High Access Key Rotation Period
- Query id: 800fa019-49dd-421b-9042-7331fdd83fa2
- Query name: High Access Key Rotation Period
- Platform: CloudFormation
- Severity: Medium
- Category: Secret Management
- CWE: Ongoing
- URL: Github
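Description
An AWS::Config::ConfigRule that uses the ACCESS_KEYS_ROTATED managed rule should enforce rotation of access keys within 90 days, that is, maxAccessKeyAge should not exceed 90.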
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
Resources:
  ConfigRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: access-keys-rotated
      InputParameters:
        maxAccessKeyAge: 100
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
      MaximumExecutionFrequency: TwentyFour_Hours
Positive test num. 2 - json file
{
  "Resources": {
    "ConfigRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "access-keys-rotated",
        "InputParameters": {
          "maxAccessKeyAge": 100
        },
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "ACCESS_KEYS_ROTATED"
        },
        "MaximumExecutionFrequency": "TwentyFour_Hours"
      }
    }
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
Resources:
  ConfigRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: access-keys-rotated
      InputParameters:
        maxAccessKeyAge: 90
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
      MaximumExecutionFrequency: TwentyFour_Hours
Negative test num. 2 - json file
{
  "Resources": {
    "ConfigRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "MaximumExecutionFrequency": "TwentyFour_Hours",
        "ConfigRuleName": "access-keys-rotated",
        "InputParameters": {
          "maxAccessKeyAge": 90
        },
        "Source": {
          "SourceIdentifier": "ACCESS_KEYS_ROTATED",
          "Owner": "AWS"
        }
      }
    }
  }
}
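The check the samples above exercise, as an added Python example (not the query's own code): it scans a JSON CloudFormation template for ACCESS_KEYS_ROTATED rules whose maxAccessKeyAge exceeds 90. The function names and the handling of missing, string-encoded, or non-numeric values are assumptions of this example.

```python
import json

MAX_AGE_DAYS = 90  # threshold stated in the description above


def find_high_rotation_periods(template_text):
    """Return (logical_id, reason) for each ACCESS_KEYS_ROTATED rule that fails the check."""
    findings = []
    resources = json.loads(template_text).get("Resources", {})
    for logical_id, resource in resources.items():
        if resource.get("Type") != "AWS::Config::ConfigRule":
            continue
        props = resource.get("Properties", {})
        if props.get("Source", {}).get("SourceIdentifier") != "ACCESS_KEYS_ROTATED":
            continue
        params = props.get("InputParameters", {})
        if isinstance(params, str):  # InputParameters may be supplied as a JSON string
            params = json.loads(params)
        age = params.get("maxAccessKeyAge")
        if age is None:
            # Assumption of this example: an unset value is reported for review.
            findings.append((logical_id, "maxAccessKeyAge is not set"))
            continue
        try:
            days = int(age)  # accepts 100 and "100"; rejects intrinsics such as {"Ref": ...}
        except (TypeError, ValueError):
            findings.append((logical_id, f"maxAccessKeyAge is not a number: {age!r}"))
            continue
        if days > MAX_AGE_DAYS:
            findings.append((logical_id, f"maxAccessKeyAge is {days}, above {MAX_AGE_DAYS}"))
    return findings


def sample_template(age):
    """Constructed template mirroring the page's JSON samples, with the given maxAccessKeyAge."""
    return json.dumps({"Resources": {"ConfigRule": {
        "Type": "AWS::Config::ConfigRule",
        "Properties": {
            "ConfigRuleName": "access-keys-rotated",
            "InputParameters": {"maxAccessKeyAge": age},
            "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"},
            "MaximumExecutionFrequency": "TwentyFour_Hours",
        }}}})


if __name__ == "__main__":
    for age in (100, 90, "120", {"Ref": "MaxAge"}):
        print(age, find_high_rotation_periods(sample_template(age)))
```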