Terraform Key Rotation Disabled
Description
Detects AWS KMS keys that have automatic key rotation disabled or not configured in Terraform. When key rotation is disabled, the same cryptographic material is used indefinitely, which violates security best practices and increases the risk of key compromise over time.
Detection Strategy
• Identifies Terraform resource blocks of type 'aws_kms_key'
• Checks if the 'enable_key_rotation' attribute is either missing or explicitly set to false
• Reports a vulnerability when an AWS KMS key is found without enabled key rotation
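The three checks above, carried out as an added, stand-alone example (this is not Fluid Attacks' scanner or the Terraform provider's code): a small brace-aware scan over Terraform text that reports every aws_kms_key block whose enable_key_rotation is missing or false, ignoring mentions inside comments. The sample configuration is constructed for the demo; the comment stripping does not account for '#' or '//' inside string values.

```python
import re

# Constructed sample (not a real project): the three cases the rule distinguishes plus a non-KMS block.
SAMPLE_TF = """
resource "aws_kms_key" "missing" {
  description = "No rotation attribute"
  # enable_key_rotation mentioned only in a comment
}
resource "aws_kms_key" "disabled" {
  enable_key_rotation = false
}
resource "aws_kms_key" "rotated" {
  enable_key_rotation = true  # rotation on
}
resource "aws_s3_bucket" "other" {
  bucket = "not-a-kms-key"
}
"""

RESOURCE_RE = re.compile(r'resource\s+"aws_kms_key"\s+"([^"]+)"\s*\{')
ROTATION_RE = re.compile(r'^\s*enable_key_rotation\s*=\s*(true|false)\b', re.M)

def strip_comments(hcl: str) -> str:
    """Drop '#' and '//' line comments so a mention inside a comment never counts as the attribute."""
    return re.sub(r'(#|//).*', '', hcl)

def block_body(hcl: str, open_brace: int) -> str:
    """Return the text between the '{' at open_brace and its matching '}', honouring nested blocks."""
    depth = 0
    for i in range(open_brace, len(hcl)):
        if hcl[i] == '{':
            depth += 1
        elif hcl[i] == '}':
            depth -= 1
            if depth == 0:
                return hcl[open_brace + 1:i]
    raise ValueError("unterminated block")

def find_unrotated_kms_keys(hcl: str) -> list:
    """Return (resource name, reason) for each aws_kms_key that lacks enable_key_rotation = true."""
    findings = []
    clean = strip_comments(hcl)
    for m in RESOURCE_RE.finditer(clean):
        body = block_body(clean, m.end() - 1)
        attr = ROTATION_RE.search(body)
        if attr is None:  # the provider defaults enable_key_rotation to false
            findings.append((m.group(1), "enable_key_rotation missing (defaults to false)"))
        elif attr.group(1) == "false":
            findings.append((m.group(1), "enable_key_rotation explicitly false"))
    return findings
```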
Vulnerable code example
resource "aws_kms_key" "example" {
description = "Vulnerable KMS Key" # Key rotation not enabled - security risk
customer_master_key_spec = "SYMMETRIC_DEFAULT"
deletion_window_in_days = 10
# Missing or false enable_key_rotation creates security vulnerability
}
✅ Secure code example
resource "aws_kms_key" "example" {
description = "Secure KMS Key"
customer_master_key_spec = "SYMMETRIC_DEFAULT"
deletion_window_in_days = 10
enable_key_rotation = true # Enable automatic key rotation for enhanced security
multi_region = false # Explicitly disable multi-region to prevent unintended key replication
}