Fixed extra737 now doesn't fail for keys scheduled for deletion @QuinnStevens

2026-02-10 14:55:00 +00:00 · 2020-07-31 21:33:06 +02:00
parent 4a02d54ec1 93c89530ff
commit 85efe3e342
1 changed files with 4 additions and 1 deletions
--- a/checks/check_extra737
+++ b/checks/check_extra737
@@ -24,7 +24,10 @@ extra737(){
    if [[ $LIST_OF_CUSTOMER_KMS_KEYS ]];then
      for key in $LIST_OF_CUSTOMER_KMS_KEYS; do
        CHECK_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key $PROFILE_OPT --region $regx  --output text)
-        if [[ $CHECK_ROTATION == "False" ]]; then
+        CHECK_STATUS=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --output json | jq -r '.KeyMetadata.KeyState')
+        if [[ $CHECK_STATUS == "PendingDeletion" ]]; then
+          textInfo "$regx: KMS key $key is pending deletion and cannot be rotated" "$regx"
+        elif [[ $CHECK_ROTATION == "False" ]]; then
          textFail "$regx: KMS key $key has rotation disabled!" "$regx"
        else
          textPass "$regx: KMS key $key has rotation enabled" "$regx"