
bug(cloudformation): false positive kms key rotation disabled is reported on ineligible keys #7337

Open
funkdoodle opened this issue Feb 17, 2025 · 1 comment
Assignees
Labels: aws (PR related with AWS Cloud), bug (Something isn't working), cloudformation (CloudFormation query), community (Community contribution)

Comments

@funkdoodle

Given the following resource, kics will report issue "KMS Key Rotation Disabled"

  myKey:
    Type: AWS::KMS::Key
    Properties:
      Description: An example asymmetric CMK
      EnableKeyRotation: false
      KeyUsage: "SIGN_VERIFY"
      KeySpec: "ECC_NIST_P256"

AWS documentation (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-enablekeyrotation) states:

AWS KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false.

Expected Behavior

"KMS Key Rotation Disabled" is reported only on symmetric encryption keys that support EnableKeyRotation=True

"KMS Key Rotation Disabled" is not reported on ineligible keys - i.e. asymmetric keys, EXTERNAL Origin keys, HMAC keys

Actual Behavior

"KMS Key Rotation Disabled" is reported as an issue on asymmetric keys

Steps to Reproduce the Problem

Scan CloudFormation template containing resource:

  myKey:
    Type: AWS::KMS::Key
    Properties:
      Description: An example asymmetric CMK
      EnableKeyRotation: false
      KeyUsage: "SIGN_VERIFY"
      KeySpec: "ECC_NIST_P256"

Specifications

(N/A if not applicable)

  • Version:
  • Platform:
  • Subsystem:
@funkdoodle funkdoodle added bug Something isn't working community Community contribution labels Feb 17, 2025
@github-actions github-actions bot added cloudformation CloudFormation query aws PR related with AWS Cloud labels Feb 17, 2025
@cx-artur-ribeiro
Contributor

Hey @funkdoodle,

Thanks again for the detailed report, at first glance, you definitely seem to be right👌.

The query is intended to catch cases where automatic key rotation isn’t enabled for symmetric KMS keys. According to the AWS documentation, key rotation only applies to KeySpec: SYMMETRIC_DEFAULT. For asymmetric, HMAC, or EXTERNAL origin keys, the EnableKeyRotation property should be omitted or explicitly set to false.

While the query message itself is correct (it expects rotation to be enabled), the logic is flawed. It's currently checking EnableKeyRotation == false without validating the key type. That’s why your asymmetric key was incorrectly flagged.

We'll update the logic to scope this check only to symmetric keys and send it through our internal AppSec approval process. I’ll keep you posted as things progress.

Thanks again for catching this!
If you need anything else, feel free to reach out.
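The flaw described above (testing EnableKeyRotation == false without looking at the key type) and the fix the maintainer outlines (scoping the check to symmetric keys) side by side, as an added illustration that is not part of this issue and not KICS's own query (KICS queries are written in Rego; this is a Python stand-in for the logic). Templates are represented as already-parsed dicts constructed inline so the snippet runs without a YAML library. It assumes the CloudFormation defaults for AWS::KMS::Key (KeySpec SYMMETRIC_DEFAULT, Origin AWS_KMS, KeyUsage ENCRYPT_DECRYPT, EnableKeyRotation false) and, going one step beyond the report, treats an omitted EnableKeyRotation on an eligible key as a finding too, since the default is false.

```python
"""
Flawed KMS rotation check (as reported) beside a version scoped to keys
that AWS can actually rotate. Input is a parsed CloudFormation template
(dict); a real scanner would load it with a YAML/JSON parser.
"""

SYMMETRIC_DEFAULT = "SYMMETRIC_DEFAULT"


def naive_rotation_findings(template):
    """Flawed check from the issue: every AWS::KMS::Key whose
    EnableKeyRotation is false is reported, whatever its KeySpec/Origin."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::KMS::Key":
            continue
        props = res.get("Properties", {})
        if props.get("EnableKeyRotation") is False:
            findings.append(name)
    return findings


def rotation_eligible(props):
    """True only for keys AWS KMS can rotate automatically: symmetric
    encryption keys with KMS-generated material. Missing properties take the
    CloudFormation defaults (assumed here): KeySpec SYMMETRIC_DEFAULT,
    Origin AWS_KMS, KeyUsage ENCRYPT_DECRYPT."""
    key_spec = props.get("KeySpec", SYMMETRIC_DEFAULT)
    origin = props.get("Origin", "AWS_KMS")
    key_usage = props.get("KeyUsage", "ENCRYPT_DECRYPT")
    if key_spec != SYMMETRIC_DEFAULT:    # asymmetric (RSA_*, ECC_*, ...) and HMAC_* specs
        return False
    if origin == "EXTERNAL":             # imported key material is never rotated by KMS
        return False
    if key_usage != "ENCRYPT_DECRYPT":   # defensive: HMAC keys use GENERATE_VERIFY_MAC
        return False
    return True


def scoped_rotation_findings(template):
    """Corrected check: report only rotation-eligible keys whose
    EnableKeyRotation is false or omitted (default false)."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::KMS::Key":
            continue
        props = res.get("Properties", {})
        if not rotation_eligible(props):
            continue
        if props.get("EnableKeyRotation", False) is not True:
            findings.append(name)
    return findings


# Constructed sample template: the reporter's asymmetric key plus the other
# ineligible cases named in the quoted AWS documentation, and symmetric
# keys that should (or should not) be reported.
SAMPLE_TEMPLATE = {
    "Resources": {
        "myKey": {  # the resource from the report: asymmetric, rotation false
            "Type": "AWS::KMS::Key",
            "Properties": {
                "Description": "An example asymmetric CMK",
                "EnableKeyRotation": False,
                "KeyUsage": "SIGN_VERIFY",
                "KeySpec": "ECC_NIST_P256",
            },
        },
        "hmacKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {"KeySpec": "HMAC_256", "KeyUsage": "GENERATE_VERIFY_MAC",
                           "EnableKeyRotation": False},
        },
        "importedKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {"Origin": "EXTERNAL", "EnableKeyRotation": False},
        },
        "symmetricNoRotation": {  # the case the query is meant to catch
            "Type": "AWS::KMS::Key",
            "Properties": {"EnableKeyRotation": False},
        },
        "symmetricOmitted": {  # property omitted: defaults to false, still a finding
            "Type": "AWS::KMS::Key",
            "Properties": {"Description": "defaults only"},
        },
        "symmetricRotated": {
            "Type": "AWS::KMS::Key",
            "Properties": {"KeySpec": "SYMMETRIC_DEFAULT", "EnableKeyRotation": True},
        },
        "notAKey": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}

if __name__ == "__main__":
    print("naive  findings:", naive_rotation_findings(SAMPLE_TEMPLATE))
    print("scoped findings:", scoped_rotation_findings(SAMPLE_TEMPLATE))
```

Run against the sample, the naive check reports myKey, hmacKey and importedKey alongside the genuinely misconfigured symmetricNoRotation, while the scoped check drops the three ineligible keys and additionally catches symmetricOmitted, which the original `== false` test misses because the property is absent rather than false.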
