CloudFormation guard rules template for KMS resources

The following rules are included: 

  • Key Rotation Enabled
  • Public Access Disabled

# All AWS::KMS::Key resources in the template; both rules below iterate this
# selection and are skipped entirely (via their `when` guard) if it is empty.
let kms_keys = Resources.*[ Type == "AWS::KMS::Key" ]

# Requires automatic key rotation on symmetric KMS keys.
# A missing KeySpec is treated the same as "SYMMETRIC_DEFAULT" (the
# CloudFormation default); any other KeySpec value is not checked by this
# rule, since no branch below matches it. Both branches first require the
# EnableKeyRotation property to be present, then require it to be true.
rule kms_rotation when %kms_keys !empty {
	%kms_keys {
		Properties {
			# KeySpec omitted: key is symmetric, rotation must be configured and on.
			when KeySpec !exists {
				EnableKeyRotation exists <<EnableKeyRotation is not configured (i.e. disabled).>>
				when EnableKeyRotation exists {
					EnableKeyRotation == true <<Key Rotation is disabled.>>
				}
			}
            
			# KeySpec given: only the symmetric default spec is checked.
			when KeySpec exists {
				when KeySpec == "SYMMETRIC_DEFAULT" {
					EnableKeyRotation exists <<EnableKeyRotation is not configured (i.e. disabled).>>
					when EnableKeyRotation exists {
						EnableKeyRotation == true <<Key Rotation is disabled.>>
					}
				}
			}
		}
	}
}

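# Rejects key policy statements that grant access to everyone.
# Each statement must be a Deny, or an Allow whose Principal is not the
# wildcard. The wildcard principal can be written either as the bare string
# "*" or as a map such as {"AWS": "*"}; the original rule only compared the
# bare-string form, so the map form (the one its own message names) was
# never flagged. Both forms are checked here.
# Note: an Allow with a wildcard principal that is narrowed by a Condition
# element is still reported by this rule; review such findings manually.
rule kms_public when %kms_keys !empty {
	%kms_keys {
		Properties {
			KeyPolicy {
				Statement.* {
					Effect == "Deny" OR
					when Effect == "Allow" {
						# Principal written as the bare string "*".
						Principal != "*" <<Key policy allows public access (Principal "*")>>
						# Principal written as a map with an AWS key. `exists` is false
						# when Principal is a plain string, so this branch is skipped there.
						# If the AWS key holds a list, each element is expected to be
						# compared against "*" — confirm against the Guard version in use.
						when Principal.AWS exists {
							Principal.AWS != "*" <<Key policy allows public access ("AWS":"*")>>
						}
					}
				}
			}
		}
	}
}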

