The detection with weak evidence: AVD-AWS-0132 AWS > S3 > Encryption Customer Key

[yukihiko-shinoda]

Description

I can't understand why Trivy detects AVD-AWS-0132 as severity: HIGH.
Is Trivy's missconfiguration designing and focusing in not science and security but business and contractual risk?

AWS insists that AWS managed key is safe enough and use customer key if your business or contract rule requests:
Why rotate KMS keys? | Rotate AWS KMS keys - AWS Key Management Service

you might be required to rotate your KMS keys due to business or contract rules or government regulations

Link

• Encryption Customer Key | Vulnerability Database | Aqua Security
• S3 encryption should use Customer Managed Keys - tfsec
• Why rotate KMS keys? | Rotate AWS KMS keys - AWS Key Management Service
• AWS KMS keys - AWS Key Management Service
• Load balancer is exposed to the internet. - tfsec

Suggestions

• If severity is not appropriate, please update it.
• If Trivy insists that AWS managed key has scientifical and security risk, Trivy should concretely point out what is the risk.
  At least, I don't want to prepare for a threat that is unknown even whether it exists.
• If Trivy is pointing out business or contractual risk, please update recommended actions to let user ensure that your business or contract doesn't have regulation for controling encryption
  • Like the documentation in tfsec era:
    Load balancer is exposed to the internet. - tfsec

[simar7]

hello @yukihiko-shinoda - I think you've pointed it out correctly as to why KMS keys require rotation. Trivy's checks are also part of the commercial product and are also used in environments where regulations and compliance might be stricter than OSS. Please feel free to submit a PR to improve the docs if you still don't see it fit. Thank you.