Ignore KMS keys that are pending deletion in rotation check

[yorinasub17]

Benchmark where identified

• CIS v1.4.0

Description

This updates the KMS CMK rotation enabled query to skip any KMS keys that are in the Pending Deletion state. These keys are marked for deletion, and thus it doesn't matter if rotation is enabled or not, so best to skip them to keep the report clean.

If the key is ever restored and put out of pending deletion, then the state will change and should show up in the report the next time it runs.

Sample output

(data has been sanitized to mask real IDs)

| + 3.8 Ensure rotation for customer created CMKs is enabled ............................................................................ 0 /   6 [=         ]
| | |
| | OK   : KEY_ID key rotation enabled. ................................................................. us-east-1 000000000000
| | OK   : KEY_ID key rotation enabled. ................................................................. us-east-1 000000000000
| | OK   : KEY_ID key rotation enabled. ................................................................. us-east-1 000000000000
| | SKIP : KEY_ID is pending deletion. .................................................................. us-east-1 000000000000
| | SKIP : KEY_ID is pending deletion. .................................................................. us-east-1 000000000000
| | SKIP : KEY_ID is pending deletion. .................................................................. us-east-1 000000000000
|

[misraved]

Thanks @yorinasub17 for such detailed insight 👍 .

Apart from checking if the key is in PendingDeletion state, I think we could also add a check if the key is in Disabled state or not, since we cannot set rotation for disabled keys.

Relevant AWS docs - https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

[yorinasub17]

Apart from checking if the key is in PendingDeletion state, I think we could also add a check if the key is in Disabled state or not, since we cannot set rotation for disabled keys.

Good point. Updated to also check for disabled keys: 8c53ca0

Here is sample output on the new version:

| + 3.8 Ensure rotation for customer created CMKs is enabled ...........................................................................  0 /   7 [=         ]
| | |
| | OK   : KEY_ID key rotation enabled. ................................................................. us-east-1 000000000000
| | OK   : KEY_ID key rotation enabled. ................................................................. us-east-1 000000000000
| | OK   : KEY_ID key rotation enabled. ................................................................. us-east-1 000000000000
| | SKIP : KEY_ID is pending deletion. .................................................................. us-east-1 000000000000
| | SKIP : KEY_ID is pending deletion. .................................................................. us-east-1 000000000000
| | SKIP : KEY_ID is disabled. .......................................................................... us-east-1 000000000000
| | SKIP : KEY_ID is pending deletion. .................................................................. us-east-1 000000000000

[misraved]

I am extremely sorry @yorinasub17 for closing the PR since we released a new version v0.40 of the compliance mod.

Could you please raise the PR again? Sorry for the inconvenience 😢 .

[yorinasub17]

No problem! Just opened #466

[misraved]

Thanks a lot @yorinasub17 👍.