 - json file
```json
{
  "Resources": {
    "myKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Enabled": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:iam::",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":root"
                    ]
                  ]
                }
              },
              "Action": "kms:*",
              "Resource": "*",
              "Sid": "Enable IAM User Permissions"
            }
          ]
        },
        "Tags": [
          {
            "Key": {
              "Ref": "Key"
            },
            "Value": {
              "Ref": "Value"
            }
          }
        ]
      }
    },
    "myKey2": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Enabled": true,
        "EnableKeyRotation": false,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:iam::",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":root"
                    ]
                  ]
                }
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        },
        "Tags": [
          {
            "Key": {
              "Ref": "Key"
            },
            "Value": {
              "Ref": "Value"
            }
          }
        ]
      }
    }
  },
  "Parameters": {
    "Key": {
      "Type": "String"
    },
    "Value": {
      "Type": "String"
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
#this code is a correct code for which the query should not find any result
Resources:
  myKey:
    # Compliant: rotation explicitly enabled on an enabled symmetric key
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: AWS::AccountId
                    - ':root'
            Action: kms:*
            Resource: '*'
      Tags:
        - Key:
            Ref: Key
          Value:
            Ref: Value
Parameters:
  Key:
    Type: String
  Value:
    Type: String
```
Negative test num. 2 - json file
```json
{
  "Resources": {
    "myKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Enabled": true,
        "EnableKeyRotation": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:iam::",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":root"
                    ]
                  ]
                }
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        },
        "Tags": [
          {
            "Key": {
              "Ref": "Key"
            },
            "Value": {
              "Ref": "Value"
            }
          }
        ]
      }
    }
  },
  "Parameters": {
    "Key": {
      "Type": "String"
    },
    "Value": {
      "Type": "String"
    }
  }
}
```