CMK Rotation Disabled

  • Query id: 22fbfeac-7b5a-421a-8a27-7a2178bb910b
  • Query name: CMK Rotation Disabled
  • Platform: Terraform
  • Severity: High
  • Category: Observability
  • URL: Github

Description

Customer Master Keys (CMKs) must have automatic key rotation enabled: on an enabled key, the attribute 'enable_key_rotation' must be set to 'true'.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_kms_key" "positive1" {
  description = "KMS key 1"
}

Positive test num. 2 - tf file
resource "aws_kms_key" "positive2" {
  description         = "KMS key 2"
  is_enabled          = true
  enable_key_rotation = false
}

Positive test num. 3 - tf file
resource "aws_kms_key" "positive3" {
  description              = "KMS key 3"
  is_enabled               = true
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation      = false
}

Positive test num. 4 - tf file
resource "aws_kms_key" "positive4" {
  description              = "KMS key 4"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation      = false
}

Positive test num. 5 - tf file
resource "aws_kms_key" "positive5" {
  description              = "KMS key 5"
  customer_master_key_spec = "RSA_2048"
  enable_key_rotation      = true
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_kms_key" "negative1" {
  description         = "KMS key 1"
  is_enabled          = true
  enable_key_rotation = true
}

Negative test num. 2 - tf file
resource "aws_kms_key" "negative2" {
  description              = "KMS key 2"
  customer_master_key_spec = "RSA_4096"
}

Negative test num. 3 - tf file
resource "aws_kms_key" "negative3" {
  description              = "KMS key 3"
  customer_master_key_spec = "RSA_2048"
}

Negative test num. 4 - tf file
resource "aws_kms_key" "negative4" {
  description              = "KMS key 4"
  customer_master_key_spec = "RSA_3072"
}

Negative test num. 5 - tf file
resource "aws_kms_key" "negative5" {
  description              = "KMS key 5"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation      = true
}
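
The rule as the samples above define it can be reproduced with a small checker. The following is an added example, not part of this page or of the KICS project's own query implementation: a minimal regex-based reader for flat aws_kms_key blocks (strings and booleans only, no nested blocks or expressions) and the decision logic inferred from the positive and negative samples. It relies on the Terraform provider defaults for omitted attributes (customer_master_key_spec = "SYMMETRIC_DEFAULT", is_enabled = true, enable_key_rotation = false). The extra "disabled1" resource is constructed here to exercise the "when the key is enabled" clause of the description, which no sample on the page covers; treating a disabled key as compliant is this example's reading of that clause.

```python
import re

# Constructed input: a subset of the aws_kms_key resources shown on this page,
# plus one extra key ("disabled1", not on the page) whose is_enabled = false
# exercises the "when the key is enabled" clause of the description.
SAMPLE_TF = '''
resource "aws_kms_key" "positive1" {
  description = "KMS key 1"
}

resource "aws_kms_key" "positive2" {
  description         = "KMS key 2"
  is_enabled          = true
  enable_key_rotation = false
}

resource "aws_kms_key" "positive4" {
  description              = "KMS key 4"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation      = false
}

resource "aws_kms_key" "positive5" {
  description              = "KMS key 5"
  customer_master_key_spec = "RSA_2048"
  enable_key_rotation      = true
}

resource "aws_kms_key" "negative1" {
  description         = "KMS key 1"
  is_enabled          = true
  enable_key_rotation = true
}

resource "aws_kms_key" "negative2" {
  description              = "KMS key 2"
  customer_master_key_spec = "RSA_4096"
}

resource "aws_kms_key" "negative5" {
  description              = "KMS key 5"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation      = true
}

resource "aws_kms_key" "disabled1" {
  description         = "constructed: key kept disabled, rotation not required"
  is_enabled          = false
  enable_key_rotation = false
}
'''

# One aws_kms_key block: resource "aws_kms_key" "<name>" { <body> }
RESOURCE_RE = re.compile(r'resource\s+"aws_kms_key"\s+"([^"]+)"\s*\{(.*?)\}', re.S)
# One flat attribute line inside a block: key = value
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)


def _coerce(raw: str):
    """Turn the HCL literals used here (quoted strings, booleans) into Python values."""
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw


def parse_kms_keys(hcl: str) -> dict:
    """Minimal reader for flat aws_kms_key blocks; returns {resource name: {attr: value}}."""
    keys = {}
    for match in RESOURCE_RE.finditer(hcl):
        name, body = match.group(1), match.group(2)
        keys[name] = {k: _coerce(v) for k, v in ATTR_RE.findall(body)}
    return keys


def rotation_findings(keys: dict) -> list:
    """Apply the rule as this page's samples define it.

    Omitted attributes take the provider defaults (SYMMETRIC_DEFAULT, is_enabled
    true, enable_key_rotation false). An enabled symmetric key without rotation is
    reported (positive 1-4); a non-symmetric spec with enable_key_rotation = true
    is also reported (positive 5), while the same spec without it is compliant
    (negative 2-4). A disabled key is left alone (assumption from the description).
    """
    findings = []
    for name, attrs in keys.items():
        spec = attrs.get("customer_master_key_spec", "SYMMETRIC_DEFAULT")
        enabled = attrs.get("is_enabled", True)
        rotation = attrs.get("enable_key_rotation", False)
        if spec == "SYMMETRIC_DEFAULT":
            if enabled and not rotation:
                findings.append((name, "enable_key_rotation missing or false on an enabled symmetric key"))
        elif rotation:
            findings.append((name, f"enable_key_rotation = true set on non-symmetric key spec {spec}"))
    return findings


def scan(hcl: str) -> list:
    """Sorted names of the aws_kms_key resources that fail the check."""
    return sorted(name for name, _ in rotation_findings(parse_kms_keys(hcl)))


if __name__ == "__main__":
    for name, reason in rotation_findings(parse_kms_keys(SAMPLE_TF)):
        print(f"{name}: {reason}")
```

Running the module lists positive1, positive2, positive4 and positive5 with their reasons and nothing for the negative samples or the constructed disabled key. For real code bases, feed the parser's output from a proper HCL library instead of the regex reader; the decision logic in rotation_findings stays the same.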