Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feat: Add multi_region variable for multi-region CMKs #30

Merged
merged 4 commits into from
Nov 5, 2021

Conversation

nitrocode
Copy link
Member

@nitrocode nitrocode commented Nov 5, 2021

what

  • Add multi_region

why

  • for keys that need to be used cross region
  • note this change will require 3.64.0 provider going forward

references

@nitrocode nitrocode requested review from a team as code owners November 5, 2021 13:26
@@ -7,6 +7,7 @@ resource "aws_kms_key" "default" {
description = var.description
key_usage = var.key_usage
customer_master_key_spec = var.customer_master_key_spec
multi_region = var.multi_region
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CRITICAL   Ensure AWS CMK rotation is enabled
    Resource: aws_kms_key.default | ID: BC_AWS_LOGGING_8

How to Fix

resource "aws_kms_key" "kms_key_1" {
  ...
  is_enabled              = true
+ enable_key_rotation    = true
}

Description

AWS Key Management Service (KMS) allows customers to rotate the backing key. This is where key material is stored within the KMS, and tied to the key ID of the Customer Created customer master key (CMK). The backing key is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys, allowing decryption of encrypted data to take place transparently.

We recommend you enable CMK key rotation to help reduce the potential impact of a compromised key. Data encrypted with a new key cannot be accessed with a previous key, that may have been exposed.

Benchmarks

  • PCI-DSS V3.2 3
  • ISO27001 A.10.1.2
  • CIS AWS V1.2 2.8
  • PCI-DSS V3.2.1 3.6.4
  • FEDRAMP (MODERATE) SC-12
  • CIS AWS V1.3 3.8
Dependent Resources

Path Resource Connecting Attribute
/main.tf aws_kms_alias.default target_key_id

@nitrocode
Copy link
Member Author

/test all

@@ -7,6 +7,7 @@ resource "aws_kms_key" "default" {
description = var.description
key_usage = var.key_usage
customer_master_key_spec = var.customer_master_key_spec
multi_region = var.multi_region
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CRITICAL   Ensure AWS CMK rotation is enabled
    Resource: aws_kms_key.default | ID: BC_AWS_LOGGING_8

How to Fix

resource "aws_kms_key" "kms_key_1" {
  ...
  is_enabled              = true
+ enable_key_rotation    = true
}

Description

AWS Key Management Service (KMS) allows customers to rotate the backing key. This is where key material is stored within the KMS, and tied to the key ID of the Customer Created customer master key (CMK). The backing key is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys, allowing decryption of encrypted data to take place transparently.

We recommend you enable CMK key rotation to help reduce the potential impact of a compromised key. Data encrypted with a new key cannot be accessed with a previous key, that may have been exposed.

Benchmarks

  • PCI-DSS V3.2 3
  • ISO27001 A.10.1.2
  • CIS AWS V1.2 2.8
  • PCI-DSS V3.2.1 3.6.4
  • FEDRAMP (MODERATE) SC-12
  • CIS AWS V1.3 3.8
Dependent Resources

Path Resource Connecting Attribute
/main.tf aws_kms_alias.default target_key_id

Copy link
Member

@korenyoni korenyoni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Worried that the provider minimum version needs to be set to allow for multi_region

versions.tf Show resolved Hide resolved
@korenyoni korenyoni added the enhancement New feature or request label Nov 5, 2021
@korenyoni korenyoni changed the title Add multi_region Feat: Add multi_region variable for multi-region CMKs Nov 5, 2021
@nitrocode nitrocode merged commit 191b5da into master Nov 5, 2021
@nitrocode nitrocode deleted the multiregion branch November 5, 2021 14:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants