High KMS Key Rotation Period

• Query id: cb319d87-b90f-485e-a7e7-f2408380f309
• Query name: High KMS Key Rotation Period
• Platform: Terraform
• Severity: Medium
• Category: Secret Management
• URL: Github

Description

KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "alicloud_kms_key" "keypos1" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  automatic_rotation      = "Disabled"
}

Positive test num. 2 - tf file

resource "alicloud_kms_key" "keypos1" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  automatic_rotation      = "Enabled"
  rotation_interval      = "366d"
}

Positive test num. 3 - tf file

resource "alicloud_kms_key" "keypos1" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  automatic_rotation      = "Enabled"
  rotation_interval      = "31536010s"
}

Positive test num. 4 - tf file

resource "alicloud_kms_key" "keypos1" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "alicloud_kms_key" "key" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  automatic_rotation      = "Enabled"
  rotation_interval      = "7d"
}