Metadata

Id: 133fee21-37ef-45df-a563-4d07edc169f4

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Availability

Description

KMS Customer Master Keys (CMKs) must be usable, as disabled or scheduled-for-deletion keys cannot decrypt data and may cause service outages or data inaccessibility.

In Ansible amazon.aws.kms_key tasks, ensure enabled is defined and set to true, and that pending_window is not defined. Tasks with enabled set to false or with enabled undefined are flagged. Any task that sets pending_window (scheduling the key for deletion) is also flagged because it renders the key unusable after the pending window expires.

Secure example for Ansible:

- name: create KMS key
  amazon.aws.kms_key:
    name: my-key
    description: "Key for encrypting secrets"
    state: present
    enabled: true

Compliant Code Examples

- name: Update IAM policy on an existing KMS key
  amazon.aws.kms_key:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: true

Non-Compliant Code Examples

- name: Update IAM policy on an existing KMS key2
  amazon.aws.kms_key:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    pending_window: 8
- name: Update IAM policy on an existing KMS key1
  amazon.aws.kms_key:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: false
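The rule logic described above, as an added example that is not part of the Datadog scanner or the amazon.aws collection: a small offline checker that walks already-loaded Ansible task dicts (including tasks nested in block/rescue/always) and flags amazon.aws.kms_key tasks with enabled missing or not true, or with pending_window set. The sample tasks are constructed to mirror the page's examples; the acceptance of "yes"/"true" strings and the module-name constant are this example's assumptions.

```python
"""Added example: offline checker for the kms_key usability rule (not Datadog's scanner)."""
from typing import Any, Iterable

KMS_MODULE = "amazon.aws.kms_key"  # module name the rule inspects (assumption: FQCN form only)

def _is_true(value: Any) -> bool:
    # Ansible YAML normally yields a bool; also accept common string spellings (assumption).
    return value is True or str(value).strip().lower() in {"true", "yes"}

def check_kms_key_task(task: dict) -> list[str]:
    """Return findings for one task dict; an empty list means the task is compliant."""
    args = task.get(KMS_MODULE)
    if not isinstance(args, dict):
        return []  # not a kms_key task (or free-form args, which this example does not parse)
    findings = []
    if "enabled" not in args:
        findings.append("enabled is not defined; the rule requires an explicit enabled: true")
    elif not _is_true(args["enabled"]):
        findings.append(f"enabled is {args['enabled']!r}; a disabled key cannot decrypt data")
    if "pending_window" in args:
        findings.append(f"pending_window: {args['pending_window']} schedules the key for deletion")
    return findings

def iter_tasks(tasks: Iterable[dict]) -> Iterable[dict]:
    """Yield tasks, descending into block/rescue/always so nested kms_key tasks are not missed."""
    for task in tasks:
        for section in ("block", "rescue", "always"):
            if isinstance(task.get(section), list):
                yield from iter_tasks(task[section])
        yield task

def scan(tasks: Iterable[dict]) -> dict[str, list[str]]:
    """Map each non-compliant task name to its findings."""
    report = {}
    for task in iter_tasks(tasks):
        findings = check_kms_key_task(task)
        if findings:
            report[task.get("name", "<unnamed task>")] = findings
    return report

# Constructed sample mirroring the page's examples (policy bodies omitted for brevity).
SAMPLE_TASKS = [
    {"name": "compliant key", KMS_MODULE: {"alias": "my-kms-key", "state": "present", "enabled": True}},
    {"name": "scheduled for deletion", KMS_MODULE: {"alias": "my-kms-key", "state": "present", "pending_window": 8}},
    {"name": "disabled key", KMS_MODULE: {"alias": "my-kms-key", "state": "present", "enabled": False}},
    {"name": "nested", "block": [{"name": "enabled undefined", KMS_MODULE: {"alias": "my-kms-key", "state": "present"}}]},
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(findings))
```

In a real pipeline the task list would come from a playbook loaded with PyYAML; the checker only needs the resulting dicts.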