Default KMS Key Usage
- Query id: e52395b4-250b-4c60-81d5-2e58c1d37abc
- Query name: Default KMS Key Usage
- Platform: CloudFormation
- Severity: Medium
- Category: Encryption
- CWE: 311
- Risk score: 5.2
- URL: Github
Description¶
When StorageEncrypted is set to true, KmsKeyId should be defined, to avoid the use of the default KMS Key
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: >-
AWS CloudFormation Sample Template
Parameters:
DBUsername:
NoEcho: 'true'
Description: Username for MySQL database access
Type: String
MinLength: '1'
MaxLength: '16'
AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
ConstraintDescription: must begin with a letter and contain only alphanumeric characters.
DBPassword:
NoEcho: 'true'
Description: Password MySQL database access
Type: String
MinLength: '8'
MaxLength: '41'
AllowedPattern: '[a-zA-Z0-9]*'
ConstraintDescription: must contain only alphanumeric characters.
Resources:
RDSCluster1:
Type: 'AWS::RDS::DBCluster'
Properties:
MasterUsername: !Ref DBUsername
MasterUserPassword: !Ref DBPassword
DBClusterIdentifier: my-serverless-cluster
Engine: aurora
EngineVersion: 5.6.10a
EngineMode: serverless
ScalingConfiguration:
AutoPause: true
MinCapacity: 4
MaxCapacity: 32
SecondsUntilAutoPause: 1000
StorageEncrypted: true
Positive test num. 2 - json file
{
"Parameters": {
"DBUsername": {
"NoEcho": "true",
"Description": "Username for MySQL database access",
"Type": "String",
"MinLength": "1",
"MaxLength": "16",
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
"ConstraintDescription": "must begin with a letter and contain only alphanumeric characters."
},
"DBPassword": {
"Type": "String",
"MinLength": "8",
"MaxLength": "41",
"AllowedPattern": "[a-zA-Z0-9]*",
"ConstraintDescription": "must contain only alphanumeric characters.",
"NoEcho": "true",
"Description": "Password MySQL database access"
}
},
"Resources": {
"RDSCluster1": {
"Type": "AWS::RDS::DBCluster",
"Properties": {
"DBClusterIdentifier": "my-serverless-cluster",
"Engine": "aurora",
"EngineVersion": "5.6.10a",
"EngineMode": "serverless",
"ScalingConfiguration": {
"AutoPause": true,
"MinCapacity": 4,
"MaxCapacity": 32,
"SecondsUntilAutoPause": 1000
},
"StorageEncrypted": true,
"MasterUsername": "DBUsername",
"MasterUserPassword": "DBPassword"
}
}
},
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "AWS CloudFormation Sample Template"
}
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: >-
AWS CloudFormation Sample Template
Parameters:
DBUsername:
NoEcho: 'true'
Description: Username for MySQL database access
Type: String
MinLength: '1'
MaxLength: '16'
AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
ConstraintDescription: must begin with a letter and contain only alphanumeric characters.
DBPassword:
NoEcho: 'true'
Description: Password MySQL database access
Type: String
MinLength: '8'
MaxLength: '41'
AllowedPattern: '[a-zA-Z0-9]*'
ConstraintDescription: must contain only alphanumeric characters.
Resources:
RDSCluster1:
Type: 'AWS::RDS::DBCluster'
Properties:
MasterUsername: !Ref DBUsername
MasterUserPassword: !Ref DBPassword
DBClusterIdentifier: my-serverless-cluster
Engine: aurora
EngineVersion: 5.6.10a
EngineMode: serverless
ScalingConfiguration:
AutoPause: "true"
MinCapacity: 4
MaxCapacity: 32
SecondsUntilAutoPause: 1000
StorageEncrypted: "true"
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: RDS Storage Encrypted
Parameters:
SourceDBInstanceIdentifier:
Type: String
DBInstanceType:
Type: String
SourceRegion:
Type: String
Resources:
MyKey:
Type: "AWS::KMS::Key"
Properties:
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: !Join
- ""
- - "arn:aws:iam::"
- !Ref "AWS::AccountId"
- ":root"
Action: "kms:*"
Resource: "*"
MyDBSmall:
Type: "AWS::RDS::DBInstance"
Properties:
DBInstanceClass: !Ref DBInstanceType
SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
SourceRegion: !Ref SourceRegion
KmsKeyId: !Ref MyKey
StorageEncrypted: true
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: >-
AWS CloudFormation Sample Template
Parameters:
DBUsername:
NoEcho: 'true'
Description: Username for MySQL database access
Type: String
MinLength: '1'
MaxLength: '16'
AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
ConstraintDescription: must begin with a letter and contain only alphanumeric characters.
DBPassword:
NoEcho: 'true'
Description: Password MySQL database access
Type: String
MinLength: '8'
MaxLength: '41'
AllowedPattern: '[a-zA-Z0-9]*'
ConstraintDescription: must contain only alphanumeric characters.
Resources:
MyKey-0:
Type: "AWS::KMS::Key"
Properties:
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: !Join
- ""
- - "arn:aws:iam::"
- !Ref "AWS::AccountId"
- ":root"
Action: "kms:*"
Resource: "*"
RDSCluster:
Type: 'AWS::RDS::DBCluster'
Properties:
MasterUsername: !Ref DBUsername
MasterUserPassword: !Ref DBPassword
DBClusterIdentifier: my-serverless-cluster
Engine: aurora
EngineVersion: 5.6.10a
EngineMode: serverless
ScalingConfiguration:
AutoPause: true
MinCapacity: 4
MaxCapacity: 32
SecondsUntilAutoPause: 1000
KmsKeyId: !Ref MyKey-0
StorageEncrypted: true
Negative test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "RDS Storage Encrypted",
"Parameters": {
"SourceDBInstanceIdentifier": {
"Type": "String"
},
"DBInstanceType": {
"Type": "String"
},
"SourceRegion": {
"Type": "String"
}
},
"Resources": {
"MyKey": {
"Type": "AWS::KMS::Key",
"Properties": {
"KeyPolicy": {
"Version": "2012-10-17T00:00:00Z",
"Id": "key-default-1",
"Statement": [
{
"Principal": {
"AWS": [
"",
[
"arn:aws:iam::",
"AWS::AccountId",
":root"
]
]
},
"Action": "kms:*",
"Resource": "*",
"Sid": "Enable IAM User Permissions",
"Effect": "Allow"
}
]
}
}
},
"MyDBSmall": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"SourceRegion": "SourceRegion",
"KmsKeyId": "MyKey",
"StorageEncrypted": true,
"DBInstanceClass": "DBInstanceType",
"SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier"
}
}
}
}
Negative test num. 4 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: RDS Storage Encrypted
Parameters:
SourceDBInstanceIdentifier:
Type: String
DBInstanceType:
Type: String
SourceRegion:
Type: String
Resources:
MyKey:
Type: "AWS::KMS::Key"
Properties:
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: !Join
- ""
- - "arn:aws:iam::"
- !Ref "AWS::AccountId"
- ":root"
Action: "kms:*"
Resource: "*"
MyDBSmall:
Type: "AWS::RDS::DBInstance"
Properties:
DBInstanceClass: !Ref DBInstanceType
SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
SourceRegion: !Ref SourceRegion
KmsKeyId: !Ref MyKey
StorageEncrypted: "true"
Negative test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "AWS CloudFormation Sample Template",
"Parameters": {
"DBUsername": {
"MaxLength": "16",
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
"ConstraintDescription": "must begin with a letter and contain only alphanumeric characters.",
"NoEcho": "true",
"Description": "Username for MySQL database access",
"Type": "String",
"MinLength": "1"
},
"DBPassword": {
"Type": "String",
"MinLength": "8",
"MaxLength": "41",
"AllowedPattern": "[a-zA-Z0-9]*",
"ConstraintDescription": "must contain only alphanumeric characters.",
"NoEcho": "true",
"Description": "Password MySQL database access"
}
},
"Resources": {
"MyKey-0": {
"Type": "AWS::KMS::Key",
"Properties": {
"KeyPolicy": {
"Version": "2012-10-17T00:00:00Z",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"",
[
"arn:aws:iam::",
"AWS::AccountId",
":root"
]
]
},
"Action": "kms:*",
"Resource": "*"
}
]
}
}
},
"RDSCluster": {
"Type": "AWS::RDS::DBCluster",
"Properties": {
"StorageEncrypted": true,
"MasterUsername": "DBUsername",
"DBClusterIdentifier": "my-serverless-cluster",
"ScalingConfiguration": {
"MinCapacity": 4,
"MaxCapacity": 32,
"SecondsUntilAutoPause": 1000,
"AutoPause": true
},
"EngineMode": "serverless",
"KmsKeyId": "MyKey-0",
"MasterUserPassword": "DBPassword",
"Engine": "aurora",
"EngineVersion": "5.6.10a"
}
}
}
}