aws.kms-key

Filters

cross-account

Filter KMS keys which have cross account permissions

example

policies:
  - name: check-kms-key-cross-account
    resource: kms-key
    filters:
      - type: cross-account
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from: &id001
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from: *id001
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from: *id001
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from: *id001
required:
- type

key-rotation-status

Filters KMS keys by the rotation status

example

policies:
  - name: kms-key-disabled-rotation
    resource: kms-key
    filters:
      - type: key-rotation-status
        key: KeyRotationEnabled
        value: false
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - key-rotation-status
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
required:
- type

Actions

remove-statements

Action to remove policy statements from KMS

example

policies:
   - name: kms-key-cross-account
     resource: kms-key
     filters:
       - type: cross-account
     actions:
       - type: remove-statements
         statement_ids: matched
properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
      - '*'
    - items:
        type: string
      type: array
  type:
    enum:
    - remove-statements
required:
- statement_ids
- type

set-rotation

Toggle KMS key rotation

example

policy:
  - name: enable-cmk-rotation
    resource: kms-key
    filters:
      - type: key-rotation-status
        key: KeyRotationEnabled
        value: False
    actions:
      - type: set-rotation
        state: True
properties:
  state:
    type: boolean
  type:
    enum:
    - set-rotation
required:
- type