fix(cloudformation): scope KMS key rotation check to symmetric keys

assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/query.rego

@@ -6,7 +6,9 @@ import data.generic.cloudformation as cf_lib
 CxPolicy[result] {
 	resources := input.document[i].Resources[name]
 	resources.Type == "AWS::KMS::Key"
-	cf_lib.isCloudFormationFalse(resources.Properties.EnableKeyRotation)
+	properties := resources.Properties
+	rotation_eligible(properties)
+	cf_lib.isCloudFormationFalse(properties.EnableKeyRotation)
 
 	result := {
 		"documentId": input.document[i].id,
@@ -23,6 +25,7 @@ CxPolicy[result] {
 	resources := input.document[i].Resources[name]
 	resources.Type == "AWS::KMS::Key"
 	properties := resources.Properties
+	rotation_eligible(properties)
 	not common_lib.valid_key(properties, "EnableKeyRotation")
 
 	result := {
@@ -35,3 +38,28 @@ CxPolicy[result] {
 		"keyActualValue": sprintf("Resources.%s.Properties.EnableKeyRotation is undefined", [name]),
 	}
 }
+
+# AWS automatic key rotation only applies to symmetric encryption keys whose key
+# material was generated by KMS. Asymmetric keys, HMAC keys and keys with an
+# imported (EXTERNAL) key origin do not support EnableKeyRotation, so they must
+# not be flagged here.
+rotation_eligible(properties) {
+	key_spec(properties) == "SYMMETRIC_DEFAULT"
+	key_origin(properties) != "EXTERNAL"
+}
+
+# KeySpec defaults to SYMMETRIC_DEFAULT when it is not set.
+key_spec(properties) = spec {
+	common_lib.valid_key(properties, "KeySpec")
+	spec := upper(properties.KeySpec)
+} else = "SYMMETRIC_DEFAULT" {
+	true
+}
+
+# Origin defaults to AWS_KMS (KMS-generated material) when it is not set.
+key_origin(properties) = origin {
+	common_lib.valid_key(properties, "Origin")
+	origin := upper(properties.Origin)
+} else = "AWS_KMS" {
+	true
+}

assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/negative4.yaml

@@ -0,0 +1,36 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: A sample template
+Resources:
+  myAsymmetricKey:
+    Type: AWS::KMS::Key
+    Properties:
+      Description: An example asymmetric CMK that cannot use automatic rotation
+      KeySpec: RSA_2048
+      KeyUsage: ENCRYPT_DECRYPT
+      EnableKeyRotation: false
+      KeyPolicy:
+        Version: '2012-10-17'
+        Id: key-default-1
+        Statement:
+        - Sid: Enable IAM User Permissions
+          Effect: Allow
+          Principal:
+            AWS: arn:aws:iam::111122223333:root
+          Action: kms:*
+          Resource: '*'
+  myAsymmetricKeyNoRotationField:
+    Type: AWS::KMS::Key
+    Properties:
+      Description: An example asymmetric CMK with no EnableKeyRotation property
+      KeySpec: ECC_NIST_P256
+      KeyUsage: SIGN_VERIFY
+      KeyPolicy:
+        Version: '2012-10-17'
+        Id: key-default-1
+        Statement:
+        - Sid: Enable IAM User Permissions
+          Effect: Allow
+          Principal:
+            AWS: arn:aws:iam::111122223333:root
+          Action: kms:*
+          Resource: '*'

assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/negative5.json

@@ -0,0 +1,53 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+  "Description": "A sample template",
+  "Resources": {
+    "myHmacKey": {
+      "Type": "AWS::KMS::Key",
+      "Properties": {
+        "Description": "An HMAC key does not support automatic rotation",
+        "KeySpec": "HMAC_256",
+        "KeyUsage": "GENERATE_VERIFY_MAC",
+        "EnableKeyRotation": false,
+        "KeyPolicy": {
+          "Version": "2012-10-17",
+          "Id": "key-default-1",
+          "Statement": [
+            {
+              "Sid": "Enable IAM User Permissions",
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "arn:aws:iam::111122223333:root"
+              },
+              "Action": "kms:*",
+              "Resource": "*"
+            }
+          ]
+        }
+      }
+    },
+    "myExternalKey": {
+      "Type": "AWS::KMS::Key",
+      "Properties": {
+        "Description": "A symmetric key with imported material cannot use automatic rotation",
+        "KeySpec": "SYMMETRIC_DEFAULT",
+        "Origin": "EXTERNAL",
+        "KeyPolicy": {
+          "Version": "2012-10-17",
+          "Id": "key-default-1",
+          "Statement": [
+            {
+              "Sid": "Enable IAM User Permissions",
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "arn:aws:iam::111122223333:root"
+              },
+              "Action": "kms:*",
+              "Resource": "*"
+            }
+          ]
+        }
+      }
+    }
+  }
+}

assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive4.yaml

@@ -0,0 +1,36 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: A sample template
+Resources:
+  mySymmetricKeyRotationOff:
+    Type: AWS::KMS::Key
+    Properties:
+      Description: A symmetric key with KeySpec set explicitly and rotation disabled
+      KeySpec: SYMMETRIC_DEFAULT
+      EnableKeyRotation: false
+      KeyPolicy:
+        Version: '2012-10-17'
+        Id: key-default-1
+        Statement:
+        - Sid: Enable IAM User Permissions
+          Effect: Allow
+          Principal:
+            AWS: arn:aws:iam::111122223333:root
+          Action: kms:*
+          Resource: '*'
+  mySymmetricKeyNoRotation:
+    Type: AWS::KMS::Key
+    Properties:
+      Description: A symmetric key with KeySpec and AWS_KMS origin, rotation disabled
+      KeySpec: SYMMETRIC_DEFAULT
+      Origin: AWS_KMS
+      EnableKeyRotation: false
+      KeyPolicy:
+        Version: '2012-10-17'
+        Id: key-default-1
+        Statement:
+        - Sid: Enable IAM User Permissions
+          Effect: Allow
+          Principal:
+            AWS: arn:aws:iam::111122223333:root
+          Action: kms:*
+          Resource: '*'

assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json

@@ -34,5 +34,17 @@
     "severity": "MEDIUM",
     "line": 51,
     "fileName": "positive3.yaml"
+  },
+  {
+    "queryName": "KMS Key Rotation Disabled",
+    "severity": "MEDIUM",
+    "line": 9,
+    "fileName": "positive4.yaml"
+  },
+  {
+    "queryName": "KMS Key Rotation Disabled",
+    "severity": "MEDIUM",
+    "line": 26,
+    "fileName": "positive4.yaml"
   }
 ]