
Module AWS.KMS.Logging.High.0400 seems to serve no purpose #917

Closed
matt-slalom opened this issue Jul 6, 2021 · 1 comment · Fixed by #918
Labels
policy Issue concerning policy maintainers.

Comments

@matt-slalom (Contributor) commented Jul 6, 2021

  • terrascan version: 1.8.0

Description

I noticed that in scans of code that include KMS keys, the module AWS.KMS.Logging.High.0400 triggers. The description for this module reads, "Ensure rotation for customer created CMKs is enabled," but it points to kmsKeyNoDeletionWindow.rego, which actually checks for the key deletion window (not rotation).

This looks like a copy/paste error since this same description is in AWS.AKK.DP.HIGH.0012.

Looking at it more closely, AWS.KMS.Logging.High.0400 seems to serve no purpose in AWS since keys cannot set deletion_window_in_days until they are scheduled for deletion. Similarly, deletion_window_in_days cannot be set higher than 30, and AWS sets a default value if none is explicitly set.

That makes me think this entire module can be deleted. Unless perhaps it's trying to check for something I'm not understanding? Either way, the module seems to be broken. I'm happy to assist in fixing it, but right now its purpose is unclear.

I plan to submit a PR that deletes this module, unless someone can tell me it's actually needed.
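The comment above turns on two different attributes of an `aws_kms_key` being conflated: `enable_key_rotation` (what the policy description promises to check) and `deletion_window_in_days` (what kmsKeyNoDeletionWindow.rego actually reads, a value AWS only accepts in the 7 to 30 day range and defaults to 30 when omitted). The checker below keeps the two apart. It is an added example written for this page, not terrascan's policy code or anything from the linked PR. It assumes the resource layout of a `terraform show -json` plan (`planned_values.root_module.resources`, each entry carrying `type`, `address` and `values`), uses the provider attribute name `customer_master_key_spec` to skip asymmetric keys that cannot rotate automatically, and runs on a constructed `SAMPLE_PLAN`; the function names `iter_resources` and `check_kms_keys` and the rule identifiers are mine.

```python
"""Added example (illustration for this page, not terrascan's policy code).

Two separate checks on aws_kms_key resources in a Terraform plan document:
  1. rotation: enable_key_rotation must be true on symmetric keys
  2. deletion window: deletion_window_in_days, if set, must be within 7..30

The plan layout (planned_values.root_module.resources with type/address/values)
is an assumption about `terraform show -json` output; SAMPLE_PLAN is constructed.
"""
from typing import Any, Dict, Iterator, List

MIN_DELETION_WINDOW = 7       # smallest value KMS accepts for the pending-deletion window
MAX_DELETION_WINDOW = 30      # largest value KMS accepts
DEFAULT_DELETION_WINDOW = 30  # applied by AWS when the attribute is omitted

# Automatic rotation only exists for symmetric keys; flagging an asymmetric key
# for "rotation disabled" would be a false positive.
SYMMETRIC_SPEC = "SYMMETRIC_DEFAULT"


def iter_resources(module: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_kms_keys(plan: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per violated check for each aws_kms_key in the plan."""
    findings: List[Dict[str, str]] = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "aws_kms_key":
            continue
        address = res.get("address", res.get("name", "<unknown>"))
        values = res.get("values") or {}

        # Check 1: rotation. Missing, null (unknown at plan time) and false all
        # mean "not enabled". Asymmetric keys are skipped (see SYMMETRIC_SPEC).
        spec = values.get("customer_master_key_spec") or SYMMETRIC_SPEC
        if spec == SYMMETRIC_SPEC and not values.get("enable_key_rotation"):
            findings.append({
                "address": address,
                "rule": "KMS_KEY_ROTATION_DISABLED",
                "message": "set enable_key_rotation = true on this symmetric key",
            })

        # Check 2: deletion window. An omitted value means the AWS default, so
        # only an explicit out-of-range value is a finding.
        window = values.get("deletion_window_in_days")
        if window is None:
            window = DEFAULT_DELETION_WINDOW
        if not isinstance(window, int) or not MIN_DELETION_WINDOW <= window <= MAX_DELETION_WINDOW:
            findings.append({
                "address": address,
                "rule": "KMS_DELETION_WINDOW_OUT_OF_RANGE",
                "message": f"deletion_window_in_days={window!r}; must be "
                           f"{MIN_DELETION_WINDOW}..{MAX_DELETION_WINDOW}",
            })
    return findings


def _key(address: str, **values: Any) -> Dict[str, Any]:
    """Build one plan resource entry for the constructed sample below."""
    return {"address": address, "type": "aws_kms_key",
            "name": address.rsplit(".", 1)[1], "values": values}


# Constructed sample plan: a compliant key, a key without rotation, a key with an
# out-of-range window, an asymmetric key (rotation not applicable), a non-KMS
# resource, and a key inside a child module.
SAMPLE_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                _key("aws_kms_key.good", enable_key_rotation=True, deletion_window_in_days=30),
                _key("aws_kms_key.no_rotation", deletion_window_in_days=10),
                _key("aws_kms_key.bad_window", enable_key_rotation=True, deletion_window_in_days=3),
                _key("aws_kms_key.rsa_signing", customer_master_key_spec="RSA_2048"),
                {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
                 "name": "logs", "values": {"bucket": "logs"}},
            ],
            "child_modules": [
                {"resources": [_key("module.app.aws_kms_key.app", enable_key_rotation=False)]}
            ],
        }
    }
}

if __name__ == "__main__":
    for f in check_kms_keys(SAMPLE_PLAN):
        print(f"{f['address']}: {f['rule']} ({f['message']})")
```

Against a real plan you would load the JSON produced by `terraform show -json tfplan` and pass it to `check_kms_keys`. Note that the second check rarely fires in practice, since the provider itself rejects out-of-range windows before a plan is produced, which is the point the issue makes; the first check is the one the policy description actually describes.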

@matt-slalom (Contributor, Author)

Submitted PR #918

@gaurav-gogia gaurav-gogia added the policy Issue concerning policy maintainers. label Jul 7, 2021
@gaurav-gogia gaurav-gogia linked a pull request Jul 7, 2021 that will close this issue
2 participants