From 2883de016e7010cf42adc316642dbd4393cfe198 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 22 Feb 2021 23:15:06 +0100
Subject: [PATCH] Ensure check28 only looks at symmetric keys
---
 checks/check28 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/checks/check28 b/checks/check28
index 677f732b..84863b4b 100644
--- a/checks/check28
+++ b/checks/check28
@@ -29,7 +29,7 @@ check28(){
 if [[ $CHECK_KMS_KEYLIST ]]; then
 cmk_count=0
 for key in $CHECK_KMS_KEYLIST; do
- KMSDETAILS=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --query 'KeyMetadata.{key:KeyId,man:KeyManager,origin:Origin,state:KeyState}' --output text 2>&1)
+ KMSDETAILS=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --query 'KeyMetadata.{key:KeyId,man:KeyManager,origin:Origin,spec:CustomerMasterKeySpec,state:KeyState}' --output text 2>&1 | grep SYMMETRIC)
 if [[ $(echo "$KMSDETAILS" | grep AccessDenied) ]]; then
 textFail "$regx: Key $key Access Denied describing key"
 continue
@@ -38,7 +38,7 @@ check28(){
 KEYID=$(echo $KMSDETAILS | awk '{print $1}')
 KEYMANAGER=$(echo $KMSDETAILS | awk '{print $2}')
 KEYORIGIN=$(echo $KMSDETAILS | awk '{print $3}')
- KEYSTATE=$(echo $KMSDETAILS | awk '{print $4}')
+ KEYSTATE=$(echo $KMSDETAILS | awk '{print $5}')
 if [[ "$KEYMANAGER" == "AWS" ]]; then
 continue
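Review bot: Piping the merged stdout/stderr through `grep SYMMETRIC` in the new `KMSDETAILS` assignment discards the CLI's error text, so the `grep AccessDenied` test on the following line can no longer match and a key the scanning credentials cannot describe stops producing its `textFail` finding. For asymmetric keys the same pipe leaves `KMSDETAILS` empty, and the `awk` parsing in the second hunk then runs on an empty string; whether a later branch skips those keys is not visible, because the loop body continues outside both hunks. I would leave the assignment unfiltered (ending in `--output text 2>&1)`), keep the AccessDenied check as it is, and filter on the new fourth column after it: `[[ "$(echo $KMSDETAILS | awk '{print $4}')" == SYMMETRIC* ]] || continue`. A one-line comment at that point would help the next maintainer, e.g. `# automatic rotation applies only to symmetric CMKs, so other key specs are skipped`.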