github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/kms/auto_rotate_keys.go (about) 1 package kms 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/providers/aws/kms" 7 "github.com/khulnasoft-lab/defsec/pkg/scan" 8 "github.com/khulnasoft-lab/defsec/pkg/severity" 9 "github.com/khulnasoft-lab/defsec/pkg/state" 10 ) 11 12 var CheckAutoRotateKeys = rules.Register( 13 scan.Rule{ 14 AVDID: "AVD-AWS-0065", 15 Provider: providers.AWSProvider, 16 Service: "kms", 17 ShortCode: "auto-rotate-keys", 18 Summary: "A KMS key is not configured to auto-rotate.", 19 Impact: "Long life KMS keys increase the attack surface when compromised", 20 Resolution: "Configure KMS key to auto rotate", 21 Explanation: `You should configure your KMS keys to auto rotate to maintain security and defend against compromise.`, 22 Links: []string{ 23 "https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html", 24 }, 25 Terraform: &scan.EngineMetadata{ 26 GoodExamples: terraformAutoRotateKeysGoodExamples, 27 BadExamples: terraformAutoRotateKeysBadExamples, 28 Links: terraformAutoRotateKeysLinks, 29 RemediationMarkdown: terraformAutoRotateKeysRemediationMarkdown, 30 }, 31 Severity: severity.Medium, 32 }, 33 func(s *state.State) (results scan.Results) { 34 for _, key := range s.AWS.KMS.Keys { 35 if key.Usage.EqualTo(kms.KeyUsageSignAndVerify) { 36 continue 37 } 38 if key.RotationEnabled.IsFalse() { 39 results.Add( 40 "Key does not have rotation enabled.", 41 key.RotationEnabled, 42 ) 43 } else { 44 results.AddPassed(&key) 45 } 46 } 47 return 48 }, 49 )