Enforce automatic key rotation for KMS service
resource "aws_kms_key" "mykey" {
  description             = "This is my KMS key"
  deletion_window_in_days = 10
  enable_key_rotation     = false   # the finding: key material is never rotated
}
The code above is a Terraform configuration for an AWS Key Management Service (KMS) key. The finding is the enable_key_rotation attribute, which is set to false. Note that false is also the provider default, so a resource that omits the attribute entirely has the same problem.
enable_key_rotation controls whether KMS automatically generates new backing key material for the key on a schedule (every 365 days by default; newer AWS provider versions also accept a rotation_period_in_days attribute, which AWS allows to be set between 90 and 2560 days). When the attribute is false, the key material generated when the key was created is used for every encrypt and decrypt operation for as long as the key exists. The more data, and the longer the time span, that depend on one piece of key material, the larger the consequence if that material is ever exposed or recovered.
Automatic rotation is a KMS best practice because it bounds that exposure: after each rotation, new encryption operations use fresh material, so a compromise of one version of the material affects only the ciphertext produced while that version was current. Rotation is transparent to callers. KMS keeps every previous version of the material and still uses it to decrypt the ciphertext it produced, so the key ID, ARN and alias do not change, nothing has to be re-encrypted, and nothing breaks. It applies only to symmetric encryption keys with AWS-generated material; asymmetric keys, HMAC keys and keys in custom key stores cannot be rotated automatically, and KMS rejects the setting for them. Leaving rotation disabled on a key that does support it therefore keeps the infrastructure exposed to a single, unbounded key material lifetime.
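A way to check for this misconfiguration across a whole Terraform codebase rather than one file, as an added example that is not part of the original page: the script below reads the JSON that `terraform show -json tfplan` produces, walks every module in planned_values, and reports each aws_kms_key whose rotation is off. It skips key specs and custom key store keys for which KMS offers no automatic rotation, because flagging those would be a false positive. The plan document embedded at the bottom is constructed for the example and trimmed to the fields the check reads; the attribute names (enable_key_rotation, rotation_period_in_days, customer_master_key_spec, custom_key_store_id) are the AWS provider's attribute names for aws_kms_key.

```python
"""Audit `terraform show -json` plan output for KMS keys without automatic rotation.

Added example, not the original page's code. Walks the planned_values tree of a
Terraform plan rendered as JSON and flags every aws_kms_key whose
enable_key_rotation is false or unset, skipping keys that KMS cannot auto-rotate
(non-symmetric key specs, custom key store keys) so the report has no false positives.
"""
import json
import sys

# KMS supports automatic rotation only for symmetric encryption keys.
ROTATABLE_KEY_SPECS = {"SYMMETRIC_DEFAULT"}
DEFAULT_ROTATION_DAYS = 365  # KMS default when rotation is enabled without a period


def iter_resources(module):
    """Yield every resource in a planned_values module tree, recursing into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def classify_kms_key(values):
    """Return (status, reason) for one aws_kms_key's planned attribute values."""
    # Provider attribute for the key spec; unset means SYMMETRIC_DEFAULT.
    key_spec = values.get("customer_master_key_spec") or "SYMMETRIC_DEFAULT"
    if key_spec not in ROTATABLE_KEY_SPECS:
        return "not_applicable", f"key spec {key_spec} does not support automatic rotation"
    if values.get("custom_key_store_id"):
        return "not_applicable", "keys in a custom key store cannot be auto-rotated"
    if values.get("enable_key_rotation") is True:
        period = values.get("rotation_period_in_days") or DEFAULT_ROTATION_DAYS
        return "ok", f"automatic rotation enabled every {period} days"
    # False or absent: the provider default is false, so both mean "never rotates".
    return "finding", "enable_key_rotation is false or unset; key material never rotates"


def audit_plan(plan):
    """Return [(address, status, reason)] for every aws_kms_key in the plan."""
    root = plan.get("planned_values", {}).get("root_module", {})
    report = []
    for res in iter_resources(root):
        if res.get("type") != "aws_kms_key":
            continue
        status, reason = classify_kms_key(res.get("values", {}))
        report.append((res["address"], status, reason))
    return report


def findings(plan):
    """Addresses of keys that should have rotation enabled but do not."""
    return [addr for addr, status, _ in audit_plan(plan) if status == "finding"]


# Constructed sample in the shape `terraform show -json tfplan` produces, trimmed.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_kms_key.mykey", "type": "aws_kms_key",
                 "values": {"description": "This is my KMS key",
                            "deletion_window_in_days": 10, "enable_key_rotation": False}},
                {"address": "aws_kms_key.fixed", "type": "aws_kms_key",
                 "values": {"enable_key_rotation": True, "rotation_period_in_days": 90}},
                {"address": "aws_kms_key.signing", "type": "aws_kms_key",
                 "values": {"customer_master_key_spec": "RSA_4096",
                            "key_usage": "SIGN_VERIFY", "enable_key_rotation": False}},
            ],
            "child_modules": [
                {"address": "module.data", "resources": [
                    {"address": "module.data.aws_kms_key.unset", "type": "aws_kms_key",
                     "values": {"description": "rotation attribute omitted"}},
                ]},
            ],
        }
    },
}

if __name__ == "__main__":
    # Read a real plan from stdin when piped in; otherwise audit the constructed sample.
    plan = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PLAN
    for address, status, reason in audit_plan(plan):
        print(f"{status:15} {address}: {reason}")
    sys.exit(1 if findings(plan) else 0)
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan | python audit_kms.py`; it exits non-zero when any rotatable key lacks rotation, which makes it usable as a CI gate. Keys created from imported material live in the separate aws_kms_external_key resource, which has no rotation attribute and is outside this check.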
resource "aws_kms_key" "mykey" {
  description             = "This is my KMS key"
  deletion_window_in_days = 10
  enable_key_rotation     = true    # KMS rotates the backing key material automatically
}
The code above is the fixed version. The finding was the enable_key_rotation attribute being set to false in the aws_kms_key resource, which left the key's material static for the entire life of the key and therefore made a single piece of material responsible for everything ever encrypted under it.
In the fixed code, enable_key_rotation is set to true, so KMS generates new backing key material every 365 days (the default rotation period) and uses it for all new encryption operations, while keeping the earlier material available for decrypting existing ciphertext. Each version of the material then protects only a bounded window of data, which limits the damage if one version is ever compromised. Where the AWS provider version in use supports rotation_period_in_days, the window can be shortened further (AWS accepts 90 to 2560 days).
Keep in mind what rotation does not do: it does not change the key ID, ARN or alias, it does not re-encrypt data that is already stored, and it does not retire a key whose material is believed to be compromised. For that, create a new key and re-encrypt the data under it. What rotation guarantees is that no single piece of key material stays in use indefinitely, which is why the setting is expected on every symmetric customer-managed key that supports it.