Metadata

Id: af96d737-0818-4162-8c41-40d969bd65d1

Cloud Provider: AWS

Platform: Ansible

Severity: Low

Category: Observability

Description

Customer Master Keys (CMKs) must have automatic key rotation enabled to limit how long a compromised key can be used and to meet key lifecycle and compliance requirements.

In Ansible, for tasks using the amazon.aws.kms_key module, when enabled: true is set and the key is not scheduled for deletion (no pending_window defined), the enable_key_rotation property must be present and set to true. Tasks that omit enable_key_rotation, or that set enable_key_rotation: false, are flagged as misconfigured.

Secure configuration example:

- name: Create CMK with rotation enabled
  amazon.aws.kms_key:
    name: my-key
    enabled: true
    enable_key_rotation: true
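The rule above, implemented as a small standalone checker (an added example, not Datadog's or the amazon.aws collection's code). It operates on tasks that have already been parsed from YAML into dicts, so it needs no YAML library; the truthy-string handling and the sample tasks are constructed assumptions.

```python
# Checker for the rule above: an amazon.aws.kms_key task with enabled: true
# and no pending_window must set enable_key_rotation: true. Tasks are passed
# as already-parsed YAML (a list of dicts), so no YAML library is needed.

MODULE = "amazon.aws.kms_key"

def _is_true(value) -> bool:
    # Accept a bool plus the string spellings Ansible/Jinja commonly yield
    # (assumption: the rule text itself only names the literal `true`).
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "yes", "on", "1")

def task_is_noncompliant(task: dict) -> bool:
    """True if the task matches the misconfiguration described in the rule."""
    args = task.get(MODULE)
    if not isinstance(args, dict):
        return False                       # not a kms_key task
    if not _is_true(args.get("enabled", False)):
        return False                       # rule only applies to enabled keys
    if "pending_window" in args:
        return False                       # scheduled for deletion: exempt
    # Missing property or any value other than true is a finding.
    return not _is_true(args.get("enable_key_rotation", False))

def find_noncompliant(tasks: list) -> list:
    """Names of tasks that fail the check, in playbook order."""
    return [t.get("name", "<unnamed>") for t in tasks if task_is_noncompliant(t)]

# Constructed sample tasks mirroring the examples on this page, plus a key
# scheduled for deletion to exercise the pending_window exemption.
SAMPLE_TASKS = [
    {"name": "Update IAM policy on an existing KMS key3",
     MODULE: {"alias": "my-kms-key", "state": "present",
              "enabled": True, "enable_key_rotation": True}},
    {"name": "Update IAM policy on an existing KMS key2",
     MODULE: {"alias": "my-kms-key", "state": "present",
              "enabled": True, "enable_key_rotation": False}},
    {"name": "Update IAM policy on an existing KMS key",
     MODULE: {"alias": "my-kms-key", "state": "present", "enabled": True}},
    {"name": "Schedule old key for deletion",
     MODULE: {"alias": "old-key", "state": "absent",
              "enabled": True, "pending_window": 7}},
]

if __name__ == "__main__":
    for name in find_noncompliant(SAMPLE_TASKS):
        print(f"NON-COMPLIANT: {name}")
```

Running it against SAMPLE_TASKS reports the two tasks that correspond to this page's non-compliant examples and nothing else.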

Compliant Code Examples

- name: Update IAM policy on an existing KMS key3
  amazon.aws.kms_key:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: true
    enable_key_rotation: true

Non-Compliant Code Examples

- name: Update IAM policy on an existing KMS key2
  amazon.aws.kms_key:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: true
    enable_key_rotation: false
- name: Update IAM policy on an existing KMS key
  amazon.aws.kms_key:
    alias: my-kms-key
    policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { <SOME STATEMENT> } ]}'
    state: present
    enabled: true