CMK is unusable

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > CMK is unusable

Metadata

Id: ed6e3ba0-278f-47b6-a1f5-173576b40b7e

Cloud Provider: Alicloud

Platform: Terraform

Severity: Medium

Category: Availability

Learn More

Provider Reference

Description

Alicloud KMS must only include enabled Customer Master Keys (CMKs). This rule flags alicloud_kms_key resources when:

is_enabled is explicitly set to false (IncorrectValue), or
is_enabled is missing (MissingAttribute)

To remediate, set or update is_enabled = true.

Compliant Code Examples

resource "alicloud_kms_key" "key" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  is_enabled              = true
}

Non-Compliant Code Examples

resource "alicloud_kms_key" "key" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  is_enabled              = false
}

resource "alicloud_kms_key" "key" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
}