KMS Key With Vulnerable Policy
- Query id: 7ebc9038-0bde-479a-acc4-6ed7b6758899
- Query name: KMS Key With Vulnerable Policy
- Platform: Terraform
- Severity: High
- Category: Insecure Configurations
- CWE: 732
- URL: Github
Description¶
Checks if the policy is vulnerable and needs updating.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_kms_key" "positive1" {
description = "KMS key 1"
deletion_window_in_days = 10
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement":[
{
"Sid":"AddCannedAcl",
"Effect":"Allow",
"Principal": {"AWS":"*"},
"Action":["kms:*"],
"Resource":"*"
}
]
}
POLICY
}
Positive test num. 2 - tf file
resource "aws_kms_key" "positive1" {
description = "KMS key 1"
deletion_window_in_days = 10
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement":[
{
"Sid":"AddCannedAcl",
"Effect":"Allow",
"Principal": "*",
"Action":["kms:*"],
"Resource":"*"
}
]
}
POLICY
}
Positive test num. 3 - tf file
resource "aws_kms_key" "positive3" {
description = "KMS key 1"
deletion_window_in_days = 10
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_kms_key" "negative1" {
description = "KMS key 1"
deletion_window_in_days = 10
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement":[
{
"Sid":"AddCannedAcl",
"Effect":"Deny",
"Principal": {"AWS": [
"arn:aws:iam::111122223333:user/CMKUser"
]},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource":"*"
}
]
}
POLICY
}