High KMS key rotation period

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > High KMS key rotation period

Metadata

Id: cb319d87-b90f-485e-a7e7-f2408380f309

Cloud Provider: Alicloud

Platform: Terraform

Severity: Medium

Category: Secret Management

Learn More

Provider Reference

Description

KMS keys should have automatic rotation enabled, and the rotation period must not exceed one year. This rule converts the resource’s rotation_interval (supports suffixes s, m, h, d) to seconds and flags values greater than 31536000. It also requires automatic_rotation to be set to Enabled; missing or Disabled values are reported. To remediate, set rotation_interval = "365d" and automatic_rotation = "Enabled".

Compliant Code Examples

resource "alicloud_kms_key" "key" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  automatic_rotation      = "Enabled"
  rotation_interval      = "7d"
}

Non-Compliant Code Examples

resource "alicloud_kms_key" "keypos1" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  automatic_rotation      = "Enabled"
  rotation_interval      = "366d"
}

resource "alicloud_kms_key" "keypos1" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  automatic_rotation      = "Enabled"
  rotation_interval      = "31536010s"
}

resource "alicloud_kms_key" "keypos1" {
  description             = "Hello KMS"
  pending_window_in_days  = "7"
  status                  = "Enabled"
  automatic_rotation      = "Disabled"
}