Given the following resource, kics will report issue "KMS Key Rotation Disabled"
```yaml
myKey:
  Type: AWS::KMS::Key
  Properties:
    Description: An example asymmetric CMK
    EnableKeyRotation: false
    KeyUsage: "SIGN_VERIFY"
    KeySpec: "ECC_NIST_P256"
```
AWS documentation (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-enablekeyrotation) states:
AWS KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false.
Expected Behavior
"KMS Key Rotation Disabled" is reported only on symmetric encryption keys that support EnableKeyRotation=True
"KMS Key Rotation Disabled" is not reported on ineligible keys - i.e. asymmetric keys, EXTERNAL Origin keys, HMAC keys
Actual Behavior
"KMS Key Rotation Disabled" is reported as an issue on asymmetric keys
Steps to Reproduce the Problem
Scan CloudFormation template containing resource:
```yaml
myKey:
  Type: AWS::KMS::Key
  Properties:
    Description: An example asymmetric CMK
    EnableKeyRotation: false
    KeyUsage: "SIGN_VERIFY"
    KeySpec: "ECC_NIST_P256"
```
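For reference, here is the eligibility rule the expected behavior above describes, written out as a small Python check over CloudFormation resources. This is an added example, not the kics query itself: it assumes resources are already parsed into dicts (the sample below is constructed and includes the asymmetric key from this report), and it applies the AWS::KMS::Key defaults from the CloudFormation reference (KeySpec SYMMETRIC_DEFAULT, KeyUsage ENCRYPT_DECRYPT, Origin AWS_KMS, EnableKeyRotation false). Only a symmetric encryption key with KMS-generated material and rotation not enabled is reported; asymmetric, HMAC and EXTERNAL-origin keys are skipped.

```python
# Added example (not the kics query): the eligibility logic the
# "KMS Key Rotation Disabled" check should apply to AWS::KMS::Key resources.
# Defaults follow the CloudFormation AWS::KMS::Key reference: KeySpec defaults
# to SYMMETRIC_DEFAULT, KeyUsage to ENCRYPT_DECRYPT, Origin to AWS_KMS and
# EnableKeyRotation to false.

KMS_KEY_TYPE = "AWS::KMS::Key"


def rotation_eligible(props):
    """Return True only for keys AWS KMS can rotate automatically:
    symmetric encryption keys whose material is generated by KMS."""
    key_spec = props.get("KeySpec", "SYMMETRIC_DEFAULT")
    key_usage = props.get("KeyUsage", "ENCRYPT_DECRYPT")
    origin = props.get("Origin", "AWS_KMS")
    if key_spec != "SYMMETRIC_DEFAULT":
        return False  # asymmetric (RSA_*, ECC_*) and HMAC_* specs
    if key_usage != "ENCRYPT_DECRYPT":
        return False  # SIGN_VERIFY or GENERATE_VERIFY_MAC keys
    if origin == "EXTERNAL":
        return False  # imported key material is never rotated by KMS
    return True


def find_rotation_disabled(resources):
    """Return logical IDs of eligible KMS keys whose rotation is not enabled."""
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != KMS_KEY_TYPE:
            continue
        props = res.get("Properties", {})
        if not rotation_eligible(props):
            continue  # ineligible key: omitting or setting false is correct
        if props.get("EnableKeyRotation") is not True:
            findings.append(logical_id)
    return findings


# Constructed sample resources: the asymmetric key from the report plus
# variants that exercise each branch of the eligibility rule.
SAMPLE_RESOURCES = {
    "myKey": {  # the resource from the report: asymmetric, must not be flagged
        "Type": KMS_KEY_TYPE,
        "Properties": {
            "Description": "An example asymmetric CMK",
            "EnableKeyRotation": False,
            "KeyUsage": "SIGN_VERIFY",
            "KeySpec": "ECC_NIST_P256",
        },
    },
    "symmetricNoRotation": {  # eligible and rotation left off: flag it
        "Type": KMS_KEY_TYPE,
        "Properties": {"Description": "symmetric key, rotation not enabled"},
    },
    "symmetricRotated": {  # eligible with rotation on: clean
        "Type": KMS_KEY_TYPE,
        "Properties": {"EnableKeyRotation": True},
    },
    "importedMaterial": {  # Origin EXTERNAL: ineligible
        "Type": KMS_KEY_TYPE,
        "Properties": {"Origin": "EXTERNAL", "EnableKeyRotation": False},
    },
    "hmacKey": {  # HMAC key: ineligible
        "Type": KMS_KEY_TYPE,
        "Properties": {"KeySpec": "HMAC_256", "KeyUsage": "GENERATE_VERIFY_MAC"},
    },
    "bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},  # not a KMS key
}

if __name__ == "__main__":
    print(find_rotation_disabled(SAMPLE_RESOURCES))  # ['symmetricNoRotation']
```

Running the block reports only `symmetricNoRotation`; the report's `myKey` is skipped because its KeySpec is not SYMMETRIC_DEFAULT, which is the outcome the expected behavior section asks for.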
Specifications
(N/A if not applicable)
- Version:
- Platform:
- Subsystem: