
Metadata

Id: af96d737-0818-4162-8c41-40d969bd65d1

Cloud Provider: AWS

Platform: Ansible

Severity: Low

Category: Observability

Description

AWS KMS keys (formerly called Customer Master Keys, CMKs) must have automatic key rotation enabled. Rotation generates new backing key material on a fixed schedule, which limits the amount of data protected by any single version of the key material, narrows the window in which compromised material is still being used for new encryption, and satisfies common key-lifecycle and compliance requirements. Previous key material is retained by KMS, so data encrypted before a rotation stays decryptable.

In Ansible, for tasks using the amazon.aws.kms_key module, when enabled: true and the key is not scheduled for deletion (no pending_window defined), the enable_key_rotation property must be present and set to true. Resources missing enable_key_rotation or with enable_key_rotation: false are flagged as misconfigured. Note that AWS KMS only supports automatic rotation for symmetric encryption keys whose key material was generated by KMS; asymmetric keys, HMAC keys, keys with imported key material, and keys in custom key stores cannot be rotated automatically and must be handled by manual rotation (creating a new key and repointing the alias) instead.

Secure configuration example:

- name: Create CMK with rotation enabled
  amazon.aws.kms_key:
    name: my-key
    enabled: true
    enable_key_rotation: true

Compliant Code Examples

- name: Update IAM policy on an existing KMS key3
  amazon.aws.kms_key:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: true
    enable_key_rotation: true

Non-Compliant Code Examples

- name: Update IAM policy on an existing KMS key2
  amazon.aws.kms_key:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: true
    enable_key_rotation: false
- name: Update IAM policy on an existing KMS key
  amazon.aws.kms_key:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: true
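The following is an added example, not code from this page or from Datadog's scanner, showing how the rule above can be checked against a parsed playbook. It takes the task list as Python dicts of the shape `yaml.safe_load` returns for the YAML on this page (the sample tasks are constructed to mirror the compliant and non-compliant examples). The module name set, the handling of `state: absent` as "scheduled for deletion", and the assumption that an omitted `enabled` means true (the module's default) are this example's own choices.

```python
"""Check amazon.aws.kms_key tasks for the enable_key_rotation rule (added example)."""
from typing import Any, Dict, List, Optional, Tuple

# Assumption: match the FQCN and the short name used with a `collections:` keyword.
KMS_MODULE_NAMES = ("amazon.aws.kms_key", "kms_key")

_TRUE_STRINGS = {"true", "yes", "on", "1"}


def _as_bool(value: Any, default: bool) -> bool:
    """Coerce YAML/Ansible boolean spellings; anything unrecognised keeps the default."""
    if value is None:
        return default
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() in _TRUE_STRINGS
    return bool(value)


def find_kms_key_args(task: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the module arguments if the task calls amazon.aws.kms_key, else None."""
    for name in KMS_MODULE_NAMES:
        if name in task:
            args = task[name]
            return args if isinstance(args, dict) else {}
    return None


def is_in_scope(args: Dict[str, Any]) -> bool:
    """The rule applies only to enabled keys that are not scheduled for deletion."""
    # Assumption: state: absent or an explicit pending_window means deletion is scheduled.
    if args.get("state", "present") == "absent" or "pending_window" in args:
        return False
    # Assumption: amazon.aws.kms_key treats an omitted `enabled` as true.
    return _as_bool(args.get("enabled"), default=True)


def check_key_rotation(task: Dict[str, Any]) -> str:
    """Classify one task as compliant, non_compliant, or not_applicable."""
    args = find_kms_key_args(task)
    if args is None or not is_in_scope(args):
        return "not_applicable"
    # Missing property and an explicit false are both findings.
    if _as_bool(args.get("enable_key_rotation"), default=False):
        return "compliant"
    return "non_compliant"


def scan_tasks(tasks: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Run the check over a task list and pair each task name with its result."""
    return [(task.get("name", "<unnamed>"), check_key_rotation(task)) for task in tasks]


# Constructed sample: the three tasks from this page as yaml.safe_load would load them,
# plus a key scheduled for deletion, which the rule does not cover.
SAMPLE_TASKS: List[Dict[str, Any]] = [
    {"name": "Update IAM policy on an existing KMS key3",
     "amazon.aws.kms_key": {"alias": "my-kms-key", "state": "present",
                            "enabled": True, "enable_key_rotation": True}},
    {"name": "Update IAM policy on an existing KMS key2",
     "amazon.aws.kms_key": {"alias": "my-kms-key", "state": "present",
                            "enabled": True, "enable_key_rotation": False}},
    {"name": "Update IAM policy on an existing KMS key",
     "amazon.aws.kms_key": {"alias": "my-kms-key", "state": "present",
                            "enabled": True}},
    {"name": "Schedule old key for deletion",
     "amazon.aws.kms_key": {"alias": "old-key", "state": "absent",
                            "pending_window": 7}},
]


if __name__ == "__main__":
    for name, result in scan_tasks(SAMPLE_TASKS):
        print(f"{result:15} {name}")
```

In a real playbook the task list comes from `yaml.safe_load` over the play's `tasks:` (and `block:` / `rescue:` bodies, which this example does not descend into); only tasks in scope produce findings, so keys being deleted are reported as not applicable rather than as false positives.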