Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prepare crypto/key for release candidate #672

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Prepare crypto/key for release candidate #672

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
627b601
Added features for Key Expiry, Regionality, Replication, Usage Limits…
vrabotka Feb 20, 2025
74306a8
Fixed no new line character at the end of file
vrabotka Feb 20, 2025
7eb0e2b
Fixed no new line character at the end of file
vrabotka Feb 20, 2025
40d5088
Update services/crypto/key/features.yaml
eddie-knight Feb 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions services/crypto/key/controls.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ common_controls:
- CCC.C04 # Log all access and changes
- CCC.C05 # Prevent access from untrusted entities
- CCC.C06 # Prevent deployment in restricted regions
- CCC.C10 # Prevent Data Replication to Destinations Outside of Defined Trust Perimeter
controls:
- id: CCC.KeyMgmt.C01
title: Alert when key versions are deleted or disabled
Expand Down
27 changes: 26 additions & 1 deletion services/crypto/key/features.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@
title: Soft Delete
description: |
Supports the ability to prevent the immediate deletion of a managed key. This includes the ability
recover accidental deletion of keys within a grace period.
to recover accidental deletion of keys within a grace period.
- id: CCC.KeyMgmt.F19
title: Delete Key
description: |
Expand All @@ -100,3 +100,28 @@
title: Key Import
description: |
Supports the ability to import externally generated keys into the KMS.
- id: CCC.KeyMgmt.F23
title: Key Expiry
description: |
Supports the ability to set an expiration date for a key
- id: CCC.KeyMgmt.F24
title: Key Regionality
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have a common feature CCC.F22 # Location Lock-In.
Better to have that included under common_features and remove CCC.KeyMgmt.F24

description: |
Supports the ability to limit the storage and use of a key to specific regions
- id: CCC.KeyMgmt.F25
title: Key Replication
description: |
Supports the ability to securely replicate a key across different regions
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Supports the ability to securely replicate a key across different regions
Supports the ability to securely replicate a key across different regions using automated or manual process.

- id: CCC.KeyMgmt.F26
title: Key Usage Limits
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All 3 service providers have different usage limits for keys. But do they allow it to set by the users? Can you provide some references for this capability from AWS, Azure and GCP docs?

description: |
Supports the ability to set limits on key operations
- id: CCC.KeyMgmt.F27
title: Key Permissions
description: |
Supports the ability to assign distinct permission sets to different entities for each key
- id: CCC.KeyMgmt.F28
title: Key Export
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you check whether this feature is allowed in AWS and GCP please?

description: |
Supports the ability to export keys from the KMS

Check failure on line 127 in services/crypto/key/features.yaml

View workflow job for this annotation

GitHub Actions / run-linting-check / yaml-lint 

127:3 [new-line-at-end-of-file] no new line character at the end of file

Check failure on line 127 in services/crypto/key/features.yaml

View workflow job for this annotation

GitHub Actions / run-linting-check / yaml-lint 

127:1 [trailing-spaces] trailing spaces
1 change: 1 addition & 0 deletions services/crypto/key/threats.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
common_threats:
- CCC.TH01
- CCC.TH04
threats:
- id: CCC.KeyMgmt.TH17
title: Deletion or disabling of KMS key versions leading to denial of service or data destruction
Expand Down
Loading