Feat: Add multi_region variable for multi-region CMKs #30
@@ -7,6 +7,7 @@ resource "aws_kms_key" "default" { | |||
description = var.description | |||
key_usage = var.key_usage | |||
customer_master_key_spec = var.customer_master_key_spec | |||
multi_region = var.multi_region |
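Review bot: the new `multi_region = var.multi_region` argument needs a matching floor on the AWS provider version, and this hunk does not change the provider constraint; a provider release that predates the argument fails at plan time with an unsupported-argument error, so raise the `aws` version in `required_providers` in the same change and declare `var.multi_region` as `bool` with `default = false` so existing single-region keys keep their current configuration. The scanner finding attached to this resource (BC_AWS_LOGGING_8) also says `enable_key_rotation` is not set on `aws_kms_key.default`; adding `enable_key_rotation = true` alongside the new argument would close that finding in the same PR.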
Ensure AWS CMK rotation is enabled
Resource: aws_kms_key.default | ID: BC_AWS_LOGGING_8
How to Fix
resource "aws_kms_key" "kms_key_1" {
...
is_enabled = true
+ enable_key_rotation = true
}
Description
AWS Key Management Service (KMS) allows customers to rotate the backing key. This is where key material is stored within the KMS, and tied to the key ID of the Customer Created customer master key (CMK). The backing key is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys, allowing decryption of encrypted data to take place transparently. We recommend you enable CMK key rotation to help reduce the potential impact of a compromised key. Data encrypted with a new key cannot be accessed with a previous key that may have been exposed.
Benchmarks
- PCI-DSS V3.2 3
- ISO27001 A.10.1.2
- CIS AWS V1.2 2.8
- PCI-DSS V3.2.1 3.6.4
- FEDRAMP (MODERATE) SC-12
- CIS AWS V1.3 3.8
Path | Resource | Connecting Attribute |
---|---|---|
/main.tf | aws_kms_alias.default | target_key_id |
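To show how the two points in this thread fit together (the new `multi_region` argument, which the reviewer below notes needs a provider version floor, and the rotation finding above), here is an added Terraform example; it is not the module's own code, and the variable names, the constructed description and alias values, and the provider version floor are assumptions made here.

```hcl
# Added example, not the module's code. Assumed here: the variable names,
# the constructed description/alias strings and the provider version floor.
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      # ASSUMPTION: 3.47.0 is believed to be the first provider release whose
      # aws_kms_key accepts multi_region; confirm against the provider changelog.
      version = ">= 3.47.0"
    }
  }
}

variable "multi_region" {
  type        = bool
  description = "Create a multi-region primary key instead of a single-region key"
  default     = false # existing single-region keys keep their configuration
}

variable "enable_key_rotation" {
  type        = bool
  description = "Automatic rotation of the backing key material (symmetric keys only)"
  default     = true # secure default, so BC_AWS_LOGGING_8 passes without overrides
}

resource "aws_kms_key" "default" {
  description              = "Example CMK with rotation enabled" # constructed value
  key_usage                = "ENCRYPT_DECRYPT"
  # Rotation is only valid for symmetric keys; keep the spec symmetric when it is on.
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  deletion_window_in_days  = 30
  is_enabled               = true
  enable_key_rotation      = var.enable_key_rotation
  multi_region             = var.multi_region
}

resource "aws_kms_alias" "default" {
  name          = "alias/example-cmk" # constructed value
  target_key_id = aws_kms_key.default.key_id
}
```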
/test all
Worried that the provider minimum version needs to be set to allow for multi_region