Skip to content

Commit

Permalink
fix(query): fix/cmk rotation disabled on terraform asymmetric key cre…
Browse files Browse the repository at this point in the history 
…ation (#5344)

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* Update assets/queries/terraform/aws/cmk_rotation_disabled/query.rego

Co-authored-by: Rafaela Soares <[email protected]>

* Update assets/queries/terraform/aws/cmk_rotation_disabled/query.rego

Co-authored-by: Rafaela Soares <[email protected]>

* Update assets/queries/terraform/aws/cmk_rotation_disabled/query.rego

Co-authored-by: Rafaela Soares <[email protected]>

* Update assets/queries/terraform/aws/cmk_rotation_disabled/query.rego

Co-authored-by: Rafaela Soares <[email protected]>

* fix support for AWS KMS in asymmetric keys - do not support automation key rotation

* Update assets/queries/terraform/aws/cmk_rotation_disabled/query.rego

Co-authored-by: Rafaela Soares <[email protected]>

Co-authored-by: Rafaela Soares <[email protected]>
  • Loading branch information
@LupovichRan @rafaela-soares
LupovichRan and rafaela-soares authored May 24, 2022
1 parent f4ed3d0 commit b1c5ad2
Show file tree
Hide file tree
Showing 12 changed files with 93 additions and 14 deletions.
38 changes: 33 additions & 5 deletions assets/queries/terraform/aws/cmk_rotation_disabled/query.rego
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@

package Cx

import data.generic.common as common_lib
Expand All @@ -6,7 +7,8 @@ CxPolicy[result] {
resource := input.document[i].resource.aws_kms_key[name]

not key_set_to_false(resource)
not common_lib.valid_key(resource, "enable_key_rotation")
not common_lib.valid_key(resource, "enable_key_rotation")
customer_master_key_spec_set_to_symmetric(resource)

result := {
"documentId": input.document[i].id,
Expand All @@ -17,21 +19,47 @@ CxPolicy[result] {
}
}


CxPolicy[result] {
resource := input.document[i].resource.aws_kms_key[name]

not key_set_to_false(resource)
resource.enable_key_rotation == true
not customer_master_key_spec_set_to_symmetric(resource)

result := {
"documentId": input.document[i].id,
"searchKey": sprintf("aws_kms_key[%s]", [name]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("aws_kms_key[%s].enable_key_rotation is set to false", [name]),
"keyActualValue": sprintf("aws_kms_key[%s].enable_key_rotation is true", [name]),
}
}


CxPolicy[result] {
resource := input.document[i].resource.aws_kms_key[name]

not key_set_to_false(resource)
resource.enable_key_rotation == false
resource.enable_key_rotation == false
customer_master_key_spec_set_to_symmetric(resource)

result := {
"documentId": input.document[i].id,
"searchKey": sprintf("aws_kms_key[%s].enable_key_rotation", [name]),
"issueType": "IncorrectValue",
"searchKey": sprintf("aws_kms_key[%s]", [name]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("aws_kms_key[%s].enable_key_rotation is set to true", [name]),
"keyActualValue": sprintf("aws_kms_key[%s].enable_key_rotation is set to false", [name]),
"keyActualValue": sprintf("aws_kms_key[%s].enable_key_rotation is false", [name]),
}
}


customer_master_key_spec_set_to_symmetric(resource) {
resource.customer_master_key_spec == "SYMMETRIC_DEFAULT"
} else {
not common_lib.valid_key(resource, "customer_master_key_spec")
}

key_set_to_false(resource) {
resource.is_enabled == false
}
6 changes: 3 additions & 3 deletions assets/queries/terraform/aws/cmk_rotation_disabled/test/negative1.tf
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
resource "aws_kms_key" "a3" {
description = "KMS key 1"
is_enabled = true
resource "aws_kms_key" "negative1" {
description = "KMS key 1"
is_enabled = true
enable_key_rotation = true
}
4 changes: 4 additions & 0 deletions assets/queries/terraform/aws/cmk_rotation_disabled/test/negative2.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
resource "aws_kms_key" "negative2" {
description = "KMS key 2"
customer_master_key_spec = "RSA_4096"
}
4 changes: 4 additions & 0 deletions assets/queries/terraform/aws/cmk_rotation_disabled/test/negative3.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
resource "aws_kms_key" "negative3" {
description = "KMS key 3"
customer_master_key_spec = "RSA_2048"
}
4 changes: 4 additions & 0 deletions assets/queries/terraform/aws/cmk_rotation_disabled/test/negative4.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
resource "aws_kms_key" "negative4" {
description = "KMS key 4"
customer_master_key_spec = "RSA_3072"
}
5 changes: 5 additions & 0 deletions assets/queries/terraform/aws/cmk_rotation_disabled/test/negative5.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
resource "aws_kms_key" "negative5" {
description = "KMS key 5"
customer_master_key_spec = "SYMMETRIC_DEFAULT"
enable_key_rotation = true
}
4 changes: 2 additions & 2 deletions assets/queries/terraform/aws/cmk_rotation_disabled/test/positive1.tf
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
resource "aws_kms_key" "a" {
description = "KMS key 1"
resource "aws_kms_key" "positive1" {
description = "KMS key 1"
}
6 changes: 3 additions & 3 deletions assets/queries/terraform/aws/cmk_rotation_disabled/test/positive2.tf
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
resource "aws_kms_key" "a2" {
description = "KMS key 2"
is_enabled = true
resource "aws_kms_key" "positive2" {
description = "KMS key 2"
is_enabled = true
enable_key_rotation = false
}
6 changes: 6 additions & 0 deletions assets/queries/terraform/aws/cmk_rotation_disabled/test/positive3.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
resource "aws_kms_key" "positive3" {
description = "KMS key 3"
is_enabled = true
customer_master_key_spec = "SYMMETRIC_DEFAULT"
enable_key_rotation = false
}
5 changes: 5 additions & 0 deletions assets/queries/terraform/aws/cmk_rotation_disabled/test/positive4.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
resource "aws_kms_key" "positive4" {
description = "KMS key 4"
customer_master_key_spec = "SYMMETRIC_DEFAULT"
enable_key_rotation = false
}
5 changes: 5 additions & 0 deletions assets/queries/terraform/aws/cmk_rotation_disabled/test/positive5.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
resource "aws_kms_key" "positive5" {
description = "KMS key 5"
customer_master_key_spec = "RSA_2048"
enable_key_rotation = true
}
20 changes: 19 additions & 1 deletion assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,25 @@
{
"queryName": "CMK Rotation Disabled",
"severity": "HIGH",
"line": 4,
"line": 1,
"fileName": "positive2.tf"
},
{
"queryName": "CMK Rotation Disabled",
"severity": "HIGH",
"line": 1,
"fileName": "positive3.tf"
},
{
"queryName": "CMK Rotation Disabled",
"severity": "HIGH",
"line": 1,
"fileName": "positive4.tf"
},
{
"queryName": "CMK Rotation Disabled",
"severity": "HIGH",
"line": 1,
"fileName": "positive5.tf"
}
]

0 comments on commit b1c5ad2

Please sign in to comment.