High KMS Key Rotation Period

  • Query id: cb319d87-b90f-485e-a7e7-f2408380f309
  • Query name: High KMS Key Rotation Period
  • Platform: Terraform
  • Severity: Medium
  • Category: Secret Management
  • URL: Github

Description

KMS Key should have automatic rotation enabled, and the rotation period should not be longer than a year.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "alicloud_kms_key" "keypos1" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  automatic_rotation      = "Disabled"
}
Positive test num. 2 - tf file
resource "alicloud_kms_key" "keypos1" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  automatic_rotation      = "Enabled"
  rotation_interval       = "366d"
}
Positive test num. 3 - tf file
resource "alicloud_kms_key" "keypos1" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  automatic_rotation      = "Enabled"
  rotation_interval       = "31536010s"
}

Positive test num. 4 - tf file
resource "alicloud_kms_key" "keypos1" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "alicloud_kms_key" "key" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  automatic_rotation      = "Enabled"
  rotation_interval      = "7d"
}
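As an added illustration (not part of KICS or the original page), the rule's logic in Python, run over attribute dictionaries that mirror the five samples above: a missing automatic_rotation counts as "Disabled" (the provider default), and rotation_interval values with the "d" and "s" suffixes that the samples use are normalised to seconds before comparison. The "m" and "h" suffixes and the treatment of an absent rotation_interval as a finding are assumptions of this example.

```python
import re

# One year, the threshold the query uses (365 days, expressed in seconds).
MAX_ROTATION_SECONDS = 365 * 24 * 3600

# Unit suffixes accepted for rotation_interval. The samples on the page use
# "d" and "s"; "m" and "h" are an assumption of this example.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def interval_to_seconds(value: str) -> int:
    """Convert an interval such as "7d" or "31536010s" to whole seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd])\s*", value)
    if not m:
        raise ValueError(f"unrecognised rotation_interval: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def check_kms_key(resource: dict) -> list[str]:
    """Return the findings for one alicloud_kms_key block (empty list = compliant).

    automatic_rotation must be "Enabled"; an absent attribute falls back to the
    provider default "Disabled" and therefore fails, as in positive test 4.
    """
    findings = []
    if resource.get("automatic_rotation", "Disabled") != "Enabled":
        findings.append("automatic_rotation is not Enabled")
        return findings
    interval = resource.get("rotation_interval")
    if interval is None:
        # Assumption of this example: require the period to be set explicitly.
        findings.append("rotation_interval is not set")
    elif interval_to_seconds(interval) > MAX_ROTATION_SECONDS:
        findings.append(f"rotation_interval {interval} exceeds one year")
    return findings


# Constructed inputs mirroring the page's positive (keypos*) and negative (key) samples.
SAMPLES = {
    "keypos1": {"automatic_rotation": "Disabled"},
    "keypos2": {"automatic_rotation": "Enabled", "rotation_interval": "366d"},
    "keypos3": {"automatic_rotation": "Enabled", "rotation_interval": "31536010s"},
    "keypos4": {},
    "key": {"automatic_rotation": "Enabled", "rotation_interval": "7d"},
}

if __name__ == "__main__":
    for name, attrs in SAMPLES.items():
        result = check_kms_key(attrs)
        print(f"{name}: {'FAIL: ' + '; '.join(result) if result else 'PASS'}")
```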