For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-cmk-is-unusable.md.
AWS KMS Customer Master Keys (CMKs, now called KMS keys) used by your stack must be usable so that encrypted data can be decrypted and cryptographic operations succeed. A disabled key, or a key scheduled for deletion, can cause decryption failures, service outages, or permanent loss of the data it protects: once a pending deletion completes, nothing encrypted under the key can be recovered.
In CloudFormation, an AWS::KMS::Key resource must set Properties.Enabled to true and must not define Properties.PendingWindowInDays. A resource that omits Enabled, or sets it to false, is flagged as unusable (CloudFormation defaults a missing Enabled to true, but the rule requires the value to be explicit). A resource that defines PendingWindowInDays is flagged as well: that property sets the waiting period before KMS deletes the key once it is removed from the stack, so its presence signals a key that is intended for deletion.
Secure example (enable the key and omit pending-deletion settings):

```yaml
MyKey:
  Type: AWS::KMS::Key
  Properties:
    Enabled: true
```
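The check described above, as an added stand-alone script that is not Datadog's rule implementation. It reads a CloudFormation template in JSON form (YAML templates would additionally need a loader that understands the `!Ref`/`!Join` short tags, which is out of scope here) and reports every AWS::KMS::Key whose Enabled is missing or not a literal true, or that defines PendingWindowInDays. It goes one step beyond the page by treating an Enabled value supplied through an intrinsic such as `{"Ref": "KeyEnabled"}` (a hypothetical parameter name) as unresolvable and therefore reportable, since the key's state cannot be known from the template alone. The sample templates are constructed inline, trimmed from the page's examples.

```python
"""Stand-alone checker for the "CMK is unusable" rule (added example, not Datadog's code)."""
import json

KMS_KEY_TYPE = "AWS::KMS::Key"


def _is_literal_true(value):
    """True only for the boolean true or the string "true" (case-insensitive).

    A Ref/Fn::* intrinsic arrives as a dict; it cannot be resolved statically,
    so it is treated as not-true and the key gets reported for review.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def find_unusable_kms_keys(template):
    """Return (logical_id, reason) pairs for every AWS::KMS::Key the rule flags."""
    findings = []
    resources = template.get("Resources") or {}
    for logical_id, resource in resources.items():
        if resource.get("Type") != KMS_KEY_TYPE:
            continue  # other resource types are out of scope for this rule
        props = resource.get("Properties") or {}
        if "Enabled" not in props:
            findings.append((logical_id, "Enabled is not set"))
        elif not _is_literal_true(props["Enabled"]):
            findings.append((logical_id, f"Enabled is {props['Enabled']!r}, not true"))
        if "PendingWindowInDays" in props:
            findings.append(
                (logical_id, f"PendingWindowInDays is defined ({props['PendingWindowInDays']!r})")
            )
    return findings


def check_template_text(text):
    """Parse a JSON-format template and run the check (use with a file's contents)."""
    return find_unusable_kms_keys(json.loads(text))


# Constructed sample input: the page's compliant template, trimmed.
COMPLIANT_TEMPLATE = """
{"Resources": {"myKey": {"Type": "AWS::KMS::Key",
  "Properties": {"Enabled": true,
    "KeyPolicy": {"Version": "2012-10-17", "Statement": [
      {"Effect": "Allow", "Action": "kms:*", "Resource": "*",
       "Principal": {"AWS": {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":root"]]}}}]}}}}}
"""

# Constructed sample input: the page's two non-compliant keys plus two extra
# cases (Enabled omitted; Enabled fed by a hypothetical parameter "KeyEnabled")
# and an unrelated resource that must not be flagged.
NON_COMPLIANT_TEMPLATE = """
{"Resources": {
  "myKey":  {"Type": "AWS::KMS::Key", "Properties": {"Enabled": false}},
  "myKey2": {"Type": "AWS::KMS::Key", "Properties": {"Enabled": true, "PendingWindowInDays": 7}},
  "myKey3": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {}}},
  "myKey4": {"Type": "AWS::KMS::Key", "Properties": {"Enabled": {"Ref": "KeyEnabled"}}},
  "myBucket": {"Type": "AWS::S3::Bucket", "Properties": {"Enabled": false}}}}
"""


if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT_TEMPLATE), ("non-compliant", NON_COMPLIANT_TEMPLATE)):
        findings = check_template_text(text)
        print(f"{name}: {len(findings)} finding(s)")
        for logical_id, reason in findings:
            print(f"  {logical_id}: {reason}")
```

Running the script reports nothing for the compliant template and four findings for the non-compliant one (myKey, myKey2, myKey3, myKey4); the S3 bucket is skipped because the rule only inspects AWS::KMS::Key resources.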
Compliant Code Examples
```yaml
# this code is a correct code for which the query should not find any result
Resources:
  myKey:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: AWS::AccountId
                    - :root
            Action: kms:*
            Resource: '*'
      Tags:
        - Key:
            Ref: Key
          Value:
            Ref: Value
Parameters:
  Key:
    Type: String
  Value:
    Type: String
```
```json
{
  "Resources": {
    "myKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Enabled": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": ["", ["arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":root"]]
                }
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        },
        "Tags": [
          { "Key": { "Ref": "Key" }, "Value": { "Ref": "Value" } }
        ]
      }
    }
  },
  "Parameters": {
    "Key": { "Type": "String" },
    "Value": { "Type": "String" }
  }
}
```
Non-Compliant Code Examples
```yaml
# this is a problematic code where the query should report a result(s)
Resources:
  myKey:
    Type: AWS::KMS::Key
    Properties:
      Enabled: false
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: AWS::AccountId
                    - :root
            Action: kms:*
            Resource: '*'
      Tags:
        - Key:
            Ref: Key
          Value:
            Ref: Value
  myKey2:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      PendingWindowInDays: 7
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: AWS::AccountId
                    - :root
            Action: kms:*
            Resource: '*'
      Tags:
        - Key:
            Ref: Key
          Value:
            Ref: Value
Parameters:
  Key:
    Type: String
  Value:
    Type: String
```
```json
{
  "Resources": {
    "myKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Enabled": false,
        "KeyPolicy": {
          "Id": "key-default-1",
          "Statement": [
            {
              "Resource": "*",
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": ["", ["arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":root"]]
                }
              },
              "Action": "kms:*"
            }
          ],
          "Version": "2012-10-17"
        },
        "Tags": [
          { "Key": { "Ref": "Key" }, "Value": { "Ref": "Value" } }
        ]
      }
    },
    "myKey2": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Tags": [
          { "Key": { "Ref": "Key" }, "Value": { "Ref": "Value" } }
        ],
        "Enabled": true,
        "PendingWindowInDays": 7,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": ["", ["arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":root"]]
                }
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        }
      }
    }
  },
  "Parameters": {
    "Key": { "Type": "String" },
    "Value": { "Type": "String" }
  }
}
```
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```