From a9ededd0bff64e0f6441038c564d425f514074cf Mon Sep 17 00:00:00 2001
From: Matt Warner
Date: Tue, 6 Jul 2021 14:20:28 -0700
Subject: [PATCH] Correct KMS window deletion module

---
 .../opa/rego/aws/aws_kms_key/AWS.KMS.Logging.High.0400.json | 4 ++--
 .../opa/rego/aws/aws_kms_key/kmsKeyNoDeletionWindow.rego | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkg/policies/opa/rego/aws/aws_kms_key/AWS.KMS.Logging.High.0400.json b/pkg/policies/opa/rego/aws/aws_kms_key/AWS.KMS.Logging.High.0400.json
index 5ab8ae172..d100ea2c8 100755
--- a/pkg/policies/opa/rego/aws/aws_kms_key/AWS.KMS.Logging.High.0400.json
+++ b/pkg/policies/opa/rego/aws/aws_kms_key/AWS.KMS.Logging.High.0400.json
@@ -7,9 +7,9 @@
 "prefix": ""
 },
 "severity": "HIGH",
- "description": "Ensure rotation for customer created CMKs is enabled",
+ "description": "Ensure KMS key deletion window is set for deleted keys",
 "reference_id": "AWS.KMS.Logging.High.0400",
 "category": "Security Best Practices",
 "version": 2,
 "id": "AC_AWS_0161"
-}
\ No newline at end of file
+}
diff --git a/pkg/policies/opa/rego/aws/aws_kms_key/kmsKeyNoDeletionWindow.rego b/pkg/policies/opa/rego/aws/aws_kms_key/kmsKeyNoDeletionWindow.rego
index 0af0099a3..3d29ad9f6 100755
--- a/pkg/policies/opa/rego/aws/aws_kms_key/kmsKeyNoDeletionWindow.rego
+++ b/pkg/policies/opa/rego/aws/aws_kms_key/kmsKeyNoDeletionWindow.rego
@@ -2,7 +2,7 @@ package accurics
 
 {{.prefix}}kmsKeyNoDeletionWindow[retVal] {
 kms_key = input.aws_kms_key[_]
- kms_key.config.is_enabled == true
+ kms_key.config.is_enabled == false
 kms_key.config.enable_key_rotation == true
 invalid_window_in_days(kms_key.config.deletion_window_in_days) == true
 traverse = "deletion_window_in_days"
@@ -16,4 +16,4 @@ invalid_window_in_days(days) = true {
 invalid_window_in_days(days) = true {
 days != null
 days > 90
-}
\ No newline at end of file
+}
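Review bot: The new `kms_key.config.is_enabled == false` gate, combined with the retained `kms_key.config.enable_key_rotation == true` line right below it, means the rule only reports keys that are both explicitly disabled and rotating; a key with an invalid `deletion_window_in_days` that leaves `is_enabled` and `enable_key_rotation` unset (both have Terraform defaults) is never flagged. The rotation condition reads as a leftover from the old "rotation for customer created CMKs" description and has no bearing on the deletion window, so it should be dropped: `kms_key.config.enable_key_rotation == true` removed. Whether the enabled state should gate the check at all is worth a comment in the rule, since `deletion_window_in_days` governs what happens when the resource is destroyed regardless of whether the key is enabled; the body of `kmsKeyNoDeletionWindow` continues beyond the hunk, so the `retVal` construction was not reviewed.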
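Review bot: The `days > 90` condition in the second `invalid_window_in_days` clause is effectively unreachable as far as I can tell, because AWS KMS only accepts pending-deletion windows of 7 to 30 days and the Terraform provider validates the same range, so any plan that could apply never has a value above 30. If the intent is to flag windows above the supported maximum the threshold should be `days > 30`; if the intent is something else, a one-line comment above the clause stating the rationale would help, e.g. `# AWS KMS accepts a deletion window of 7-30 days; values above this are rejected at apply time`. The first `invalid_window_in_days` clause starts before this hunk and was not reviewed.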