Skip to content

[REVIEW] key-management: add KMS grant sprawl and rotation drift gates #3021

Description

@stmr

[REVIEW] key-management: add KMS grant sprawl and rotation drift gates

Skill Being Reviewed

Skill name: key-management
Skill path: skills/cloud-security/key-management/

False Positive Analysis

The skill should not treat every active KMS grant or older key as a violation. Long-lived keys and grants can be valid for envelope encryption, legacy decrypt windows, migration cutovers, and managed-service integrations when ownership, scope, rotation plan, and last-use evidence are documented.

Benign example:

key=prod-orders-kms
rotation=enabled
active_grant=analytics-export-role
operations=Decrypt only
constraints=encryptionContextEquals app=orders
last_used=2026-07-10
owner=data-platform
expiry=2026-08-01

That is controlled temporary access, not grant sprawl by itself.

Coverage Gaps

A key-management review can miss real exposure if it checks only whether rotation is enabled and ignores grant drift.

Missed variant 1: a migration role keeps Decrypt access after the cutover, so stale workloads can still read protected data.

Missed variant 2: key rotation is enabled, but dependent grants and aliases still route old principals into new key material without reapproval.

Missed variant 3: service-managed grants are accepted blindly even when they cover wildcard operations or missing encryption-context constraints.

Edge Cases

  • KMS aliases can hide which backing key is actually used by an application.
  • Grant tokens and eventual consistency can make newly revoked grants appear active during short windows.
  • Cross-account grants need both source and target account ownership evidence.

Remediation Quality

  • Add gates for grant inventory, principal ownership, allowed operation scope, encryption-context constraints, last-use timestamp, expiry, and rotation impact review.
  • Require stale-grant cleanup evidence after migrations and incident response exceptions.
  • Require cross-account grant attestation from both sides before accepting residual decrypt access.

Comparison to Other Tools

Cloud posture scanners usually catch missing rotation or public policies, but they often understate grant-level drift. KMS API inventory, CloudTrail decrypt/use events, IaC policy review, and owner attestation give stronger evidence.

Overall Assessment

The key-management skill should include KMS grant sprawl and rotation drift because keys can look compliant while stale grants keep sensitive decrypt paths alive. These gates make reviews catch privilege residue without falsely rejecting documented migration windows.

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms.
  • Preferred payment method: PayPal samik4184@gmail.com
  • Expected reviewer bounty: $25 if accepted

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions