[REVIEW] key-management: add KMS grant sprawl and rotation drift gates
Skill Being Reviewed
Skill name: key-management
Skill path: skills/cloud-security/key-management/
False Positive Analysis
The skill should not treat every active KMS grant or older key as a violation. Long-lived keys and grants can be valid for envelope encryption, legacy decrypt windows, migration cutovers, and managed-service integrations when ownership, scope, rotation plan, and last-use evidence are documented.
Benign example:
key=prod-orders-kms
rotation=enabled
active_grant=analytics-export-role
operations=Decrypt only
constraints=encryptionContextEquals app=orders
last_used=2026-07-10
owner=data-platform
expiry=2026-08-01
That is controlled temporary access, not grant sprawl by itself.
Coverage Gaps
A key-management review can miss real exposure if it checks only whether rotation is enabled and ignores grant drift.
Missed variant 1: a migration role keeps Decrypt access after the cutover, so stale workloads can still read protected data.
Missed variant 2: key rotation is enabled, but dependent grants and aliases still route old principals into new key material without reapproval.
Missed variant 3: service-managed grants are accepted blindly even when they cover wildcard operations or missing encryption-context constraints.
Edge Cases
- KMS aliases can hide which backing key is actually used by an application.
- Grant tokens and eventual consistency can make newly revoked grants appear active during short windows.
- Cross-account grants need both source and target account ownership evidence.
Remediation Quality
- Add gates for grant inventory, principal ownership, allowed operation scope, encryption-context constraints, last-use timestamp, expiry, and rotation impact review.
- Require stale-grant cleanup evidence after migrations and incident response exceptions.
- Require cross-account grant attestation from both sides before accepting residual decrypt access.
Comparison to Other Tools
Cloud posture scanners usually catch missing rotation or public policies, but they often understate grant-level drift. KMS API inventory, CloudTrail decrypt/use events, IaC policy review, and owner attestation give stronger evidence.
Overall Assessment
The key-management skill should include KMS grant sprawl and rotation drift because keys can look compliant while stale grants keep sensitive decrypt paths alive. These gates make reviews catch privilege residue without falsely rejecting documented migration windows.
Bounty Info
[REVIEW] key-management: add KMS grant sprawl and rotation drift gates
Skill Being Reviewed
Skill name:
key-managementSkill path:
skills/cloud-security/key-management/False Positive Analysis
The skill should not treat every active KMS grant or older key as a violation. Long-lived keys and grants can be valid for envelope encryption, legacy decrypt windows, migration cutovers, and managed-service integrations when ownership, scope, rotation plan, and last-use evidence are documented.
Benign example:
That is controlled temporary access, not grant sprawl by itself.
Coverage Gaps
A key-management review can miss real exposure if it checks only whether rotation is enabled and ignores grant drift.
Missed variant 1: a migration role keeps
Decryptaccess after the cutover, so stale workloads can still read protected data.Missed variant 2: key rotation is enabled, but dependent grants and aliases still route old principals into new key material without reapproval.
Missed variant 3: service-managed grants are accepted blindly even when they cover wildcard operations or missing encryption-context constraints.
Edge Cases
Remediation Quality
Comparison to Other Tools
Cloud posture scanners usually catch missing rotation or public policies, but they often understate grant-level drift. KMS API inventory, CloudTrail decrypt/use events, IaC policy review, and owner attestation give stronger evidence.
Overall Assessment
The key-management skill should include KMS grant sprawl and rotation drift because keys can look compliant while stale grants keep sensitive decrypt paths alive. These gates make reviews catch privilege residue without falsely rejecting documented migration windows.
Bounty Info
CONTRIBUTING.mdbounty terms.samik4184@gmail.com$25if accepted