Skip to main content

Insecure service configuration - KMS

Description

The automatic key rotation for the KMS service is disabled. By keeping static keys during long periods the chances to compromise a valid key are higher.

Impact

Increase the chance to get valid keys.

Recommendation

Enable the automatic key rotation for all the service keys.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code madurity: P
  • Remediation level: O
  • Report confidence: R

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:R
  • Score:
    • Base: 3.7
    • Temporal: 3.2
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The resource has automatic key rotation enabled

Resources:
key1:
Type: 'AWS::KMS::Key'
Properties:
Description: An example multi-Region primary key
MultiRegion: true
EnableKeyRotation: true
PendingWindowInDays: 10
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: 'arn:aws:iam::111122223333:root'
Action: 'kms:*'
Resource: '*'
resource "aws_kms_key" "a" {
customer_master_key_spec = "SYMMETRIC_DEFAULT"
description = "KMS key 1"
deletion_window_in_days = 10
enable_key_rotation = true
}

Non compliant code

The resource does not enable automatic key rotation within allowable limits

Resources:
key1:
Type: 'AWS::KMS::Key'
Properties:
Description: An example multi-Region primary key
MultiRegion: true
EnableKeyRotation: false
PendingWindowInDays: 10
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: 'arn:aws:iam::111122223333:root'
Action: 'kms:*'
Resource: '*'
resource "aws_kms_key" "a" {
customer_master_key_spec = "SYMMETRIC_DEFAULT"
description = "KMS key 1"
deletion_window_in_days = 10
enable_key_rotation = false
}

Using the AWS CLI, the following command verifies the Key Rotation flag for a selected CMK

$ aws kms get-key-rotation-status
--key-id {CMK_id}

If command output returns false for the KeyRotationEnabled flag, the service has an insecure configuration

Requirements