
Metadata

Id: 22fbfeac-7b5a-421a-8a27-7a2178bb910b

Cloud Provider: aws

Framework: Terraform

Severity: Low

Category: Observability

Description

Customer Master Keys (CMKs) created using AWS Key Management Service (KMS) should have automatic key rotation enabled to enhance cryptographic security. Failing to set the enable_key_rotation attribute to true may increase the risk of key compromise, as cryptographic keys used over extended periods are more susceptible to brute-force or other attacks. Enabling rotation ensures the key material is automatically replaced annually, reducing exposure and supporting compliance with security best practices.

resource "aws_kms_key" "example" {
  description         = "KMS key with rotation enabled"
  is_enabled          = true
  enable_key_rotation = true
}

Compliant Code Examples

resource "aws_kms_key" "negative3" {
  description              = "KMS key 3"
  customer_master_key_spec = "RSA_2048"
}
resource "aws_kms_key" "negative2" {
  description              = "KMS key 2"
  customer_master_key_spec = "RSA_4096"
}
resource "aws_kms_key" "negative1" {
  description         = "KMS key 1"
  is_enabled          = true
  enable_key_rotation = true
}

Non-Compliant Code Examples

resource "aws_kms_key" "positive2" {
  description         = "KMS key 2"
  is_enabled          = true
  enable_key_rotation = false
}
resource "aws_kms_key" "positive3" {
  description              = "KMS key 3"
  is_enabled               = true
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation      = false
}
resource "aws_kms_key" "positive4" {
  description              = "KMS key 4"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation      = false
}
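As an added example (not part of this rule page or the Terraform AWS provider), a small Python checker that applies the rule's logic to blocks like the ones above: an omitted customer_master_key_spec is treated as SYMMETRIC_DEFAULT and an omitted enable_key_rotation as false, matching the provider defaults, and asymmetric (RSA_*, ECC_*) and HMAC_* specs are exempt because KMS cannot rotate them automatically, which is why the RSA keys above count as compliant. The regex parser and SAMPLE_HCL are assumptions that cover only flat blocks of the shape shown on this page.

```python
import re

# Assumption: only the symmetric default spec supports automatic rotation; AWS KMS
# cannot auto-rotate asymmetric (RSA_*, ECC_*) or HMAC_* keys, so they are exempt.
ROTATABLE_SPECS = {"SYMMETRIC_DEFAULT"}

BLOCK_RE = re.compile(r'resource\s+"aws_kms_key"\s+"([^"]+)"\s*\{(.*?)\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)

def parse_kms_keys(hcl: str) -> dict:
    """Extract aws_kms_key blocks as {name: {attribute: value}}.
    Deliberately minimal (assumption): flat blocks with scalar attributes."""
    return {
        name: {k: v.strip('"') for k, v in ATTR_RE.findall(body)}
        for name, body in BLOCK_RE.findall(hcl)
    }

def is_compliant(attrs: dict) -> bool:
    # An omitted spec means SYMMETRIC_DEFAULT; an omitted enable_key_rotation
    # means false (the provider default), which is exactly what the rule flags.
    spec = attrs.get("customer_master_key_spec", "SYMMETRIC_DEFAULT")
    if spec not in ROTATABLE_SPECS:
        return True  # rotation cannot be enabled on this key type
    return attrs.get("enable_key_rotation", "false") == "true"

def find_violations(hcl: str) -> list:
    """Names of aws_kms_key resources that fail the rotation check."""
    return sorted(n for n, a in parse_kms_keys(hcl).items() if not is_compliant(a))

# Constructed sample: a subset of the page's examples plus one block that
# omits enable_key_rotation entirely (fails, since the attribute defaults to false).
SAMPLE_HCL = '''
resource "aws_kms_key" "negative1" {
  enable_key_rotation = true
}
resource "aws_kms_key" "negative2" {
  customer_master_key_spec = "RSA_4096"
}
resource "aws_kms_key" "positive2" {
  enable_key_rotation = false
}
resource "aws_kms_key" "positive4" {
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation      = false
}
resource "aws_kms_key" "omitted" {}
'''

if __name__ == "__main__":
    print(find_violations(SAMPLE_HCL))  # ['omitted', 'positive2', 'positive4']
```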