Correct KMS window deletion module

tenable · Jul 6, 2021 · a9ededd · a9ededd
1 parent 80c00e0
commit a9ededd
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/pkg/policies/opa/rego/aws/aws_kms_key/AWS.KMS.Logging.High.0400.json b/pkg/policies/opa/rego/aws/aws_kms_key/AWS.KMS.Logging.High.0400.json
@@ -7,9 +7,9 @@
         "prefix": ""
     },
     "severity": "HIGH",
-    "description": "Ensure rotation for customer created CMKs is enabled",
+    "description": "Ensure KMS key deletion window is set for deleted keys",
     "reference_id": "AWS.KMS.Logging.High.0400",
     "category": "Security Best Practices",
     "version": 2,
     "id": "AC_AWS_0161"
-}
+}
diff --git a/pkg/policies/opa/rego/aws/aws_kms_key/kmsKeyNoDeletionWindow.rego b/pkg/policies/opa/rego/aws/aws_kms_key/kmsKeyNoDeletionWindow.rego
@@ -2,7 +2,7 @@ package accurics
 
 {{.prefix}}kmsKeyNoDeletionWindow[retVal] {
     kms_key = input.aws_kms_key[_]
-    kms_key.config.is_enabled == true
+    kms_key.config.is_enabled == false
     kms_key.config.enable_key_rotation == true
     invalid_window_in_days(kms_key.config.deletion_window_in_days) == true
     traverse = "deletion_window_in_days"
@@ -16,4 +16,4 @@ invalid_window_in_days(days) = true {
 invalid_window_in_days(days) = true {
     days != null
     days > 90
-}
+}