fix(cloudformation): scope KMS key rotation check to symmetric keys #8067
Open
arpitjain099 wants to merge 1 commit into
AWS automatic key rotation only applies to symmetric encryption KMS keys whose key material was generated by KMS (KeySpec SYMMETRIC_DEFAULT, or absent, with a non-EXTERNAL Origin). Asymmetric keys, HMAC keys and keys with imported (EXTERNAL) material do not support EnableKeyRotation, so the query was reporting false positives on those ineligible keys. Guard both CxPolicy blocks so they only fire for rotation-eligible keys, and add fixtures covering RSA, ECC, HMAC and EXTERNAL-origin keys.

Signed-off-by: arpitjain099 <arpitjain099@gmail.com>
Closes #7337
Reason for Proposed Changes
KMS Key Rotation Disabled (`kms_enable_key_rotation_disabled`) reports a false positive on KMS keys that cannot use automatic rotation. Both `CxPolicy` blocks fire whenever `EnableKeyRotation` is `false` or missing on any `AWS::KMS::Key`, regardless of the key type. `KeySpec: SYMMETRIC_DEFAULT`. Asymmetric, HMAC, and EXTERNAL-origin keys must have `EnableKeyRotation` omitted or set to `false`, so flagging them is incorrect.

Proposed Changes

- `rotation_eligible` guard to both `CxPolicy` blocks so the query only fires for keys that actually support automatic rotation: `KeySpec` equal to `SYMMETRIC_DEFAULT` or absent (the default), and `Origin` not equal to `EXTERNAL`. The `Origin` check excludes symmetric keys with imported key material, which also cannot be rotated automatically.
- `RSA_2048` key with rotation off, an asymmetric `ECC_NIST_P256` key with no `EnableKeyRotation` property, an `HMAC_256` key with rotation off, and a `SYMMETRIC_DEFAULT` key with `Origin: EXTERNAL` (YAML and JSON).
- `positive4.yaml`) confirming symmetric keys with `KeySpec: SYMMETRIC_DEFAULT` (including an explicit `Origin: AWS_KMS`) and rotation disabled are still flagged, and update `positive_expected_result.json`.

Verification:

`go test ./test/ -run 'TestQueries$/cloudFormation/aws/kms_enable_key_rotation_disabled'` plus the `TestQueriesContent` (100% query coverage) and `TestQueriesMetadata` cases all pass. Reverting only `query.rego` while keeping the new fixtures makes the four new negative cases fail (they get flagged), which confirms the guard is what removes the false positives.

I submit this contribution under the Apache-2.0 license.
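The eligibility guard described in this PR, modelled in Python as an added example (this is not the project's Rego query): the template and its resource names are constructed fixtures covering the key types the PR discusses, and `guarded=False` reproduces the pre-fix behaviour so the false positives are visible side by side.

```python
"""Python model of the rotation_eligible guard for the CloudFormation
kms_enable_key_rotation_disabled check (constructed example, not KICS code)."""


def rotation_eligible(props: dict) -> bool:
    """AWS rotates only symmetric keys whose material KMS generated itself."""
    key_spec = props.get("KeySpec", "SYMMETRIC_DEFAULT")  # absent -> default spec
    origin = props.get("Origin", "AWS_KMS")                # absent -> KMS-generated
    return key_spec == "SYMMETRIC_DEFAULT" and origin != "EXTERNAL"


def rotation_disabled(props: dict) -> bool:
    """Covers both policy conditions: property missing, or explicitly false."""
    return props.get("EnableKeyRotation") is not True


def find_rotation_disabled(template: dict, guarded: bool = True) -> list:
    """Logical names of AWS::KMS::Key resources the check would flag.
    guarded=False skips the eligibility guard (the pre-fix behaviour)."""
    flagged = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::KMS::Key":
            continue
        props = res.get("Properties", {})
        if guarded and not rotation_eligible(props):
            continue  # asymmetric, HMAC or imported material: cannot rotate
        if rotation_disabled(props):
            flagged.append(name)
    return flagged


# Constructed fixture; resource names are hypothetical.
TEMPLATE = {"Resources": {
    "SymmetricNoRotation": {"Type": "AWS::KMS::Key", "Properties": {
        "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "EnableKeyRotation": False}},
    "DefaultSpecMissingProp": {"Type": "AWS::KMS::Key", "Properties": {
        "Description": "no KeySpec, no EnableKeyRotation"}},
    "SymmetricRotated": {"Type": "AWS::KMS::Key", "Properties": {"EnableKeyRotation": True}},
    "RsaKey": {"Type": "AWS::KMS::Key", "Properties": {
        "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY", "EnableKeyRotation": False}},
    "EccKey": {"Type": "AWS::KMS::Key", "Properties": {
        "KeySpec": "ECC_NIST_P256", "KeyUsage": "SIGN_VERIFY"}},
    "HmacKey": {"Type": "AWS::KMS::Key", "Properties": {
        "KeySpec": "HMAC_256", "KeyUsage": "GENERATE_VERIFY_MAC", "EnableKeyRotation": False}},
    "ImportedKey": {"Type": "AWS::KMS::Key", "Properties": {
        "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "EXTERNAL"}},
    "NotAKey": {"Type": "AWS::S3::Bucket", "Properties": {}},
}}

if __name__ == "__main__":
    print("unguarded (pre-fix):", find_rotation_disabled(TEMPLATE, guarded=False))
    print("guarded (this PR):  ", find_rotation_disabled(TEMPLATE))
```

Only the two eligible symmetric keys remain flagged once the guard is applied; the four ineligible key types drop out, matching the four negative fixtures the PR adds.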