diff --git a/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py b/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py
index 0c46d18d..385fc6c9 100644
--- a/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py
+++ b/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py
@@ -21,13 +21,14 @@ class awslambda_function_invoke_api_operations_cloudtrail_logging_enabled(Check)
             lambda_recorded_cloudtrail = False
             for trail in cloudtrail_client.trails:
                 for data_event in trail.data_events:
-                    for resource in data_event.event_selector["DataResources"]:
-                        if (
-                            resource["Type"] == "AWS::Lambda::Function"
-                            and function.arn in resource["Values"]
-                        ):
-                            lambda_recorded_cloudtrail = True
-                            break
+                    if "DataResources" in data_event.event_selector:
+                        for resource in data_event.event_selector["DataResources"]:
+                            if (
+                                resource["Type"] == "AWS::Lambda::Function"
+                                and function.arn in resource["Values"]
+                            ):
+                                lambda_recorded_cloudtrail = True
+                                break
                 if lambda_recorded_cloudtrail:
                     break
diff --git a/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py b/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py
index adb59b53..2b2d3437 100644
--- a/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py
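Review bot: The membership test `function.arn in resource["Values"]` on the re-indented lines treats the selector value as an exact ARN, but CloudTrail data-event selectors match on ARN prefix — a trail that logs every function with the value `arn:aws:lambda` (the documented all-functions form) would not match here, so such functions would be reported as unlogged. A prefix test, `and any(function.arn.startswith(v) for v in resource["Values"])`, follows the service's matching semantics. The new `"DataResources" in data_event.event_selector` guard stops the KeyError but silently treats any selector lacking that key — presumably trails configured with advanced event selectors — as not covering the function; a comment stating that limitation, or handling those selectors, would avoid a misleading FAIL. The enclosing execute() starts and ends outside the hunk.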
@@ -21,8 +21,12 @@ class efs_not_publicly_accessible(Check):
                 for statement in fs.policy["Statement"]:
                     if statement["Effect"] == "Allow":
                         if (
-                            statement["Principal"]["AWS"] == "*"
-                            or statement["Principal"] == "*"
+                            ("Principal" in statement and statement["Principal"] == "*")
+                            or (
+                                "Principal" in statement
+                                and "AWS" in statement["Principal"]
+                                and statement["Principal"]["AWS"] == "*"
+                            )
                             or (
                                 "CanonicalUser" in statement["Principal"]
                                 and statement["Principal"]["CanonicalUser"] == "*"
diff --git a/prowler/providers/aws/services/kms/kms_service.py b/prowler/providers/aws/services/kms/kms_service.py
index 0470c40a..1bf270ab 100644
--- a/prowler/providers/aws/services/kms/kms_service.py
+++ b/prowler/providers/aws/services/kms/kms_service.py
@@ -73,10 +73,11 @@ class KMS:
         logger.info("KMS - Get Key Rotation Status...")
         for key in self.keys:
             try:
-                regional_client = self.regional_clients[key.region]
-                key.rotation_enabled = regional_client.get_key_rotation_status(
-                    KeyId=key.id
-                )["KeyRotationEnabled"]
+                if "EXTERNAL" not in key.origin:
+                    regional_client = self.regional_clients[key.region]
+                    key.rotation_enabled = regional_client.get_key_rotation_status(
+                        KeyId=key.id
+                    )["KeyRotationEnabled"]
             except Exception as error:
                 logger.error(
                     f"{regional_client.region} -- {error.__class__.__name__}:{error.__traceback__.tb_lineno} -- {error}"
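Review bot: The third clause on the unchanged context lines, `"CanonicalUser" in statement["Principal"]`, still indexes `statement["Principal"]` without a guard, so a statement that has no `Principal` (for example one written with `NotPrincipal`) falls through the two new guarded clauses and raises the same KeyError this hunk sets out to remove. The new `AWS` clause also only recognises a bare `"*"`; a list-valued principal such as `["*"]` is treated as not public. Resolving the principal once before the condition covers both cases and drops the repeated lookups; the rewritten lines are below. An `Allow` to `*` narrowed by a `Condition` (the mount-target pattern AWS documents for EFS) is still reported as public by this logic — I can't tell from the hunk whether conditions are inspected elsewhere. execute() starts and ends outside the hunk.
```python
                for statement in fs.policy["Statement"]:
                    if statement["Effect"] == "Allow":
                        principal = statement.get("Principal", {})
                        # A bare "*" principal, or an AWS/CanonicalUser entry of "*"
                        # given as a string or inside a list, is treated as public.
                        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
                        canonical = principal.get("CanonicalUser", []) if isinstance(principal, dict) else []
                        is_public = (
                            principal == "*"
                            or "*" in ([aws] if isinstance(aws, str) else aws)
                            or "*" in ([canonical] if isinstance(canonical, str) else canonical)
                        )
                        if is_public:
                            # … unchanged: FAIL finding for the public file system …
```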
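Review bot: The `except` handler on the context lines formats `regional_client.region`, but after this change `regional_client` is bound only inside the new `if "EXTERNAL" not in key.origin:` branch; an exception raised on the `if` line itself (say `key.origin` being `None`) leaves the name unbound on the first key, or stale from a previous key, so the handler would itself raise or log the wrong region. Using the key's own region in the message, `f"{key.region} -- {error.__class__.__name__}:{error.__traceback__.tb_lineno} -- {error}"`, removes that dependency. Keys in a CloudHSM custom key store cannot be auto-rotated either, so if the API call fails for them the way it evidently does for imported material, the guard likely wants to cover `AWS_CLOUDHSM` as well, not only origins containing `EXTERNAL`. For skipped keys `rotation_enabled` keeps whatever default the model gives it — if the consuming check reads a falsy default as "rotation disabled", these keys would be flagged for a rotation they cannot have; a comment on the `if` line stating the intended outcome for skipped keys would settle that. The enclosing method starts outside the hunk.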