AWS KMS Customer Master Keys (CMKs) must have automatic key rotation enabled to limit the exposure of long-lived cryptographic keys and reduce the impact if a key is compromised.
This rule applies to AWS::KMS::Key resources that are enabled (Properties.Enabled set to true) and not pending deletion. Such keys must define Properties.EnableKeyRotation set to true. Resources missing EnableKeyRotation or with EnableKeyRotation set to false will be flagged. Keys that have Properties.PendingWindowInDays defined (indicating pending deletion) are excluded from this requirement.
Compliant Code Examples

```yaml
# this code is a correct code for which the query should not find any result
Resources:
  myKey:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: AWS::AccountId
                    - ':root'
            Action: kms:*
            Resource: '*'
      Tags:
        - Key:
            Ref: Key
          Value:
            Ref: Value
Parameters:
  Key:
    Type: String
  Value:
    Type: String
```
```json
{
  "Resources": {
    "myKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Enabled": true,
        "EnableKeyRotation": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": ["", ["arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":root"]]
                }
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        },
        "Tags": [
          { "Key": { "Ref": "Key" }, "Value": { "Ref": "Value" } }
        ]
      }
    }
  },
  "Parameters": {
    "Key": { "Type": "String" },
    "Value": { "Type": "String" }
  }
}
```
Non-Compliant Code Examples
```yaml
# this is a problematic code where the query should report a result(s)
Resources:
  myKey:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: AWS::AccountId
                    - ':root'
            Action: kms:*
            Resource: '*'
      Tags:
        - Key:
            Ref: Key
          Value:
            Ref: Value
  myKey2:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      EnableKeyRotation: false
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: AWS::AccountId
                    - ':root'
            Action: kms:*
            Resource: '*'
      Tags:
        - Key:
            Ref: Key
          Value:
            Ref: Value
Parameters:
  Key:
    Type: String
  Value:
    Type: String
```
```json
{
  "Resources": {
    "myKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Enabled": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": ["", ["arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":root"]]
                }
              },
              "Action": "kms:*",
              "Resource": "*",
              "Sid": "Enable IAM User Permissions"
            }
          ]
        },
        "Tags": [
          { "Key": { "Ref": "Key" }, "Value": { "Ref": "Value" } }
        ]
      }
    },
    "myKey2": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Enabled": true,
        "EnableKeyRotation": false,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": ["", ["arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":root"]]
                }
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        },
        "Tags": [
          { "Key": { "Ref": "Key" }, "Value": { "Ref": "Value" } }
        ]
      }
    }
  },
  "Parameters": {
    "Key": { "Type": "String" },
    "Value": { "Type": "String" }
  }
}
```
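The scoping logic described above (enabled keys, not pending deletion, EnableKeyRotation must be true) as a small standalone checker over a CloudFormation template in JSON form. This is an added example, not Datadog's rule implementation; the template and its logical IDs are constructed for illustration.

```python
import json

# Constructed CloudFormation template (JSON form) covering each case the rule describes.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "noRotation":    {"Type": "AWS::KMS::Key", "Properties": {"Enabled": true}},
    "rotationOff":   {"Type": "AWS::KMS::Key", "Properties": {"Enabled": true, "EnableKeyRotation": false}},
    "rotationOn":    {"Type": "AWS::KMS::Key", "Properties": {"Enabled": true, "EnableKeyRotation": true}},
    "pendingDelete": {"Type": "AWS::KMS::Key", "Properties": {"Enabled": true, "PendingWindowInDays": 7}},
    "disabledKey":   {"Type": "AWS::KMS::Key", "Properties": {"Enabled": false}},
    "notAKey":       {"Type": "AWS::S3::Bucket", "Properties": {}}
  }
}
""")


def is_true(value) -> bool:
    """Accept both the boolean and the string spelling CloudFormation allows."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def in_scope(props: dict) -> bool:
    """Rule scope as stated on the page: Enabled set to true and no PendingWindowInDays."""
    return is_true(props.get("Enabled")) and "PendingWindowInDays" not in props


def find_keys_without_rotation(template: dict) -> list:
    """Return logical IDs of in-scope AWS::KMS::Key resources lacking EnableKeyRotation: true."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::KMS::Key":
            continue
        props = resource.get("Properties") or {}
        if not in_scope(props):
            continue
        # Missing EnableKeyRotation and EnableKeyRotation: false are both violations.
        if not is_true(props.get("EnableKeyRotation")):
            findings.append(logical_id)
    return findings


if __name__ == "__main__":
    for key_id in find_keys_without_rotation(SAMPLE_TEMPLATE):
        print(f"{key_id}: AWS::KMS::Key without EnableKeyRotation: true")
```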
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```