Metadata

Id: 0b530315-0ea4-497f-b34c-4ff86268f59d

Cloud Provider: AWS

Platform: Terraform

Severity: Low

Category: Observability

Description

When creating an AWS KMS key using Terraform, the deletion_window_in_days attribute specifies the waiting period before a key is permanently deleted after a deletion request. If this attribute is not set or is configured with an excessively high value, such as deletion_window_in_days = 31, it can delay key deletion and increase exposure to accidental or malicious use if a compromised key remains active for longer than necessary. Setting a minimal but valid window, such as deletion_window_in_days = 10, reduces this risk by ensuring that keys are deleted more promptly after they are scheduled for removal.

Compliant Code Examples

resource "aws_kms_key" "negative1" {
  description             = "KMS key 1"
  is_enabled              = true
  enable_key_rotation     = true
  deletion_window_in_days = 10
}

Non-Compliant Code Examples

resource "aws_kms_key" "positive1" {
  description         = "KMS key 1"
  is_enabled          = true
  enable_key_rotation = true
}


resource "aws_kms_key" "positive2" {
  description             = "KMS key 1"
  is_enabled              = true
  enable_key_rotation     = true
  deletion_window_in_days = 31
}
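The following is an added example, not part of this rule page and not the Datadog or KICS implementation of the check. It is a small Python scanner that applies the rule described above to Terraform text: it flags an aws_kms_key resource whose deletion_window_in_days is unset or above a cutoff. AWS KMS accepts a waiting period of 7 to 30 days and Terraform defaults the attribute to 30 when it is omitted, so the cutoff used here is 30 days; the rule page itself names no numeric threshold, so treating values above 30 as "excessively high" is this example's assumption. The sample HCL is constructed from the three resources shown on this page, and the parser is deliberately simplified (it expects each resource's closing brace at column 0 and only evaluates integer literals).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# AWS KMS deletion waiting period limits (days, inclusive).
MIN_WINDOW_DAYS = 7
MAX_WINDOW_DAYS = 30  # also Terraform's default when the attribute is omitted

# Simplified HCL matching: one aws_kms_key resource block, body up to a
# closing brace at column 0. Assumption: nested blocks (e.g. tags = {...})
# close with an indented brace, so they do not terminate the match early.
RESOURCE_RE = re.compile(
    r'resource\s+"aws_kms_key"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
# Any assignment to the attribute; the raw value is evaluated separately so
# that non-literal values (var.x, local.y) can be reported rather than
# mistaken for "unset".
ATTR_RE = re.compile(
    r'^[ \t]*deletion_window_in_days[ \t]*=[ \t]*(?P<raw>[^\n#]+)', re.MULTILINE
)


@dataclass
class Finding:
    resource: str
    value: Optional[int]
    message: str


def check_kms_deletion_window(hcl: str, max_days: int = MAX_WINDOW_DAYS) -> List[Finding]:
    """Return one Finding per aws_kms_key resource that violates the rule."""
    findings: List[Finding] = []
    for m in RESOURCE_RE.finditer(hcl):
        name, body = m.group("name"), m.group("body")
        attr = ATTR_RE.search(body)
        if attr is None:
            findings.append(Finding(
                name, None,
                f"deletion_window_in_days is not set (defaults to {MAX_WINDOW_DAYS} days)"))
            continue
        raw = attr.group("raw").strip()
        if not raw.isdigit():
            # Variable or expression: cannot be evaluated statically here.
            findings.append(Finding(
                name, None, f"deletion_window_in_days = {raw} is not a literal; review manually"))
            continue
        value = int(raw)
        if value > max_days:
            findings.append(Finding(
                name, value, f"deletion_window_in_days = {value} exceeds {max_days} days"))
        elif value < MIN_WINDOW_DAYS:
            # Below the AWS minimum; terraform apply would reject this value.
            findings.append(Finding(
                name, value, f"deletion_window_in_days = {value} is below the AWS minimum of {MIN_WINDOW_DAYS}"))
    return findings


# Constructed sample input, reproducing the page's compliant and non-compliant resources.
SAMPLE_HCL = '''
resource "aws_kms_key" "negative1" {
  description             = "KMS key 1"
  is_enabled              = true
  enable_key_rotation     = true
  deletion_window_in_days = 10
}

resource "aws_kms_key" "positive1" {
  description         = "KMS key 1"
  is_enabled          = true
  enable_key_rotation = true
}

resource "aws_kms_key" "positive2" {
  description             = "KMS key 1"
  is_enabled              = true
  enable_key_rotation     = true
  deletion_window_in_days = 31
}
'''


def flagged_resources(hcl: str) -> List[str]:
    """Names of resources with findings, in file order."""
    return [f.resource for f in check_kms_deletion_window(hcl)]


if __name__ == "__main__":
    for f in check_kms_deletion_window(SAMPLE_HCL):
        print(f"[LOW] aws_kms_key.{f.resource}: {f.message}")
```

Run against the sample, the scanner reports positive1 (attribute missing) and positive2 (31 days) and stays silent on negative1. For real code bases, swap the regex matching for a proper HCL parser such as python-hcl2; the regex is only adequate for the flat resource blocks shown on this page.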