Insecure service configuration - KMS

Need

Enforce automatic key rotation for KMS service

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of AWS KMS Key for encryption and decryption of data

Description

Non compliant code

resource "aws_kms_key" "mykey" {
  description             = "This is my KMS key"
  deletion_window_in_days = 10
  enable_key_rotation     = false
}

The code above is a Terraform configuration for an AWS Key Management Service (KMS) key. The vulnerability lies in the enable_key_rotation attribute, which is set to false. Note that the AWS provider defaults this attribute to false, so a resource that omits it entirely has the same problem.

The enable_key_rotation attribute determines whether AWS KMS rotates the key's backing material every year. When it is set to false, the key material never changes: the same material protects every piece of data encrypted under the key for as long as the key exists, which increases both the likelihood and the blast radius of a compromise.

In the context of AWS KMS, key rotation is a security best practice because it limits the impact of a compromised key: data encrypted after a rotation is protected by new key material that the old material cannot unwrap. (AWS KMS keeps the previous material so that existing ciphertext still decrypts; rotation bounds how much data any single version of the material protects rather than re-encrypting old data, and automatic rotation is available only for symmetric encryption keys.) Without rotation, the infrastructure is more susceptible to key compromise, which can lead to unauthorized access to encrypted data.

Steps

  • Enable automatic key rotation for the KMS key
  • Set the 'enable_key_rotation' attribute to 'true' in the 'aws_kms_key' resource

Compliant code

resource "aws_kms_key" "mykey" {
  description             = "This is my KMS key"
  deletion_window_in_days = 10
  enable_key_rotation     = true
}

The above code is the fixed version of the vulnerable configuration. The vulnerability was that enable_key_rotation was set to false in the aws_kms_key resource, so the key was never rotated automatically; a static key used over a long period is more likely to be compromised.

In the fixed code, enable_key_rotation is set to true, so AWS automatically rotates the key material every year. Because the material changes regularly, the amount of data exposed by any single compromised version of it is bounded.

This is a best practice for managing AWS KMS keys: it ensures keys are not static and are regularly updated, reducing the attack surface available to malicious actors.
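The following scanner, written for this page as an added example and not part of the original content or of any Terraform tooling, detects the non-compliant pattern in Terraform source before it reaches a plan. It finds every aws_kms_key resource in a file and reports three cases: enable_key_rotation explicitly false, the attribute omitted (the provider default is false), and a non-literal value such as a variable reference that needs manual review. The brace matcher skips over quoted strings so a brace inside a description does not break block detection. The sample HCL and resource names are constructed for the example.

```python
"""Flag aws_kms_key resources in Terraform HCL that lack automatic key rotation."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Opening line of an aws_kms_key resource block; group 1 is the resource label.
RESOURCE_RE = re.compile(r'resource\s+"aws_kms_key"\s+"([^"]+)"\s*\{')
# A single-line enable_key_rotation assignment inside a block body.
ATTR_RE = re.compile(r"^\s*enable_key_rotation\s*=\s*(\S+)\s*$", re.MULTILINE)


@dataclass
class Finding:
    name: str    # resource label, e.g. "mykey"
    line: int    # 1-based line of the resource declaration
    reason: str  # why the resource is flagged


def _block_body(text: str, start: int) -> str:
    """Return the text between the brace at text[start] and its matching close.

    Double-quoted strings are skipped so that braces inside descriptions
    (or JSON policy strings) do not unbalance the count.
    """
    depth = 0
    in_string = False
    i = start
    while i < len(text):
        ch = text[i]
        if in_string:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1 : i]
        i += 1
    raise ValueError("unbalanced braces in HCL input")


def find_unrotated_keys(hcl: str) -> list[Finding]:
    """Return one Finding per aws_kms_key resource that is not provably rotated."""
    findings: list[Finding] = []
    for match in RESOURCE_RE.finditer(hcl):
        name = match.group(1)
        line = hcl.count("\n", 0, match.start()) + 1
        body = _block_body(hcl, match.end() - 1)
        attr = ATTR_RE.search(body)
        if attr is None:
            findings.append(Finding(name, line, "enable_key_rotation omitted (provider default is false)"))
        elif attr.group(1) == "false":
            findings.append(Finding(name, line, "enable_key_rotation = false"))
        elif attr.group(1) != "true":
            findings.append(Finding(name, line, f"non-literal value {attr.group(1)!r}; verify it resolves to true"))
    return findings


# Constructed sample: one compliant key, two non-compliant keys, one to review,
# plus an unrelated resource that must be ignored.
SAMPLE_HCL = '''
resource "aws_kms_key" "rotated" {
  description             = "Compliant: rotation on, note the {brace} in this string"
  deletion_window_in_days = 10
  enable_key_rotation     = true
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}

resource "aws_kms_key" "static" {
  description             = "Non-compliant: rotation explicitly off"
  deletion_window_in_days = 10
  enable_key_rotation     = false
}

resource "aws_kms_key" "defaulted" {
  description = "Non-compliant: attribute omitted, provider default is false"
}

resource "aws_kms_key" "parametrised" {
  description         = "Needs review: value comes from a variable"
  enable_key_rotation = var.rotate_keys
}
'''

if __name__ == "__main__":
    for finding in find_unrotated_keys(SAMPLE_HCL):
        print(f"line {finding.line}: aws_kms_key.{finding.name}: {finding.reason}")
```

Run it against a real module by reading the .tf files and passing their contents to find_unrotated_keys; an empty result means every aws_kms_key in the file sets enable_key_rotation to the literal true. For keys already deployed, the same property can be confirmed from the AWS side with `aws kms get-key-rotation-status --key-id <key id>`.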
