AWS Key Management Service (KMS) key is disabled
Description
Ensuring that your Amazon Key Management Service (AWS KMS) key is enabled is important because it determines whether the key can be used to perform cryptographic operations. When a key is enabled, it can be used to encrypt, decrypt, and generate data keys. When it is disabled, it cannot be used for these operations.
Code Example
go
resource "aws_kms_key" "pass" {
description = "description"
is_enabled = true
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "kms:*",
"Resource": "*"
},
]
}
POLICY
tags = { test = "Fail" }
}Remediation
Terraform
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0275 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_227 |