High Access Key Rotation Period

• Query id: 800fa019-49dd-421b-9042-7331fdd83fa2
• Query name: High Access Key Rotation Period
• Platform: CloudFormation
• Severity: Medium
• Category: Secret Management
• CWE: 522
• URL: Github

Description

ConfigRule should enforce access keys to be rotated within 90 days.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

Resources:
  ConfigRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: access-keys-rotated
      InputParameters:
        maxAccessKeyAge: 100
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
      MaximumExecutionFrequency: TwentyFour_Hours

Positive test num. 2 - json file

{
  "Resources": {
    "ConfigRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "access-keys-rotated",
        "InputParameters": {
          "maxAccessKeyAge": 100
        },
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "ACCESS_KEYS_ROTATED"
        },
        "MaximumExecutionFrequency": "TwentyFour_Hours"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

Resources:
  ConfigRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: access-keys-rotated
      InputParameters:
        maxAccessKeyAge: 90
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
      MaximumExecutionFrequency: TwentyFour_Hours

Negative test num. 2 - json file

{
  "Resources": {
    "ConfigRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "MaximumExecutionFrequency": "TwentyFour_Hours",
        "ConfigRuleName": "access-keys-rotated",
        "InputParameters": {
          "maxAccessKeyAge": 90
        },
        "Source": {
          "SourceIdentifier": "ACCESS_KEYS_ROTATED",
          "Owner": "AWS"
        }
      }
    }
  }
}