Json Yaml Key Rotation Disabled
Description
Detects AWS KMS keys defined in CloudFormation templates that have automatic key rotation disabled or not configured. Key rotation is a critical security practice that limits the exposure window if cryptographic keys are compromised.
Detection Strategy
• Identifies CloudFormation resources of type 'AWS::KMS::Key'
• Checks whether the EnableKeyRotation property is missing (rotation is disabled by default) or explicitly set to false
• Reports a vulnerability for each KMS key that does not have key rotation enabled
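The detection strategy above, implemented as an added Python example (not Fluid Attacks' own checker code): it walks a parsed CloudFormation template, picks out AWS::KMS::Key resources and reports each one whose EnableKeyRotation is missing or false. It goes slightly beyond the rule as stated: a value that is not a literal (for example an intrinsic function such as Ref) is reported as unverifiable rather than silently accepted, and findings on key specs that KMS cannot rotate automatically (asymmetric and HMAC keys, or imported key material with Origin EXTERNAL) carry a note that the remediation there is manual rotation rather than flipping the flag. The sample template is constructed for the example and loaded from JSON with the standard library; a YAML template would first need a YAML loader that understands CloudFormation's intrinsic-function tags.

```python
"""Report AWS::KMS::Key resources in a CloudFormation template whose
automatic key rotation is disabled (EnableKeyRotation missing or false)."""
from __future__ import annotations

import json
from dataclasses import dataclass

# Key specs that AWS KMS cannot rotate automatically (asymmetric and HMAC keys).
_NON_ROTATABLE_PREFIXES = ("RSA_", "ECC_", "HMAC_", "SM2")


@dataclass
class Finding:
    logical_id: str
    reason: str       # why the key was reported
    note: str = ""    # remediation caveat, if any


def _as_bool(value):
    """Normalise the EnableKeyRotation literal. CloudFormation accepts native
    booleans and the strings "true"/"false"; anything else (e.g. an intrinsic
    function such as {"Ref": ...}) cannot be resolved statically -> None."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return None


def find_keys_without_rotation(template: dict) -> list[Finding]:
    """Return one Finding per KMS key that does not have rotation enabled."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != "AWS::KMS::Key":
            continue
        props = resource.get("Properties") or {}
        if "EnableKeyRotation" not in props:
            reason = "EnableKeyRotation not set (rotation is disabled by default)"
        else:
            enabled = _as_bool(props["EnableKeyRotation"])
            if enabled is True:
                continue  # compliant
            if enabled is False:
                reason = "EnableKeyRotation explicitly set to false"
            else:
                reason = "EnableKeyRotation is not a literal; cannot verify statically"
        note = ""
        spec = str(props.get("KeySpec", "SYMMETRIC_DEFAULT"))
        if spec.startswith(_NON_ROTATABLE_PREFIXES) or props.get("Origin") == "EXTERNAL":
            note = "automatic rotation is unsupported for this key; rotate it manually"
        findings.append(Finding(logical_id, reason, note))
    return findings


# Constructed sample template (JSON form of a CloudFormation template).
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "unsafeKey":  {"Type": "AWS::KMS::Key",
                   "Properties": {"EnableKeyRotation": false, "KeySpec": "SYMMETRIC_DEFAULT"}},
    "missingKey": {"Type": "AWS::KMS::Key",
                   "Properties": {"Description": "no rotation property at all"}},
    "signingKey": {"Type": "AWS::KMS::Key",
                   "Properties": {"KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY"}},
    "safeKey":    {"Type": "AWS::KMS::Key",
                   "Properties": {"EnableKeyRotation": "true", "KeySpec": "SYMMETRIC_DEFAULT"}},
    "bucket":     {"Type": "AWS::S3::Bucket"}
  }
}
""")

if __name__ == "__main__":
    for f in find_keys_without_rotation(SAMPLE_TEMPLATE):
        print(f"{f.logical_id}: {f.reason}" + (f" ({f.note})" if f.note else ""))
```

Run it on a real template by replacing SAMPLE_TEMPLATE with json.load(open(path)); the string "true" in safeKey is there on purpose, because JSON-form templates frequently carry booleans as strings and a checker that only accepts native booleans would report that key as a false positive.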
Vulnerable code example
Resources:
  unsafeKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Vulnerable KMS key example
      MultiRegion: true
      EnableKeyRotation: false # Security vulnerability: Key rotation should be enabled
      KeySpec: SYMMETRIC_DEFAULT
✅ Secure code example
Resources:
  safeKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Secure KMS key example
      MultiRegion: true
      EnableKeyRotation: true # Enable automatic key rotation for better security
      KeySpec: SYMMETRIC_DEFAULT