CMK Is Unusable
- Query id: 2844c749-bd78-4cd1-90e8-b179df827602
- Query name: CMK Is Unusable
- Platform: CloudFormation
- Severity: Medium
- Category: Availability
- CWE: 284
- URL: Github
Description¶
AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
myKey:
Type: AWS::KMS::Key
Properties:
Enabled: false
KeyPolicy:
Version: '2012-10-17'
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- :root
Action: kms:*
Resource: '*'
Tags:
- Key:
Ref: Key
Value:
Ref: Value
myKey2:
Type: AWS::KMS::Key
Properties:
Enabled: true
PendingWindowInDays: 7
KeyPolicy:
Version: '2012-10-17'
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- :root
Action: kms:*
Resource: '*'
Tags:
- Key:
Ref: Key
Value:
Ref: Value
Parameters:
Key:
Type: String
Value:
Type: String
Positive test num. 2 - json file
{
"Resources": {
"myKey": {
"Type": "AWS::KMS::Key",
"Properties": {
"Enabled": false,
"KeyPolicy": {
"Id": "key-default-1",
"Statement": [
{
"Resource": "*",
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
},
"Action": "kms:*"
}
],
"Version": "2012-10-17"
},
"Tags": [
{
"Key": {
"Ref": "Key"
},
"Value": {
"Ref": "Value"
}
}
]
}
},
"myKey2": {
"Type": "AWS::KMS::Key",
"Properties": {
"Tags": [
{
"Key": {
"Ref": "Key"
},
"Value": {
"Ref": "Value"
}
}
],
"Enabled": true,
"PendingWindowInDays": 7,
"KeyPolicy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
},
"Action": "kms:*",
"Resource": "*"
}
]
}
}
},
"Parameters": {
"Key": {
"Type": "String"
},
"Value": {
"Type": "String"
}
}
}
}
Positive test num. 3 - yaml file
Resources:
myKey:
Type: AWS::KMS::Key
Properties:
Enabled: "false"
KeyPolicy:
Version: '2012-10-17'
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- :root
Action: kms:*
Resource: '*'
Tags:
- Key:
Ref: Key
Value:
Ref: Value
Parameters:
Key:
Type: String
Value:
Type: String
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
Resources:
myKey:
Type: AWS::KMS::Key
Properties:
Enabled: true
KeyPolicy:
Version: '2012-10-17'
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- :root
Action: kms:*
Resource: '*'
Tags:
- Key:
Ref: Key
Value:
Ref: Value
Parameters:
Key:
Type: String
Value:
Type: String
Negative test num. 2 - json file
{
"Resources": {
"myKey": {
"Type": "AWS::KMS::Key",
"Properties": {
"Enabled": true,
"KeyPolicy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
},
"Action": "kms:*",
"Resource": "*"
}
]
},
"Tags": [
{
"Key": {
"Ref": "Key"
},
"Value": {
"Ref": "Value"
}
}
]
}
}
},
"Parameters": {
"Key": {
"Type": "String"
},
"Value": {
"Type": "String"
}
}
}
Negative test num. 3 - yaml file
Resources:
myKey:
Type: AWS::KMS::Key
Properties:
Enabled: "true"
KeyPolicy:
Version: '2012-10-17'
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS:
Fn::Join:
- ''
- - 'arn:aws:iam::'
- Ref: AWS::AccountId
- :root
Action: kms:*
Resource: '*'
Tags:
- Key:
Ref: Key
Value:
Ref: Value
Parameters:
Key:
Type: String
Value:
Type: String