terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation

profile photo of semgrepsemgrep
Author
unknown
Download Count*

The AWS KMS has no rotation. Missing rotation can cause leaked key to be used by attackers. To fix this, set a enable_key_rotation.

Run Locally

Run in CI

Defintion

rules:
  - id: aws-kms-no-rotation
    patterns:
      - pattern-either:
          - pattern: |
              resource "aws_kms_key" $ANYTHING {
                ...
                enable_key_rotation = false
                ...
              }
          - pattern: |
              resource "aws_kms_key" $ANYTHING {
                ...
                customer_master_key_spec = "SYMMETRIC_DEFAULT"
                enable_key_rotation = false
                ...
              }
          - pattern: |
              resource "aws_kms_key" $ANYTHING {
                ...
              }
      - pattern-not-inside: |
          resource "aws_kms_key" $ANYTHING {
            ...
            enable_key_rotation = true
            ...
          }
      - pattern-not-inside: |
          resource "aws_kms_key" $ANYTHING {
            ...
            customer_master_key_spec = "RSA_2096"
            ...
          }
    message: The AWS KMS has no rotation. Missing rotation can cause leaked key to
      be used by attackers. To fix this, set a `enable_key_rotation`.
    languages:
      - hcl
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      technology:
        - aws
        - terraform
      category: security
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues

Examples

aws-kms-no-rotation.tf

resource "aws_kms_key" "pass1" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
  enable_key_rotation = true
}

resource "aws_kms_key" "pass2" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
  customer_master_key_spec = "RSA_2096"
}

resource "aws_kms_key" "pass3" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation = true
}
# ruleid: aws-kms-no-rotation
resource "aws_kms_key" "fail1" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
}
# ruleid: aws-kms-no-rotation
resource "aws_kms_key" "fail2" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
  enable_key_rotation = false
}
# ruleid: aws-kms-no-rotation
resource "aws_kms_key" "fail3" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation = false
}
# ruleid: aws-kms-no-rotation
resource "aws_kms_key" "fail4" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
}