@turbot/aws-kms

The aws-kms mod contains resource, control and policy definitions for AWS KMS service.

Version: 5.18.0
Released On: Mar 29, 2024
Release Notes

5.18.0 (2024-03-29)

What's new?

  • Users can now disable unapproved Keys in AWS. To get started, set the AWS > KMS > Key > Approved policy to Enforce: Disable unapproved.

Action Types

  • AWS > KMS > Key > Disable

5.17.1 (2024-03-27)

Bug fixes

  • In v5.13.0, we introduced the policy value Enforce: Enabled but ignore permission errors for the AWS > KMS > Key > CMDB policy, allowing the corresponding CMDB control to ignore permission errors, if any, and proceed to completion. However, configuring the CMDB policy to Enforce: Enabled but ignore permission errors inadvertently introduced a bug in which the Event Handlers removed the EventBridge rule for KMS. This issue has now been fixed.

5.17.0 (2023-10-30)

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You shouldn't notice any difference; things will continue to work as smoothly and consistently as before.

5.16.1 (2023-09-07)

Bug fixes

  • A few policy values would sometimes fail to evaluate correctly if the mod was installed on TE v5.42.1. We've fixed this issue and such policy values will now be evaluated correctly.

5.16.0 (2023-05-31)

What's new?

  • Resource metadata will now also include createdBy details in Guardrails CMDB.

5.15.2 (2022-09-28)

Bug fixes

  • The AWS > KMS > Key > Rotation control would incorrectly remain in an alarm state when key rotation was enforced on multi-region replica keys. This is fixed and the control will now move to a skipped state for such keys.

5.15.1 (2022-07-13)

Bug fixes

  • The lambda functions for certain controls/actions would re-run unnecessarily whenever the mod version was updated. This has now been fixed.

5.15.0 (2022-07-12)

What's new?

  • Users can now perform quick actions on resources to remediate cloud configuration issues or skip Guardrails alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.

Action Types

  • AWS > KMS > Key > Delete from AWS
  • AWS > KMS > Key > Set Tags
  • AWS > KMS > Key > Skip alarm for Active control
  • AWS > KMS > Key > Skip alarm for Active control [90 days]
  • AWS > KMS > Key > Skip alarm for Approved control
  • AWS > KMS > Key > Skip alarm for Approved control [90 days]
  • AWS > KMS > Key > Skip alarm for Tags control
  • AWS > KMS > Key > Skip alarm for Tags control [90 days]

5.14.0 (2022-04-25)

What's new?

  • README.md file is now available for users to check details about the resource types and service permissions that the mod covers.

Bug fixes

  • Lambda functions for controls/actions would sometimes error out due to Guardrails adding the user agent field incorrectly for repeated lambda runs. This is now fixed.

5.13.0 (2022-03-16)

What's new?

  • The AWS > KMS > Key > CMDB control would go into an error state if Guardrails did not have permissions to describe a Key. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > KMS > Key > CMDB policy to Enforce: Enabled but ignore permission errors. Please note that in such cases, any Key control dependent on the CMDB data will be set to a skipped state if the attributes required to evaluate the control are not available in the CMDB.

Bug fixes

  • We've improved the process of deleting resources from Guardrails when their CMDB policy is set to Enforce: Disabled. The CMDB controls will no longer attempt to resolve credentials via Guardrails' IAM role while deleting resources from Guardrails, which allows them to process such deletions more reliably than before.

5.12.0 (2022-01-19)

What's new?

  • Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.

Policy Types

  • AWS > KMS > Key > Approved > Custom

5.11.0 (2022-01-06)

What's new?

  • AWS/KMS/Admin, AWS/KMS/Metadata and AWS/KMS/Operator now include permissions for Custom Key Store and Data Key Pair.

5.10.0 (2021-07-28)

What's new?

  • The AWS > Turbot > Encryption > Terraform Version policy will now be set to 0.15.* by default for workspaces on TE v5.37.7 or higher. For workspaces on TE versions lower than 5.37.7, the policy will remain set to 0.11.* by default.

5.9.0 (2021-07-09)

What's new?

  • We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

Bug fixes

  • Keys deleted after their scheduled deletion period were not cleaned up automatically in Guardrails. This is now fixed.
  • The AWS > KMS > Key > Rotation control will now be skipped for keys in PendingDeletion state.
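The skip conditions that these notes describe for the Rotation control (keys in PendingDeletion state here, and multi-region replica keys in 5.15.2) can be expressed as a small evaluation over KMS key metadata. The following is an added example written for this page, not code from the @turbot/aws-kms mod; it reads constructed dictionaries shaped like kms:DescribeKey's KeyMetadata and a constructed stand-in for kms:GetKeyRotationStatus results instead of calling AWS. It goes slightly beyond the notes by also skipping AWS managed keys, non-symmetric key specs and keys with imported material, on the assumption (from the KMS service behaviour, not from this page) that automatic rotation does not apply to them; the function names and sample KeyIds are this example's own.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample metadata in the shape of kms:DescribeKey's KeyMetadata.
# KeyIds and attribute values are made up for this example.
SAMPLE_KEYS: List[dict] = [
    {"KeyId": "key-primary", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "MultiRegion": True,
     "MultiRegionConfiguration": {"MultiRegionKeyType": "PRIMARY"}},
    {"KeyId": "key-replica", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "MultiRegion": True,
     "MultiRegionConfiguration": {"MultiRegionKeyType": "REPLICA"}},
    {"KeyId": "key-pending", "KeyManager": "CUSTOMER", "KeyState": "PendingDeletion",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "MultiRegion": False},
    {"KeyId": "key-aws-s3", "KeyManager": "AWS", "KeyState": "Enabled",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "MultiRegion": False},
    {"KeyId": "key-rsa", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "KeySpec": "RSA_2048", "Origin": "AWS_KMS", "MultiRegion": False},
    {"KeyId": "key-stale", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "MultiRegion": False},
]

# Constructed stand-in for kms:GetKeyRotationStatus (KeyId -> KeyRotationEnabled).
# Only keys that the check actually needs to query appear here.
SAMPLE_ROTATION_STATUS: Dict[str, bool] = {"key-primary": True, "key-stale": False}


def skip_reason(key: dict) -> Optional[str]:
    """Return why rotation enforcement does not apply to this key, or None if it does."""
    if key.get("KeyState") == "PendingDeletion":
        # Skip condition stated in the 5.9.0 release notes.
        return "key is pending deletion"
    mr_type = key.get("MultiRegionConfiguration", {}).get("MultiRegionKeyType")
    if key.get("MultiRegion") and mr_type == "REPLICA":
        # Skip condition stated in the 5.15.2 release notes: rotation follows the primary key.
        return "multi-region replica; rotation is governed by the primary key"
    if key.get("KeyManager") == "AWS":
        # Assumption: AWS managed keys rotate on AWS's schedule and may deny the status call
        # (compare the access-denied handling described in the 5.2.1 notes).
        return "AWS managed key; rotation is handled by AWS"
    # Assumptions beyond the notes: automatic rotation is only available for symmetric keys
    # whose material was generated by KMS (not imported or held in a custom key store).
    if key.get("KeySpec") != "SYMMETRIC_DEFAULT":
        return f"key spec {key.get('KeySpec')} does not support automatic rotation"
    if key.get("Origin") != "AWS_KMS":
        return f"origin {key.get('Origin')} does not support automatic rotation"
    return None


def evaluate_rotation(key: dict, rotation_status: Dict[str, bool]) -> Tuple[str, str]:
    """Map one key to a control-style state: skipped, ok, alarm or error, plus a reason."""
    reason = skip_reason(key)
    if reason is not None:
        return ("skipped", reason)
    enabled = rotation_status.get(key["KeyId"])
    if enabled is None:
        # The status call was never made or failed; surface that rather than guessing.
        return ("error", "rotation status not available")
    if enabled:
        return ("ok", "automatic rotation is enabled")
    return ("alarm", "automatic rotation is disabled")


def evaluate_all(keys: List[dict], rotation_status: Dict[str, bool]) -> Dict[str, str]:
    """Summarise every key as KeyId -> state."""
    return {k["KeyId"]: evaluate_rotation(k, rotation_status)[0] for k in keys}


if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        state, reason = evaluate_rotation(key, SAMPLE_ROTATION_STATUS)
        print(f"{key['KeyId']:<12} {state:<8} {reason}")
```

Keeping the skip decision in its own function makes the exemptions reviewable on their own: every key that is not rotating ends in alarm only when rotation is genuinely configurable for it, and a missing status result is reported as error instead of being silently treated as either compliant or non-compliant.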

5.8.1 (2021-05-13)

Bug fixes

  • We've updated the EventBridge rule for KMS to filter out a few real-time events like kms:CreateGrant and kms:RetireGrant to reduce unnecessary noise caused by the processing of such events in Guardrails.

Policy Types

Renamed

  • AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > KMS to AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-kms

5.8.0 (2021-02-26)

What's new?

  • Users can now manage key policy statements via the AWS > KMS > Key > Policy Statements > Approved control. To get started, set the AWS > KMS > Key > Policy Statements > Approved policy and add OCL rules to the AWS > KMS > Key > Policy Statements > Approved > Rules policy to identify approved and rejected key policy statements.

Control Types

  • AWS > KMS > Key > Policy Statements
  • AWS > KMS > Key > Policy Statements > Approved

Policy Types

  • AWS > KMS > Key > Policy Statements
  • AWS > KMS > Key > Policy Statements > Approved
  • AWS > KMS > Key > Policy Statements > Approved > Rules

Action Types

  • AWS > KMS > Key > Update Key Policy Statements

5.7.0 (2021-02-22)

What's new?

  • We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.6.1 (2020-12-21)

Bug fixes

  • Controls run faster now when in the tbd and skipped states thanks to the new Guardrails Precheck feature (not to be confused with TSA PreCheck). With Guardrails Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.
  • The AWS > KMS > Key > CMDB control would go into an error state showing UnsupportedOperationException for external symmetric AWS customer managed keys in Pending import state. This is now fixed.

5.6.0 (2020-12-10)

Bug fixes

  • The AWS > Turbot > Encryption stack control failed to create Guardrails managed keys in gov cloud regions. This issue has now been fixed.

Policy Types

  • AWS > KMS > Key > Approved > Customer Master Key Spec

5.5.1 (2020-10-12)

Bug fixes

  • The AWS > KMS > Key > Rotation control would go into an error state due to a mishandled code snippet. This is now fixed and the AWS > KMS > Key > Rotation control should work smoothly.

5.5.0 (2020-10-09)

What's new?

  • We've made improvements to how Active controls interact with CMDB policies and controls for more reliable active checks. Now, if a resource's CMDB policy is set to Skip, its Active control will move to invalid to prevent the Active control from making a decision based on outdated information. Also, Active controls will now wait until the resource's CMDB control has run at least once to ensure the required data is available.

5.4.0 (2020-09-04)

What's new?

  • We've renamed the service's default regions policy from Regions [Default] to Regions to be consistent with our other regions policies.

Bug fixes

  • The Policy field for key resources is now properly and consistently sorted.

Policy Types

Renamed

  • AWS > KMS > Regions [Default] to AWS > KMS > Regions

5.3.0 (2020-08-13)

Bug fixes

  • In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.

Policy Types

  • AWS > Turbot > Encryption > Terraform Version

5.2.4 (2020-07-07)

Bug fixes

  • Sometimes when updating CMDB for resources with tags that have empty string values, e.g., [{Key: "Empty", Value: ""}, {Key: "Guardrails is great", Value: "true"}], we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.

5.2.3 (2020-06-04)

Bug fixes

  • In 5.2.0, the key's KeyArn property was accidentally removed, which broke various Encryption at Rest controls in other AWS mods, as they relied on this property to check if the correct key was being used. This property has been added back and Encryption at Rest controls now work again with KMS keys.

5.2.2 (2020-05-29)

Policy Types

Renamed

  • AWS > KMS > Key > Configured > Precedence to AWS > KMS > Key > Configured > Claim Precedence

5.2.1 (2020-05-14)

Bug fixes

  • The AWS > KMS > Key > CMDB control was not properly handling access denied errors when checking the key rotation status and tags for AWS managed keys that block these actions. This has been fixed.

5.2.0 (2020-05-07)

What's new?

  • The AWS > KMS > Regions policy default value now includes af-south-1.

Bug fixes

  • The AWS > KMS > Key > Discovery control was not finding all AWS managed keys, e.g., aws/s3, so these keys were not being created in CMDB. This has been fixed and all keys are now accounted for.

Resource Types

  • AWS > KMS > Alias

Control Types

  • AWS > KMS > Alias > Configured
  • AWS > Turbot > Encryption
  • AWS > Turbot > Encryption > KMS

Policy Types

  • AWS > KMS > Alias > Configured
  • AWS > KMS > Alias > Configured > Precedence
  • AWS > KMS > Alias > Configured > Source
  • AWS > KMS > Key > Active > Budget
  • AWS > KMS > Key > Approved > Budget
  • AWS > KMS > Tags Template [Default]
  • AWS > Turbot > Encryption
  • AWS > Turbot > Encryption > KMS
  • AWS > Turbot > Encryption > KMS > Key
  • AWS > Turbot > Encryption > KMS > Key > Alias Name Prefix
  • AWS > Turbot > Encryption > Source

Renamed

  • AWS > KMS > Key > Default Customer Managed Key to AWS > Region > KMS Key [Default]