CMK Rotation Disabled
- Query id: 22fbfeac-7b5a-421a-8a27-7a2178bb910b
- Query name: CMK Rotation Disabled
- Platform: Terraform
- Severity: High
- Category: Observability
- URL: Github
Description¶
Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 2 - tf file
resource "aws_kms_key" "positive2" {
description = "KMS key 2"
is_enabled = true
enable_key_rotation = false
}
Positive test num. 3 - tf file
resource "aws_kms_key" "positive3" {
description = "KMS key 3"
is_enabled = true
customer_master_key_spec = "SYMMETRIC_DEFAULT"
enable_key_rotation = false
}
Positive test num. 4 - tf file
Positive test num. 5 - tf file
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_kms_key" "negative1" {
description = "KMS key 1"
is_enabled = true
enable_key_rotation = true
}
Negative test num. 2 - tf file
resource "aws_kms_key" "negative2" {
description = "KMS key 2"
customer_master_key_spec = "RSA_4096"
}
Negative test num. 3 - tf file
resource "aws_kms_key" "negative3" {
description = "KMS key 3"
customer_master_key_spec = "RSA_2048"
}