CMK Is Unusable
- Query id: 2844c749-bd78-4cd1-90e8-b179df827602
- Query name: CMK Is Unusable
- Platform: CloudFormation
- Severity: Medium
- Category: Availability
- CWE: Ongoing
- URL: Github
Description¶
AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
Resources:
myKey:
Type: AWS::KMS::Key
Properties:
Enabled: false
KeyPolicy:
Version: '2012-10-17'
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- :root
Action: kms:*
Resource: '*'
Tags:
- Key:
Ref: Key
Value:
Ref: Value
myKey2:
Type: AWS::KMS::Key
Properties:
Enabled: true
PendingWindowInDays: 7
KeyPolicy:
Version: '2012-10-17'
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- :root
Action: kms:*
Resource: '*'
Tags:
- Key:
Ref: Key
Value:
Ref: Value
Parameters:
Key:
Type: String
Value:
Type: String
Positive test num. 2 - json file
{
"Resources": {
"myKey": {
"Type": "AWS::KMS::Key",
"Properties": {
"Enabled": false,
"KeyPolicy": {
"Id": "key-default-1",
"Statement": [
{
"Resource": "*",
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
},
"Action": "kms:*"
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": {
"Ref": "Key"
},
"Value": {
"Ref": "Value"
}
}
]
}
},
"myKey2": {
"Type": "AWS::KMS::Key",
"Properties": {
"Tags": [
{
"Key": {
"Ref": "Key"
},
"Value": {
"Ref": "Value"
}
}
],
"Enabled": true,
"PendingWindowInDays": 7,
"KeyPolicy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
},
"Action": "kms:*",
"Resource": "*"
}
]
}
}
},
"Parameters": {
"Key": {
"Type": "String"
},
"Value": {
"Type": "String"
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
Resources:
myKey:
Type: AWS::KMS::Key
Properties:
Enabled: true
KeyPolicy:
Version: '2012-10-17'
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- :root
Action: kms:*
Resource: '*'
Tags:
- Key:
Ref: Key
Value:
Ref: Value
Parameters:
Key:
Type: String
Value:
Type: String
Negative test num. 2 - json file
{
"Resources": {
"myKey": {
"Type": "AWS::KMS::Key",
"Properties": {
"Enabled": true,
"KeyPolicy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
},
"Action": "kms:*",
"Resource": "*"
}
]
},
"Tags": [
{
"Key": {
"Ref": "Key"
},
"Value": {
"Ref": "Value"
}
}
]
}
}
},
"Parameters": {
"Key": {
"Type": "String"
},
"Value": {
"Type": "String"
}
}
}