Enable rotation on asymmetric keys is imposibile since AWS doesn't support that

[nathanbowang]

IDs

avd-aws-0065

Description

Enable rotation on asymmetric keys is imposibile since AWS doesn't support that.

Reproduction Steps

1. Run scan againest this Terraform resource, and you can see the Trivy complain.

resource "aws_kms_key" "this" {
  key_usage                = "ENCRYPT_DECRYPT"
  deletion_window_in_days  = 7
  customer_master_key_spec = "RSA_2048"
}

MEDIUM: Key does not have rotation enabled.
════════════════════════════════════════════════════════════════════════════════
You should configure your KMS keys to auto rotate to maintain security and defend against compromise.

See https://avd.aquasec.com/misconfig/avd-aws-0065
────────────────────────────────────────────────────────────────────────────────
modules/kms/main.tf:1-11
────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_kms_key" "keystore" {
2 │ count = 3
3 │ description = "Bootstrap sample key service key"
4 │ key_usage = "ENCRYPT_DECRYPT"
5 │ deletion_window_in_days = 7
6 │ customer_master_key_spec = "RSA_2048"
7 │
8 │ tags = {
9 └ application = "jwks"
..
────────────────────────────────────────────────────────────────────────────────

2. Now enable rotation and run terraform apply, you will see the AWS error

resource "aws_kms_key" "this" {
  key_usage                = "ENCRYPT_DECRYPT"
  deletion_window_in_days  = 7
  customer_master_key_spec = "RSA_2048"
  enable_key_rotation      = true
}

│ Error: creating KMS Key (ec1b39a1-07f3-4aa6-acc1-d1d0275828b4): key rotation: UnsupportedOperationException:
│
│ with aws_kms_key.this,
│ on main.tf line 1, in resource "aws_kms_key" "this":
│ 1: resource "aws_kms_key" "this" {
│

Target

Filesystem

Scanner

Misconfiguration

Target OS

No response

Debug Output

root@6e8b3f257d20:/terraform$ scripts/terraform.local.scan.sh 

cd /terraform/modules/kms
#trivy fs --scanners vuln,config,secret \
trivy fs --scanners config --debug \
  --severity CRITICAL,HIGH,MEDIUM \
  --skip-dirs .terraform \
  --skip-dirs local \
  --skip-dirs local_modules \
  --skip-dirs modules/local-mocks \
  ./
2023-08-04T04:47:51.326Z	DEBUG	Severities: ["CRITICAL" "HIGH" "MEDIUM"]
2023-08-04T04:47:51.333Z	DEBUG	cache dir:  /root/.cache/trivy
2023-08-04T04:47:51.333Z	INFO	Misconfiguration scanning is enabled
2023-08-04T04:47:51.333Z	DEBUG	Policies successfully loaded from disk
2023-08-04T04:47:51.361Z	DEBUG	Walk the file tree rooted at '.' in parallel
2023-08-04T04:47:51.361Z	DEBUG	Scanning Terraform files for misconfigurations...
2023-08-04T04:47:52.449Z	DEBUG	OS is not detected.
2023-08-04T04:47:52.449Z	INFO	Detected config files: 2
2023-08-04T04:47:52.449Z	DEBUG	Scanned config file: .
2023-08-04T04:47:52.449Z	DEBUG	Scanned config file: main.tf

main.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (MEDIUM: 3, HIGH: 0, CRITICAL: 0)

MEDIUM: Key does not have rotation enabled.
════════════════════════════════════════════════════════════════════════════════
You should configure your KMS keys to auto rotate to maintain security and defend against compromise.

See https://avd.aquasec.com/misconfig/avd-aws-0065
────────────────────────────────────────────────────────────────────────────────
 main.tf:1-11
────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_kms_key" "keystore" {
   2 │   count                    = 3
   3 │   description              = "Bootstrap sample key service key"
   4 │   key_usage                = "ENCRYPT_DECRYPT"
   5 │   deletion_window_in_days  = 7
   6 │   customer_master_key_spec = "RSA_2048"
   7 │ 
   8 │   tags = {
   9 └     application = "jwks"
  ..   
────────────────────────────────────────────────────────────────────────────────


MEDIUM: Key does not have rotation enabled.
════════════════════════════════════════════════════════════════════════════════
You should configure your KMS keys to auto rotate to maintain security and defend against compromise.

See https://avd.aquasec.com/misconfig/avd-aws-0065
────────────────────────────────────────────────────────────────────────────────
 main.tf:1-11
────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_kms_key" "keystore" {
   2 │   count                    = 3
   3 │   description              = "Bootstrap sample key service key"
   4 │   key_usage                = "ENCRYPT_DECRYPT"
   5 │   deletion_window_in_days  = 7
   6 │   customer_master_key_spec = "RSA_2048"
   7 │ 
   8 │   tags = {
   9 └     application = "jwks"
  ..   
────────────────────────────────────────────────────────────────────────────────


MEDIUM: Key does not have rotation enabled.
════════════════════════════════════════════════════════════════════════════════
You should configure your KMS keys to auto rotate to maintain security and defend against compromise.

See https://avd.aquasec.com/misconfig/avd-aws-0065
────────────────────────────────────────────────────────────────────────────────
 main.tf:1-11
────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_kms_key" "keystore" {
   2 │   count                    = 3
   3 │   description              = "Bootstrap sample key service key"
   4 │   key_usage                = "ENCRYPT_DECRYPT"
   5 │   deletion_window_in_days  = 7
   6 │   customer_master_key_spec = "RSA_2048"
   7 │ 
   8 │   tags = {
   9 └     application = "jwks"
  ..   
────────────────────────────────────────────────────────────────────────────────

Version

root@6e8b3f257d20:/terraform$ trivy -v
Version: 0.42.1
Policy Bundle:
  Digest: sha256:acf1cb62a4ade75773ec3d265cc4d90160d285bbacaa7b6947a34830c1e45c5c
  DownloadedAt: 2023-08-04 04:40:31.384947059 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[simar7]

I guess this is an edge case where rotation is supported, but only on symmetric keys. https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKeyRotation.html

Today by default if you don't specify the customer_master_key_spec it assumes it to be symmetric key as described here https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#customer_master_key_spec

We can make this check a little smarter where we only flag it, if the key is symmetric and not enabled for rotation. For that to work take place we will need to check the customer_master_key_spec field to be set. It is an optional field so we can't assume it will always be set.