diff --git a/rules/S6401/ask-yourself.adoc b/rules/S6401/ask-yourself.adoc new file mode 100644 index 0000000000..98c8191f55 --- /dev/null +++ b/rules/S6401/ask-yourself.adoc @@ -0,0 +1,4 @@ +== Ask Yourself Whether + +* The cryptographic key is a symmetric key. +* The application requires compliance with some security standards like PCI-DSS. \ No newline at end of file diff --git a/rules/S6401/description.adoc b/rules/S6401/description.adoc new file mode 100644 index 0000000000..6587e8c2d4 --- /dev/null +++ b/rules/S6401/description.adoc @@ -0,0 +1 @@ +The likelihood of security incidents increases when cryptographic keys are used for a long time. Thus, to strengthen the data protection it's recommended to rotate the symmetric keys created with the Google Cloud Key Management Service (KMS) automatically and periodically. Note that it's not possible in GCP KMS to rotate asymmetric keys automatically. \ No newline at end of file diff --git a/rules/S6401/message.adoc b/rules/S6401/message.adoc new file mode 100644 index 0000000000..dba863dd3f --- /dev/null +++ b/rules/S6401/message.adoc @@ -0,0 +1,3 @@ +=== Message + +Make sure creating a key without a rotation period is safe here. diff --git a/rules/S6401/metadata.json b/rules/S6401/metadata.json new file mode 100644 index 0000000000..613802c9b7 --- /dev/null +++ b/rules/S6401/metadata.json @@ -0,0 +1,29 @@ +{ + "title": "Creating keys without a rotation period is security-sensitive", + "type": "SECURITY_HOTSPOT", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "gcp" + ], + "defaultSeverity": "Major", + "ruleSpecification": "RSPEC-6401", + "sqKey": "S6401", + "scope": "All", + "securityStandards": { + "OWASP": [ + "A6" + ], + "OWASP Top 10 2021": [ + "A2" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" + } + \ No newline at end of file diff --git a/rules/S6401/recommended.adoc b/rules/S6401/recommended.adoc new file mode 100644 index 0000000000..ed37511e8d --- /dev/null +++ b/rules/S6401/recommended.adoc @@ -0,0 +1,3 @@ +== Recommended Secure Coding Practices + +It's recommended to rotate keys automatically and regularly. The shorter the key period, the less data can be decrypted by an attacker if a key is compromised. So the key rotation period usually depends on the amount of data encrypted with a key or other requirements such as compliance with security standards. In general, a period of time of 90 days can be used. \ No newline at end of file diff --git a/rules/S6401/see.adoc b/rules/S6401/see.adoc new file mode 100644 index 0000000000..14279514c1 --- /dev/null +++ b/rules/S6401/see.adoc @@ -0,0 +1,5 @@ +== See + +* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures +* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration +* https://cloud.google.com/kms/docs/key-rotation[GCP Documentation] - KMS Key rotation \ No newline at end of file diff --git a/rules/S6401/terraform/metadata.json b/rules/S6401/terraform/metadata.json new file mode 100644 index 0000000000..2c63c08510 --- /dev/null +++ b/rules/S6401/terraform/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S6401/terraform/rule.adoc b/rules/S6401/terraform/rule.adoc new file mode 100644 index 0000000000..5f72e6eb7e --- /dev/null +++ b/rules/S6401/terraform/rule.adoc @@ -0,0 +1,36 @@ +include::../description.adoc[] + +include::../ask-yourself.adoc[] + +include::../recommended.adoc[] + +== Sensitive Code Example +[source,terraform] +---- +resource "google_kms_crypto_key" "noncompliant-key" { # Sensitive: a rotation period is not defined + name = "crypto-key-compliant" + key_ring = google_kms_key_ring.keyring.id" +} +---- + +== Compliant Solution +[source,terraform] +---- +resource "google_kms_crypto_key" "compliant-key" { + name = "crypto-key-compliant" + key_ring = google_kms_key_ring.keyring.id + rotation_period = "7776000s" # 90 days +} +---- + +include::../see.adoc[] + +ifdef::env-github,rspecator-view[] + +''' +== Implementation Specification +(visible only on this page) + +include::../message.adoc[] + +endif::env-github,rspecator-view[]