CMK rotation disabled

문서 > Datadog 보안 > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > CMK rotation disabled

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: 22fbfeac-7b5a-421a-8a27-7a2178bb910b

Cloud Provider: aws

Framework: Terraform

Severity: Low

Category: Observability

Learn More

Provider Reference

Description

Customer Master Keys (CMKs) created using AWS Key Management Service (KMS) should have automatic key rotation enabled to enhance cryptographic security. Failing to set the enable_key_rotation attribute to true may increase the risk of key compromise, as cryptographic keys used over extended periods are more susceptible to brute-force or other attacks. Enabling rotation ensures the key material is automatically replaced annually, reducing exposure and supporting compliance with security best practices.

resource "aws_kms_key" "example" {
  description         = "KMS key with rotation enabled"
  is_enabled          = true
  enable_key_rotation = true
}

Compliant Code Examples

resource "aws_kms_key" "negative3" {
  description              = "KMS key 3"
  customer_master_key_spec = "RSA_2048"
}

resource "aws_kms_key" "negative2" {
  description              = "KMS key 2"
  customer_master_key_spec = "RSA_4096"
}

resource "aws_kms_key" "negative1" {
  description         = "KMS key 1"
  is_enabled          = true
  enable_key_rotation = true
}

Non-Compliant Code Examples

resource "aws_kms_key" "positive2" {
  description         = "KMS key 2"
  is_enabled          = true
  enable_key_rotation = false
}

resource "aws_kms_key" "positive3" {
  description              = "KMS key 3"
  is_enabled               = true
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation      = false
}

resource "aws_kms_key" "positive4" {
  description              = "KMS key 4"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation      = false
}