CMK Is Unusable
- Query id: 133fee21-37ef-45df-a563-4d07edc169f4
- Query name: CMK Is Unusable
- Platform: Ansible
- Severity: Medium
- Category: Availability
- CWE: 693
- URL: Github
Description
AWS Key Management Service (KMS) keys managed through `community.aws.aws_kms` must stay usable: the `enabled` attribute must be true (the module's default when the parameter is omitted) and the `pending_window` attribute must not be set. A task that sets `enabled: false` disables the key, so it can no longer encrypt, decrypt or sign anything; `pending_window` is the waiting period, in days, that the module passes to KMS when it schedules the key for deletion (`state: absent`), and once a key is deleted every object encrypted under it is unrecoverable. The query therefore reports any task that defines `pending_window`, whatever `state` it sets. AWS now calls these keys "KMS keys"; "Customer Master Key (CMK)" is the earlier name still used by this query and by the Ansible module.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
- name: Update IAM policy on an existing KMS key1
  community.aws.aws_kms:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: false
```
Positive test num. 2 - yaml file
```yaml
- name: Update IAM policy on an existing KMS key2
  community.aws.aws_kms:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    pending_window: 8
```
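The check this query performs, written out as an added Python example rather than KICS' own Rego query or code from the community.aws collection. It runs over the task dicts a YAML loader produces for a play, so it needs only the standard library; the sample play below is constructed and contains the two positive tests from this page, a compliant variant of the same task, and an unrelated task. The module aliases other than `community.aws.aws_kms` and the accepted spellings of a false `enabled` value are assumptions, not something the page states.

```python
"""Re-implementation of the 'CMK Is Unusable' rule over parsed Ansible tasks.

Added example: this is not KICS' own Rego query and not code from the
community.aws collection. Tasks are handled as the dicts a YAML loader
produces for a play's task list, so the check runs with the standard
library only.
"""
from __future__ import annotations

from typing import Any

# Names under which the KMS key module can appear in a task. The first two are
# the FQCN and short name used on this page; amazon.aws.kms_key / kms_key are
# assumed here to be the same module after its move into amazon.aws.
KMS_MODULE_NAMES = ("community.aws.aws_kms", "aws_kms", "amazon.aws.kms_key", "kms_key")

# Spellings users write for a false boolean (assumption: accepted in addition
# to a real bool so a quoted "no" is not silently treated as true).
FALSE_VALUES = {"false", "no", "off", "0"}


def cmk_findings(task: dict[str, Any]) -> list[str]:
    """Return one message per way this task leaves the key unusable.

    An empty list means the task is compliant or does not touch a KMS key.
    Rule: 'enabled' must be true (omitted == true) and 'pending_window'
    must not be defined at all, regardless of 'state'.
    """
    findings: list[str] = []
    for module in KMS_MODULE_NAMES:
        params = task.get(module)
        if not isinstance(params, dict):
            continue  # module absent, or written in the free-form string style
        enabled = params.get("enabled", True)
        if enabled is False or str(enabled).strip().lower() in FALSE_VALUES:
            findings.append(
                f"{module}: enabled is {enabled!r}; a disabled key cannot "
                "encrypt, decrypt or sign"
            )
        if "pending_window" in params:
            findings.append(
                f"{module}: pending_window={params['pending_window']!r} schedules "
                "the key for deletion; data encrypted under it becomes unrecoverable"
            )
    return findings


def scan_tasks(tasks: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map each non-compliant task name to its findings (compliant tasks are omitted)."""
    report: dict[str, list[str]] = {}
    for index, task in enumerate(tasks):
        name = task.get("name", f"task #{index}")
        findings = cmk_findings(task)
        if findings:
            report[name] = findings
    return report


# Constructed sample play: the two positive tests from this page, one compliant
# variant, and a task that does not touch KMS at all.
POLICY = '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
SAMPLE_TASKS: list[dict[str, Any]] = [
    {
        "name": "Update IAM policy on an existing KMS key1",
        "community.aws.aws_kms": {"alias": "my-kms-key", "policy": POLICY, "state": "present", "enabled": False},
    },
    {
        "name": "Update IAM policy on an existing KMS key2",
        "community.aws.aws_kms": {"alias": "my-kms-key", "policy": POLICY, "state": "present", "pending_window": 8},
    },
    {
        "name": "Update IAM policy on an existing KMS key (compliant)",
        "community.aws.aws_kms": {"alias": "my-kms-key", "policy": POLICY, "state": "present", "enabled": True},
    },
    {"name": "Unrelated task", "ansible.builtin.debug": {"msg": "nothing to do with KMS"}},
]

if __name__ == "__main__":
    for task_name, task_findings in scan_tasks(SAMPLE_TASKS).items():
        print(task_name)
        for finding in task_findings:
            print("  -", finding)
```

Only the two positive tests are reported; the compliant task, which sets `enabled: true` and leaves `pending_window` out, produces no findings, and a task that omits `enabled` altogether is treated as enabled because that is the module's default.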