[datagov-ssb] KMS key does not have key rotation enabled

[nickumia-reisys]

Please keep any sensitive details in Google Drive.

Date of report: 12/6/2022
Severity: Low
Due date: 03/06/2022

Due date is based on severity and described in RA-5. 15-days for Critical, 30-days for High, and 90-days for Moderate and lower.

• Analysis has been performed and an issue has been linked to address other occurrences for this class of vulnerability* (link)

* When a finding is identified, we create two issues. One to address the specific instance identified in the report. The other is to identify and address all other occurrences of this vulnerability within the application.

Snyk Link

Detailed paths

Introduced through: input › resource › aws_kms_key[zone] › enable_key_rotation

This issue is...

• That your encryption keys are not being rotated by AWS

The impact of this is...

• That data is being encrypted with a key which is valid for a longer period of time, resulting in a greater exposure window should that key be leaked

You can resolve it by...

• Set enable_key_rotation attribute to true

[nickumia-reisys]

@mogul Do you think enabling key rotation would negatively impact the function of the SSB in any way? My guess would be no, but I'm not sure.

[mogul]

I don't believe so, no.

[nickumia-reisys]

Okay, I'll try to implement it and make sure there's no funny business like keys being recreated in a way that would cause problems. Thanks for the quick response! @mogul