From 38df162976da788c91152257d5365b2f0f8b48df Mon Sep 17 00:00:00 2001
From: rinaudjaws <78592524+rinaudjaws@users.noreply.github.com>
Date: Wed, 18 Aug 2021 08:52:46 +0200
Subject: [PATCH] Remove KMS with conditions false positives

CDK for example implements callerAccount as a condition for the KMS policy resulting in too many false positives.
---
 checks/check_extra736 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/checks/check_extra736 b/checks/check_extra736
index 1c87be8e..725f5423 100644
--- a/checks/check_extra736
+++ b/checks/check_extra736
@@ -29,7 +29,7 @@ extra736(){
 LIST_OF_CUSTOMER_KMS_KEYS=$($AWSCLI kms list-aliases $PROFILE_OPT --region $regx --query "Aliases[].[AliasName,TargetKeyId]" --output text |grep -v ^alias/aws/ |awk '{ print $2 }')
 if [[ $LIST_OF_CUSTOMER_KMS_KEYS ]];then
 for key in $LIST_OF_CUSTOMER_KMS_KEYS; do
- CHECK_POLICY=$($AWSCLI kms get-key-policy --key-id $key --policy-name default $PROFILE_OPT --region $regx --output text|awk '/Principal/{n=NR+1} n>=NR' |grep AWS\"\ :\ \"\\*\"$)
+ CHECK_POLICY=$($AWSCLI kms get-key-policy --key-id $key --policy-name default $PROFILE_OPT --region $regx --output text| jq '.Statement[]|select(.Effect=="Allow" and (((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and .Condition == null)')
 if [[ $CHECK_POLICY ]]; then
 textFail "$regx: KMS key $key may be publicly accessible!" "$regx" "$key"
 else
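Review bot: `.Condition == null` at the end of the new jq filter turns any Condition block into a pass, so an `Allow` statement with `Principal: "*"` whose condition does not scope the caller at all (e.g. only `kms:ViaService` or `aws:SecureTransport`) is no longer reported — the CDK false positive is removed at the cost of new false negatives. It would be safer to exclude only conditions that actually restrict who the principal can be, for example replacing `.Condition == null` with `(.Condition == null or ((.Condition|tostring)|test("kms:CallerAccount|aws:Principal(Account|OrgID|Arn)|aws:SourceAccount";"i")|not))`. Also worth noting that if `jq` fails (non-JSON on stdout, or presumably a policy whose `Statement` is a single object rather than an array) its error goes to stderr while `CHECK_POLICY` stays empty, so the key is silently reported as passing; checking `${PIPESTATUS[1]}` or enabling `pipefail` around this call would surface that. extra736's body continues outside the hunk on both sides.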