diff --git a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/query.rego b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/query.rego
index 0f4f89c21c4..3daed6d54f8 100644
--- a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/query.rego
+++ b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/query.rego
@@ -6,7 +6,9 @@ import data.generic.cloudformation as cf_lib
 CxPolicy[result] {
 	resources := input.document[i].Resources[name]
 	resources.Type == "AWS::KMS::Key"
-	cf_lib.isCloudFormationFalse(resources.Properties.EnableKeyRotation)
+	properties := resources.Properties
+	rotation_eligible(properties)
+	cf_lib.isCloudFormationFalse(properties.EnableKeyRotation)
 
 	result := {
 		"documentId": input.document[i].id,
@@ -23,6 +25,7 @@ CxPolicy[result] {
 	resources := input.document[i].Resources[name]
 	resources.Type == "AWS::KMS::Key"
 	properties := resources.Properties
+	rotation_eligible(properties)
 	not common_lib.valid_key(properties, "EnableKeyRotation")
 
 	result := {
@@ -35,3 +38,28 @@ CxPolicy[result] {
 		"keyActualValue": sprintf("Resources.%s.Properties.EnableKeyRotation is undefined", [name]),
 	}
 }
+
+# AWS automatic key rotation only applies to symmetric encryption keys whose key
+# material was generated by KMS. Asymmetric keys, HMAC keys and keys with an
+# imported (EXTERNAL) key origin do not support EnableKeyRotation, so they must
+# not be flagged here.
+rotation_eligible(properties) {
+	key_spec(properties) == "SYMMETRIC_DEFAULT"
+	key_origin(properties) != "EXTERNAL"
+}
+
+# KeySpec defaults to SYMMETRIC_DEFAULT when it is not set.
+key_spec(properties) = spec {
+	common_lib.valid_key(properties, "KeySpec")
+	spec := upper(properties.KeySpec)
+} else = "SYMMETRIC_DEFAULT" {
+	true
+}
+
+# Origin defaults to AWS_KMS (KMS-generated material) when it is not set.
+key_origin(properties) = origin {
+	common_lib.valid_key(properties, "Origin")
+	origin := upper(properties.Origin)
+} else = "AWS_KMS" {
+	true
+}
diff --git a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/negative4.yaml b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/negative4.yaml
new file mode 100644
index 00000000000..e38b8347fdc
--- /dev/null
+++ b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/negative4.yaml
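Review bot: `rotation_eligible` still treats keys in custom key stores as rotation-eligible, because `key_origin(properties) != "EXTERNAL"` only excludes imported material, while the `AWS::KMS::Key` `Origin` property also accepts `AWS_CLOUDHSM` and `EXTERNAL_KEY_STORE`, and KMS does not support automatic rotation for keys in custom key stores either, so such templates are still flagged as false positives. Since the helper's own comment states that rotation applies only to material generated by KMS, compare against that directly, `key_origin(properties) == "AWS_KMS"`, which also holds up if AWS adds further non-rotatable origins. A secondary point, hedged: `upper(properties.KeySpec)` and `upper(properties.Origin)` are undefined when the value is a CloudFormation intrinsic such as `!Ref`, which under OPA's default non-strict builtin-error handling silently falls through to the `else` default and flags the key; an explicit `is_string(properties.KeySpec)` guard in the first rule body would make that fail-closed choice visible to the next reader rather than relying on builtin-error semantics. Keys the helper now excludes still require manual rotation, which is worth stating in the query's description so the suppressed finding is not mistaken for compliance.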
@@ -0,0 +1,36 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: A sample template
+Resources:
+  myAsymmetricKey:
+    Type: AWS::KMS::Key
+    Properties:
+      Description: An example asymmetric CMK that cannot use automatic rotation
+      KeySpec: RSA_2048
+      KeyUsage: ENCRYPT_DECRYPT
+      EnableKeyRotation: false
+      KeyPolicy:
+        Version: '2012-10-17'
+        Id: key-default-1
+        Statement:
+          - Sid: Enable IAM User Permissions
+            Effect: Allow
+            Principal:
+              AWS: arn:aws:iam::111122223333:root
+            Action: kms:*
+            Resource: '*'
+  myAsymmetricKeyNoRotationField:
+    Type: AWS::KMS::Key
+    Properties:
+      Description: An example asymmetric CMK with no EnableKeyRotation property
+      KeySpec: ECC_NIST_P256
+      KeyUsage: SIGN_VERIFY
+      KeyPolicy:
+        Version: '2012-10-17'
+        Id: key-default-1
+        Statement:
+          - Sid: Enable IAM User Permissions
+            Effect: Allow
+            Principal:
+              AWS: arn:aws:iam::111122223333:root
+            Action: kms:*
+            Resource: '*'
diff --git a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/negative5.json b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/negative5.json
new file mode 100644
index 00000000000..9019e85c171
--- /dev/null
+++ b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/negative5.json
@@ -0,0 +1,53 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+  "Description": "A sample template",
+  "Resources": {
+    "myHmacKey": {
+      "Type": "AWS::KMS::Key",
+      "Properties": {
+        "Description": "An HMAC key does not support automatic rotation",
+        "KeySpec": "HMAC_256",
+        "KeyUsage": "GENERATE_VERIFY_MAC",
+        "EnableKeyRotation": false,
+        "KeyPolicy": {
+          "Version": "2012-10-17",
+          "Id": "key-default-1",
+          "Statement": [
+            {
+              "Sid": "Enable IAM User Permissions",
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "arn:aws:iam::111122223333:root"
+              },
+              "Action": "kms:*",
+              "Resource": "*"
+            }
+          ]
+        }
+      }
+    },
+    "myExternalKey": {
+      "Type": "AWS::KMS::Key",
+      "Properties": {
+        "Description": "A symmetric key with imported material cannot use automatic rotation",
+        "KeySpec": "SYMMETRIC_DEFAULT",
+        "Origin": "EXTERNAL",
+        "KeyPolicy": {
+          "Version": "2012-10-17",
+          "Id": "key-default-1",
+          "Statement": [
+            {
+              "Sid": "Enable IAM User Permissions",
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "arn:aws:iam::111122223333:root"
+              },
+              "Action": "kms:*",
+              "Resource": "*"
+            }
+          ]
+        }
+      }
+    }
+  }
+}
diff --git a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive4.yaml b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive4.yaml
new file mode 100644
index 00000000000..bac4a0b7ae5
--- /dev/null
+++ b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive4.yaml
@@ -0,0 +1,36 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: A sample template
+Resources:
+  mySymmetricKeyRotationOff:
+    Type: AWS::KMS::Key
+    Properties:
+      Description: A symmetric key with KeySpec set explicitly and rotation disabled
+      KeySpec: SYMMETRIC_DEFAULT
+      EnableKeyRotation: false
+      KeyPolicy:
+        Version: '2012-10-17'
+        Id: key-default-1
+        Statement:
+          - Sid: Enable IAM User Permissions
+            Effect: Allow
+            Principal:
+              AWS: arn:aws:iam::111122223333:root
+            Action: kms:*
+            Resource: '*'
+  mySymmetricKeyNoRotation:
+    Type: AWS::KMS::Key
+    Properties:
+      Description: A symmetric key with KeySpec and AWS_KMS origin, rotation disabled
+      KeySpec: SYMMETRIC_DEFAULT
+      Origin: AWS_KMS
+      EnableKeyRotation: false
+      KeyPolicy:
+        Version: '2012-10-17'
+        Id: key-default-1
+        Statement:
+          - Sid: Enable IAM User Permissions
+            Effect: Allow
+            Principal:
+              AWS: arn:aws:iam::111122223333:root
+            Action: kms:*
+            Resource: '*'
diff --git a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json
index 4482b431b9a..f01e4b87ee0 100644
--- a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json
@@ -34,5 +34,17 @@
     "severity": "MEDIUM",
     "line": 51,
     "fileName": "positive3.yaml"
+  },
+  {
+    "queryName": "KMS Key Rotation Disabled",
+    "severity": "MEDIUM",
+    "line": 9,
+    "fileName": "positive4.yaml"
+  },
+  {
+    "queryName": "KMS Key Rotation Disabled",
+    "severity": "MEDIUM",
+    "line": 26,
+    "fileName": "positive4.yaml"
   }
 ]