From 24e19e6b18b37183414ebc169bcbca6bebdb932c Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Fri, 3 Feb 2023 15:05:07 +0100
Subject: [PATCH] fix(errors): solve different errors in KMS, EFS and Lambda (#1835)
Co-authored-by: sergargar
---
 ...e_api_operations_cloudtrail_logging_enabled.py | 15 ++++++++-------
 .../efs_not_publicly_accessible.py | 8 ++++++--
 prowler/providers/aws/services/kms/kms_service.py | 9 +++++----
 3 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py b/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py
index 0c46d18d..385fc6c9 100644
--- a/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py
+++ b/prowler/providers/aws/services/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled.py
@@ -21,13 +21,14 @@ class awslambda_function_invoke_api_operations_cloudtrail_logging_enabled(Check)
 lambda_recorded_cloudtrail = False
 for trail in cloudtrail_client.trails:
 for data_event in trail.data_events:
- for resource in data_event.event_selector["DataResources"]:
- if (
- resource["Type"] == "AWS::Lambda::Function"
- and function.arn in resource["Values"]
- ):
- lambda_recorded_cloudtrail = True
- break
+ if "DataResources" in data_event.event_selector:
+ for resource in data_event.event_selector["DataResources"]:
+ if (
+ resource["Type"] == "AWS::Lambda::Function"
+ and function.arn in resource["Values"]
+ ):
+ lambda_recorded_cloudtrail = True
+ break
 if lambda_recorded_cloudtrail:
 break
diff --git a/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py b/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py
index adb59b53..2b2d3437 100644
--- a/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py
+++ b/prowler/providers/aws/services/efs/efs_not_publicly_accessible/efs_not_publicly_accessible.py
@@ -21,8 +21,12 @@ class efs_not_publicly_accessible(Check):
 for statement in fs.policy["Statement"]:
 if statement["Effect"] == "Allow":
 if (
- statement["Principal"]["AWS"] == "*"
- or statement["Principal"] == "*"
+ ("Principal" in statement and statement["Principal"] == "*")
+ or (
+ "Principal" in statement
+ and "AWS" in statement["Principal"]
+ and statement["Principal"]["AWS"] == "*"
+ )
 or (
 "CanonicalUser" in statement["Principal"]
 and statement["Principal"]["CanonicalUser"] == "*"
diff --git a/prowler/providers/aws/services/kms/kms_service.py b/prowler/providers/aws/services/kms/kms_service.py
index 0470c40a..1bf270ab 100644
--- a/prowler/providers/aws/services/kms/kms_service.py
+++ b/prowler/providers/aws/services/kms/kms_service.py
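Review bot: The added `"DataResources" in data_event.event_selector` guard turns a data event without that key from a crash into a silent "not logged" verdict, so a trail that covers the function through another selector shape is now reported as a failure rather than an error; presumably the missing key comes from trails configured with advanced event selectors, which deserves a comment such as `# Advanced event selectors carry no DataResources and are not evaluated here`. As a point of style the extra nesting is unnecessary: `for resource in data_event.event_selector.get("DataResources", []):` is equivalent to the guarded loop. The re-indented `function.arn in resource["Values"]` also requires an exact ARN entry, so a selector that names the whole service (`arn:aws:lambda`, which CloudTrail accepts to log every function) would not count as coverage if it appears in the data. The enclosing method starts and ends outside the hunk.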
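Review bot: The third branch, in the unchanged trailing lines, still indexes `statement["Principal"]` without the `"Principal" in statement` guard the two new branches gained, so a statement with no `Principal` key (for example one written with `NotPrincipal`) still raises `KeyError` at `"CanonicalUser" in statement["Principal"]`. The new `AWS` branch also matches only the bare string `"*"`; the list form `{"AWS": ["*"]}` is valid policy JSON and would be classified as not public. Reading the principal once with `.get()` and normalising the `AWS` entry to a list covers all three shapes uniformly, as sketched below. The rest of the condition and the body of the `if` lie outside the hunk, as does the start of the enclosing method.
```python
            if statement["Effect"] == "Allow":
                principal = statement.get("Principal", {})
                # "Principal" may be the bare string "*" or a dict; "AWS" may be a string or a list
                aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else []
                if isinstance(aws_principals, str):
                    aws_principals = [aws_principals]
                if (
                    principal == "*"
                    or "*" in aws_principals
                    or (
                        isinstance(principal, dict)
                        and principal.get("CanonicalUser") == "*"
                    )
                ):
                    # … unchanged: body of the if, outside the hunk …
```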
@@ -73,10 +73,11 @@ class KMS:
 logger.info("KMS - Get Key Rotation Status...")
 for key in self.keys:
 try:
- regional_client = self.regional_clients[key.region]
- key.rotation_enabled = regional_client.get_key_rotation_status(
- KeyId=key.id
- )["KeyRotationEnabled"]
+ if "EXTERNAL" not in key.origin:
+ regional_client = self.regional_clients[key.region]
+ key.rotation_enabled = regional_client.get_key_rotation_status(
+ KeyId=key.id
+ )["KeyRotationEnabled"]
 except Exception as error:
 logger.error(
 f"{regional_client.region} -- {error.__class__.__name__}:{error.__traceback__.tb_lineno} -- {error}"
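Review bot: `regional_client` is now bound only inside the new `if`, yet the `except` handler in the trailing context still formats `regional_client.region`; if the condition itself raises on the first key (a `None` `key.origin` makes `in` raise `TypeError`) the handler fails with `UnboundLocalError` and masks the original error, and on later keys it logs the region of a previous key. Using the key's own region, `f"{key.region} -- {error.__class__.__name__}:{error.__traceback__.tb_lineno} -- {error}"`, removes that dependency. The skip also leaves `key.rotation_enabled` at whatever default it has for imported-material keys, so a downstream rotation check cannot distinguish "not applicable" from "disabled"; a comment such as `# GetKeyRotationStatus is not supported for keys with imported (EXTERNAL) key material; rotation_enabled keeps its default` would make that explicit. Keys in custom key stores (origin AWS_CLOUDHSM) may be rejected by the same call and would still land in the error log, if that applies to this code path. The enclosing method starts before the hunk and the `logger.error(` call closes after it.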