turbot/steampipe-mod-oci-compliance

Control: 4.16 Ensure customer created Customer Managed Key (CMK) is rotated at least annually

Description

Oracle Cloud Infrastructure Vault securely stores the master encryption keys that protect your encrypted data. You can use the Vault service to rotate keys to generate new cryptographic material. Periodically rotating keys limits the amount of data encrypted by any one key version.

Rotating keys annually limits the data encrypted under one key version. Key rotation thereby reduces the risk in case a key is ever compromised.

Remediation

From Console

  1. Log in to the OCI Console.
  2. Select Identity & Security from the Services menu.
  3. Select Vault.
  4. Click the individual vault under the Name heading.
  5. Click the menu next to the time created.
  6. Click Rotate Key.

From CLI

  1. Execute the following:

     oci kms management key rotate --key-id <target_key_id> --endpoint <control_plane_url>

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_4_16

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_4_16 --share

SQL

This control uses a named query:

with active_key_table as (
  select
    k.name as key_name,
    k.id,
    k.compartment_id,
    k.vault_name,
    k.lifecycle_state,
    k._ctx,
    k.tenant_id,
    k.tenant_name,
    k.region,
    k.tags,
    max(v.time_created) as last_version_created_date
  from
    oci_kms_key k,
    oci_kms_key_version v
  where
    v.key_id = k.id
    and v.management_endpoint = k.management_endpoint
    and v.region = k.region
  group by
    key_name, k.region, k.id, k.vault_name, k.lifecycle_state, k.tenant_id, k._ctx, k.compartment_id, k.tenant_name, k.tags
)
select
  a.id as resource,
  case
    when a.lifecycle_state != 'ENABLED' then 'skip'
    when last_version_created_date <= (current_date - interval '365' day) then 'alarm'
    else 'ok'
  end as status,
  case
    when a.lifecycle_state = 'PENDING_DELETION' then a.key_name || ' in ' || a.vault_name || ' vault scheduled for deletion.'
    when a.lifecycle_state != 'ENABLED' then a.key_name || ' of ' || a.vault_name || ' in ' || lower(a.lifecycle_state) || ' state.'
    when last_version_created_date <= (current_date - interval '365' day)
      then a.key_name || ' in ' || a.vault_name || ' vault not rotated since ' || (date(current_timestamp) - date(last_version_created_date)) || ' days.'
    else a.key_name || ' in ' || a.vault_name || ' vault last rotation age ' || (date(current_timestamp) - date(last_version_created_date)) || ' days.'
  end as reason,
  a.region as region,
  a.tenant_name as tenant,
  coalesce(c.name, 'root') as compartment
from
  active_key_table a
  left join oci_identity_compartment c on c.id = a.compartment_id;
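The query above is the only place the control's decision rules are written down, and it needs a live Steampipe connection to exercise. The following added example (not part of the mod or the Steampipe OCI plugin) restates those rules as plain Python over an in-memory inventory, so the edge cases can be checked offline: keys in PENDING_DELETION or any other non-ENABLED state are skipped, a key with no versions drops out entirely (the query's inner join), and the 365-day boundary is inclusive. The dataclasses, the `days_ago` helper and the key OCIDs are constructed for the example and are not the plugin's column names or real identifiers.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

# Threshold from the control: newest key version 365 or more days old -> alarm.
MAX_KEY_VERSION_AGE_DAYS = 365


@dataclass
class KmsKey:
    """Subset of the oci_kms_key columns the control reads (constructed shape)."""
    id: str
    name: str
    vault_name: str
    lifecycle_state: str  # ENABLED, DISABLED, PENDING_DELETION, ...


@dataclass
class KmsKeyVersion:
    """Subset of the oci_kms_key_version columns the control reads (constructed shape)."""
    key_id: str
    time_created: datetime


def evaluate_key(key, versions, today):
    """Return (status, reason) for one key, or None if it has no versions.

    Mirrors the named query: max(time_created) over the key's versions gives the
    last rotation date; lifecycle_state is checked before age; age is computed in
    whole days between calendar dates, as the query does with date() casts.
    """
    own_versions = [v.time_created for v in versions if v.key_id == key.id]
    if not own_versions:
        return None  # inner join in the query: keys without versions are not reported
    last_version_created = max(own_versions).date()
    age_days = (today - last_version_created).days
    label = f"{key.name} in {key.vault_name} vault"

    if key.lifecycle_state == "PENDING_DELETION":
        return ("skip", f"{label} scheduled for deletion.")
    if key.lifecycle_state != "ENABLED":
        return ("skip", f"{key.name} of {key.vault_name} in {key.lifecycle_state.lower()} state.")
    if last_version_created <= today - timedelta(days=MAX_KEY_VERSION_AGE_DAYS):
        return ("alarm", f"{label} not rotated since {age_days} days.")
    return ("ok", f"{label} last rotation age {age_days} days.")


def evaluate_keys(keys, versions, today):
    """Evaluate every key; result is keyed by key id like the query's resource column."""
    results = {}
    for key in keys:
        verdict = evaluate_key(key, versions, today)
        if verdict is not None:
            results[key.id] = verdict
    return results


# Fixed evaluation date so the results below are reproducible.
TODAY = date(2024, 6, 1)


def days_ago(n):
    """Constructed helper: a UTC timestamp at midnight n days before TODAY."""
    return datetime.combine(TODAY - timedelta(days=n), datetime.min.time(), tzinfo=timezone.utc)


# Constructed inventory; the OCIDs are placeholders, not real resources.
SAMPLE_KEYS = [
    KmsKey("ocid1.key.example.a", "app-db-key", "prod-vault", "ENABLED"),
    KmsKey("ocid1.key.example.b", "backup-key", "prod-vault", "ENABLED"),
    KmsKey("ocid1.key.example.c", "legacy-key", "prod-vault", "DISABLED"),
    KmsKey("ocid1.key.example.d", "old-key", "prod-vault", "PENDING_DELETION"),
    KmsKey("ocid1.key.example.e", "edge-key", "prod-vault", "ENABLED"),
    KmsKey("ocid1.key.example.f", "orphan-key", "prod-vault", "ENABLED"),
]
SAMPLE_VERSIONS = [
    KmsKeyVersion("ocid1.key.example.a", days_ago(30)),
    KmsKeyVersion("ocid1.key.example.b", days_ago(800)),
    KmsKeyVersion("ocid1.key.example.b", days_ago(400)),   # newest version still too old
    KmsKeyVersion("ocid1.key.example.c", days_ago(10)),
    KmsKeyVersion("ocid1.key.example.d", days_ago(10)),
    KmsKeyVersion("ocid1.key.example.e", days_ago(365)),   # exactly on the boundary
    # no versions for ocid1.key.example.f
]

if __name__ == "__main__":
    for key_id, (status, reason) in evaluate_keys(SAMPLE_KEYS, SAMPLE_VERSIONS, TODAY).items():
        print(f"{status:5} {key_id}: {reason}")
```

Running the block prints one line per reported key; note that `edge-key`, whose newest version is exactly 365 days old, alarms, because the query's comparison is `<=` rather than `<`, and that `orphan-key` never appears, so a key with no version rows needs a separate check if that situation matters to you.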

Tags