CloudFormation Guard (cfn-guard) rules for AWS::KMS::Key resources: one rule checks that automatic key rotation is enabled where KMS supports it, the other checks that the key policy does not grant access to an anonymous (wildcard) principal.
The following rules are included:
# Every AWS::KMS::Key resource in the template; both rules below iterate over
# this selection and are skipped when it is empty.
let kms_keys = Resources.*[ Type == 'AWS::KMS::Key' ]
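# Automatic key rotation must be enabled on every KMS key that supports it.
#
# AWS KMS only supports automatic rotation for symmetric encryption keys whose
# key material was generated by KMS, i.e. KeySpec absent (defaults to
# SYMMETRIC_DEFAULT) or SYMMETRIC_DEFAULT, and Origin absent (defaults to
# AWS_KMS) or AWS_KMS. Asymmetric keys, HMAC keys and keys with imported or
# custom-key-store material (Origin EXTERNAL / AWS_CLOUDHSM / EXTERNAL_KEY_STORE)
# cannot enable it, so they are not evaluated here instead of being reported as
# "rotation disabled".
rule kms_rotation when %kms_keys !empty {
    %kms_keys {
        Properties {
            when KeySpec !exists OR KeySpec == "SYMMETRIC_DEFAULT" {
                when Origin !exists OR Origin == "AWS_KMS" {
                    # Two separate clauses so the report distinguishes "property
                    # missing" from "property explicitly set to false".
                    EnableKeyRotation exists <<EnableKeyRotation is not configured (i.e. disabled).>>
                    when EnableKeyRotation exists {
                        EnableKeyRotation == true <<Key Rotation is disabled.>>
                    }
                }
            }
        }
    }
}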
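# No Allow statement in the key policy may name the anonymous principal.
#
# IAM accepts the wildcard principal in three shapes, all of which mean
# "anyone": the bare string "*", the map {"AWS": "*"} and the list form
# {"AWS": ["*", ...]}. The bare-string comparison alone misses the map/list
# forms, so each shape is checked explicitly. A KeyPolicy that is omitted is
# not evaluated: KMS then applies its default key policy, which only grants
# the account root. Wildcard principals narrowed by a Condition block are
# still reported; exempting them is a deliberate policy decision, not done here.
rule kms_public when %kms_keys !empty {
    %kms_keys {
        Properties {
            when KeyPolicy exists {
                KeyPolicy {
                    Statement[*] {
                        when Effect == "Allow" {
                            Principal != "*" <<Key policy allows public access (Principal "*")>>
                            when Principal is_struct {
                                when Principal.AWS exists {
                                    when Principal.AWS is_string {
                                        Principal.AWS != "*" <<Key policy allows public access ("AWS":"*")>>
                                    }
                                    when Principal.AWS is_list {
                                        Principal.AWS[*] != "*" <<Key policy allows public access ("AWS":["*"])>>
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}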