fix(errors): solve different errors in KMS, EFS and Lambda (#1835)

Co-authored-by: sergargar <sergargar@users.noreply.github.com>
2026-02-10 06:45:08 +00:00 · 2023-02-03 15:05:07 +01:00
parent 08376cb15e
commit 24e19e6b18
3 changed files with 19 additions and 13 deletions
--- a/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py
+++ b/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py
@@ -21,13 +21,14 @@ class awslambda_function_invoke_api_operations_cloudtrail_logging_enabled(Check)
            lambda_recorded_cloudtrail = False
            for trail in cloudtrail_client.trails:
                for data_event in trail.data_events:
-                    for resource in data_event.event_selector["DataResources"]:
-                        if (
-                            resource["Type"] == "AWS::Lambda::Function"
-                            and function.arn in resource["Values"]
-                        ):
-                            lambda_recorded_cloudtrail = True
-                            break
+                    if "DataResources" in data_event.event_selector:
+                        for resource in data_event.event_selector["DataResources"]:
+                            if (
+                                resource["Type"] == "AWS::Lambda::Function"
+                                and function.arn in resource["Values"]
+                            ):
+                                lambda_recorded_cloudtrail = True
+                                break

                    if lambda_recorded_cloudtrail:
                        break
--- a/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py
@@ -21,8 +21,12 @@ class efs_not_publicly_accessible(Check):
                for statement in fs.policy["Statement"]:
                    if statement["Effect"] == "Allow":
                        if (
-                            statement["Principal"]["AWS"] == "*"
-                            or statement["Principal"] == "*"
+                            ("Principal" in statement and statement["Principal"] == "*")
+                            or (
+                                "Principal" in statement
+                                and "AWS" in statement["Principal"]
+                                and statement["Principal"]["AWS"] == "*"
+                            )
                            or (
                                "CanonicalUser" in statement["Principal"]
                                and statement["Principal"]["CanonicalUser"] == "*"
--- a/prowler/providers/aws/services/kms/kms_service.py
+++ b/prowler/providers/aws/services/kms/kms_service.py
@@ -73,10 +73,11 @@ class KMS:
        logger.info("KMS - Get Key Rotation Status...")
        for key in self.keys:
            try:
-                regional_client = self.regional_clients[key.region]
-                key.rotation_enabled = regional_client.get_key_rotation_status(
-                    KeyId=key.id
-                )["KeyRotationEnabled"]
+                if "EXTERNAL" not in key.origin:
+                    regional_client = self.regional_clients[key.region]
+                    key.rotation_enabled = regional_client.get_key_rotation_status(
+                        KeyId=key.id
+                    )["KeyRotationEnabled"]
            except Exception as error:
                logger.error(
                    f"{regional_client.region} -- {error.__class__.__name__}:{error.__traceback__.tb_lineno} -- {error}"