High Google KMS Crypto Key Rotation Period

  • Query id: f9b7086b-deb8-4034-9330-d7fd38f1b8de
  • Query name: High Google KMS Crypto Key Rotation Period
  • Platform: Ansible
  • Severity: Medium
  • Category: Secret Management
  • CWE: Ongoing
  • URL: Github

Description

Cloud KMS crypto keys created with google.cloud.gcp_kms_crypto_key should set rotation_period to 90 days (7776000s) or less. The query flags a task that omits rotation_period, in which case the key is never rotated automatically, as well as one that sets it above that value. Automatic rotation only creates a new primary key version; ciphertext produced under earlier versions stays decryptable until those versions are disabled or destroyed, so a short rotation period limits how much data any single key version protects and how long a leaked version keeps encrypting new data. It does not retroactively protect data already encrypted. Note that Cloud KMS applies rotation_period only to symmetric keys; asymmetric keys do not support automatic rotation and must be rotated manually.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- name: create a key ring
  google.cloud.gcp_kms_key_ring:
    name: key-key-ring
    location: us-central1
    project: "{{ gcp_project }}"
    auth_kind: "{{ gcp_cred_kind }}"
    service_account_file: "{{ gcp_cred_file }}"
    state: present
  register: keyring

- name: create a crypto key
  google.cloud.gcp_kms_crypto_key:
    name: test_object
    key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring
    project: test_project
    auth_kind: serviceaccount
    # 315356000s is roughly 3650 days (about 10 years), far above the 90-day limit
    rotation_period: "315356000s"
    service_account_file: "/tmp/auth.pem"
    state: present

- name: create a crypto key2
  google.cloud.gcp_kms_crypto_key:
    name: test_object
    key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring
    project: test_project
    auth_kind: serviceaccount
    # rotation_period omitted: automatic rotation is never enabled for this key
    service_account_file: "/tmp/auth.pem"
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: create a key ring
  google.cloud.gcp_kms_key_ring:
    name: key-key-ring
    location: us-central1
    project: '{{ gcp_project }}'
    auth_kind: '{{ gcp_cred_kind }}'
    service_account_file: '{{ gcp_cred_file }}'
    state: present
  register: keyring

- name: create a crypto key
  google.cloud.gcp_kms_crypto_key:
    name: test_object
    key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring
    project: test_project
    auth_kind: serviceaccount
    # 7776000s is exactly 90 days, the largest value this query accepts
    rotation_period: 7776000s
    service_account_file: /tmp/auth.pem
    state: present
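The following is an added example, not KICS's own query implementation, showing how the check above can be applied statically to a playbook. It walks an already-loaded task list (the structure yaml.safe_load would return for the samples above, embedded here as constructed Python dicts) and reports each google.cloud.gcp_kms_crypto_key task whose rotation_period is missing, longer than 90 days, or a Jinja expression that cannot be evaluated before runtime. The templated case is an assumption added for illustration and does not appear in the page's samples.

```python
"""Static rotation_period check for google.cloud.gcp_kms_crypto_key tasks.

Added example, not the KICS query itself. Operates on a playbook that has
already been loaded into Python structures (as yaml.safe_load would do).
"""
import re

MODULE = "google.cloud.gcp_kms_crypto_key"
MAX_ROTATION_SECONDS = 90 * 24 * 3600  # 7776000s, the threshold the query uses
# Cloud KMS duration literal: whole seconds, optional fraction, trailing 's'
DURATION_RE = re.compile(r"^\s*(\d+(?:\.\d{1,9})?)s\s*$")


def parse_duration_seconds(value):
    """Return the duration in seconds, or None when value is not a literal
    duration (for example a Jinja template such as "{{ kms_rotation }}")."""
    if value is None:
        return None
    m = DURATION_RE.match(str(value))
    return float(m.group(1)) if m else None


def check_task(task):
    """Classify one task dict. Returns (status, detail) with status in
    'ok', 'missing', 'too_long', 'undetermined', or None for other modules."""
    params = task.get(MODULE)
    if params is None:
        return None
    raw = params.get("rotation_period")
    if raw is None:
        return ("missing", "no rotation_period set; key will never auto-rotate")
    seconds = parse_duration_seconds(raw)
    if seconds is None:
        # Templated values cannot be judged statically; report rather than pass silently
        return ("undetermined", f"rotation_period {raw!r} is not a literal duration")
    if seconds > MAX_ROTATION_SECONDS:
        return ("too_long", f"{raw} is {seconds / 86400:.0f} days, limit is 90")
    return ("ok", f"{raw} is {seconds / 86400:.0f} days")


def find_violations(tasks):
    """Return [(task name, status, detail)] for every crypto-key task not 'ok'."""
    findings = []
    for task in tasks:
        result = check_task(task)
        if result and result[0] != "ok":
            findings.append((task.get("name", "<unnamed>"), result[0], result[1]))
    return findings


# Constructed sample: the page's positive and negative tasks as loaded dicts,
# plus one templated value (an assumption, not from the page) as an edge case.
SAMPLE_TASKS = [
    {"name": "create a key ring",
     "google.cloud.gcp_kms_key_ring": {"name": "key-key-ring", "location": "us-central1"}},
    {"name": "create a crypto key",
     MODULE: {"name": "test_object", "rotation_period": "315356000s"}},
    {"name": "create a crypto key2",
     MODULE: {"name": "test_object"}},
    {"name": "create a crypto key (templated)",
     MODULE: {"name": "test_object", "rotation_period": "{{ kms_rotation }}"}},
    {"name": "create a crypto key (compliant)",
     MODULE: {"name": "test_object", "rotation_period": "7776000s"}},
]

if __name__ == "__main__":
    for name, status, detail in find_violations(SAMPLE_TASKS):
        print(f"{status:12} {name}: {detail}")
```

On the sample above the key-ring task is ignored, the 10-year key is reported as too_long, the key without rotation_period as missing, the templated key as undetermined, and the 90-day key passes. Treating undetermined values as findings is deliberate: a variable that is only resolved at run time is exactly the case a static scanner would otherwise wave through.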