Metadata

Id: 133fee21-37ef-45df-a563-4d07edc169f4

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Availability

Description

KMS Customer Master Keys (CMKs) must be usable, as disabled or scheduled-for-deletion keys cannot decrypt data and may cause service outages or data inaccessibility.

In Ansible amazon.aws.kms_key tasks, ensure that enabled is defined and set to true, and that pending_window is not defined. Tasks with enabled set to false, or with enabled undefined, are flagged. Any task that sets pending_window (which schedules the key for deletion) is also flagged, because the key becomes unusable once the pending window expires.

Secure example for Ansible:

- name: create KMS key
  amazon.aws.kms_key:
    name: my-key
    description: "Key for encrypting secrets"
    state: present
    enabled: true

Compliant Code Examples

- name: Update IAM policy on an existing KMS key
  amazon.aws.kms_key:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: true

Non-Compliant Code Examples

- name: Update IAM policy on an existing KMS key2
  amazon.aws.kms_key:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    pending_window: 8
- name: Update IAM policy on an existing KMS key1
  amazon.aws.kms_key:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: false
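As an added illustration (not Datadog's own rule implementation), the check below applies the rule described above to the three tasks on this page. Tasks are taken as plain dicts, the shape that yaml.safe_load() produces for a play's task list, so it runs without a YAML dependency; the set of accepted truthy values for enabled follows Ansible's boolean conventions and is an assumption of this example.

```python
# Added example: flag amazon.aws.kms_key tasks that leave a CMK unusable.
# Assumption: tasks arrive as dicts, as yaml.safe_load() yields for a task list.

KMS_KEY_MODULES = {"amazon.aws.kms_key"}  # extend with FQCN aliases if your playbooks use them


def _is_true(value) -> bool:
    """Ansible-style boolean: True, or a truthy string such as yes/true/on/1 (assumption)."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"true", "yes", "on", "1"}


def check_kms_task(task: dict) -> list[str]:
    """Return findings for one task; an empty list means compliant or not a KMS task."""
    module = next((m for m in KMS_KEY_MODULES if m in task), None)
    if module is None:
        return []
    args = task.get(module)
    if not isinstance(args, dict):  # free-form "k=v" args carry no enabled/pending_window
        args = {}
    findings = []
    if "pending_window" in args:
        findings.append("pending_window schedules the key for deletion")
    if "enabled" not in args:
        findings.append("enabled is not defined")
    elif not _is_true(args["enabled"]):
        findings.append("enabled is not true")
    return findings


def check_playbook(tasks: list[dict]) -> dict[str, list[str]]:
    """Map each flagged task name to its findings; compliant tasks are omitted."""
    report = {}
    for task in tasks:
        findings = check_kms_task(task)
        if findings:
            report[task.get("name", "<unnamed task>")] = findings
    return report


# Constructed sample: the compliant and non-compliant tasks shown on this page.
POLICY = '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": []}'
SAMPLE_TASKS = [
    {"name": "Update IAM policy on an existing KMS key",
     "amazon.aws.kms_key": {"alias": "my-kms-key", "policy": POLICY, "state": "present", "enabled": True}},
    {"name": "Update IAM policy on an existing KMS key2",
     "amazon.aws.kms_key": {"alias": "my-kms-key", "policy": POLICY, "state": "present", "pending_window": 8}},
    {"name": "Update IAM policy on an existing KMS key1",
     "amazon.aws.kms_key": {"alias": "my-kms-key", "policy": POLICY, "state": "present", "enabled": False}},
    {"name": "Unrelated task", "ansible.builtin.debug": {"msg": "hello"}},
]

if __name__ == "__main__":
    for name, findings in check_playbook(SAMPLE_TASKS).items():
        print(f"{name}: {'; '.join(findings)}")
```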