Metadata

Id: cb319d87-b90f-485e-a7e7-f2408380f309

Cloud Provider: Alicloud

Platform: Terraform

Severity: Medium

Category: Secret Management

Description

KMS keys should have automatic rotation enabled, and the rotation period must not exceed one year. This rule converts the resource’s rotation_interval (supports suffixes s, m, h, d) to seconds and flags values greater than 31536000. It also requires automatic_rotation to be set to Enabled; missing or Disabled values are reported. To remediate, set rotation_interval = "365d" and automatic_rotation = "Enabled".

Compliant Code Examples

resource "alicloud_kms_key" "key" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  automatic_rotation      = "Enabled"
  rotation_interval       = "7d"
}

Non-Compliant Code Examples

resource "alicloud_kms_key" "keypos1" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  automatic_rotation      = "Enabled"
  rotation_interval       = "366d"
}

resource "alicloud_kms_key" "keypos1" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  automatic_rotation      = "Enabled"
  rotation_interval       = "31536010s"
}

resource "alicloud_kms_key" "keypos1" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  automatic_rotation      = "Disabled"
}
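
The check from the Description, applied to the attribute values of the examples above, as an added Python sketch (not the rule's own implementation). The function names, the sample labels and the handling of a malformed interval are assumptions made for this example.

```python
import re

MAX_ROTATION_SECONDS = 31536000  # one-year threshold stated in the rule
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
INTERVAL_RE = re.compile(r"([0-9]+)([smhd])")


def interval_to_seconds(value):
    """Convert a rotation_interval such as "7d" to seconds; None if malformed."""
    match = INTERVAL_RE.fullmatch(str(value).strip())
    if match is None:
        return None
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def check_kms_key(attrs):
    """Return the findings for one alicloud_kms_key attribute map."""
    findings = []
    rotation = attrs.get("automatic_rotation")
    if rotation != "Enabled":
        # Missing and "Disabled" are both reported, as the rule describes.
        findings.append(f"automatic_rotation is {rotation!r}, expected 'Enabled'")
    interval = attrs.get("rotation_interval")
    if interval is not None:
        seconds = interval_to_seconds(interval)
        if seconds is None:
            # Assumption: a malformed interval is reported, not skipped.
            findings.append(f"rotation_interval {interval!r} is malformed")
        elif seconds > MAX_ROTATION_SECONDS:
            findings.append(f"rotation_interval {interval!r} is {seconds}s, over one year")
    return findings


# Constructed sample: attribute values from the page's examples plus the
# 365d boundary. The dictionary keys are labels made up for this example.
SAMPLES = {
    "compliant_7d": {"automatic_rotation": "Enabled", "rotation_interval": "7d"},
    "boundary_365d": {"automatic_rotation": "Enabled", "rotation_interval": "365d"},
    "over_366d": {"automatic_rotation": "Enabled", "rotation_interval": "366d"},
    "over_31536010s": {"automatic_rotation": "Enabled", "rotation_interval": "31536010s"},
    "rotation_disabled": {"automatic_rotation": "Disabled"},
}


def scan(resources):
    """Map each resource label to its list of findings."""
    return {name: check_kms_key(attrs) for name, attrs in resources.items()}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

The 365d case converts to exactly 31536000 seconds and passes, because the rule flags only values greater than the threshold.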