Added extra736 check exposed KMS keys

checks/check_extra735

@@ -14,7 +14,7 @@ CHECK_ID_extra735="7.35"
 CHECK_TITLE_extra735="[extra735] Check if RDS instances storage is encrypted (Not Scored) (Not part of CIS benchmark)"
 CHECK_SCORED_extra735="NOT_SCORED"
 CHECK_TYPE_extra735="EXTRA"
-CHECK_ALTERNATE_check734="extra735"
+CHECK_ALTERNATE_check735="extra735"
 
 extra735(){
   textInfo "Looking for RDS Volumes in all regions...  "

checks/check_extra736

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra736="7.36"
+CHECK_TITLE_extra736="[extra736] Check exposed KMS keys (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra736="NOT_SCORED"
+CHECK_TYPE_extra736="EXTRA"
+CHECK_ALTERNATE_check736="extra736"
+
+extra736(){
+  textInfo "Looking for KMS keys in all regions...  "
+  for regx in $REGIONS; do
+    LIST_OF_CUSTOMER_KMS_KEYS=$($AWSCLI kms list-aliases $PROFILE_OPT --region $regx --output text |grep -v :alias/aws/ |awk '{ print $4 }')
+    if [[ $LIST_OF_CUSTOMER_KMS_KEYS ]];then
+      for key in $LIST_OF_CUSTOMER_KMS_KEYS; do
+        CHECK_POLICY=$($AWSCLI kms get-key-policy --key-id $key --policy-name default $PROFILE_OPT --region $regx  --output text|awk '/Principal/{n=NR+1} n>=NR' |grep AWS\"\ :\ \"\\*\"$)
+        if [[ $CHECK_POLICY ]]; then
+          textFail "$regx: KMS key $key may be publicly accessible!" "$regx"
+        else
+          textPass "$regx: KMS key $key is not exposed to Public" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No KMS keys found" "$regx"
+    fi
+  done
+}

groups/group7_extras

@@ -15,4 +15,4 @@ GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - [extras] **********************************************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736'

groups/group9_gdpr

@@ -15,7 +15,7 @@ GROUP_ID[9]='gdpr'
 GROUP_NUMBER[9]='9.0'
 GROUP_TITLE[9]='GDPR Readiness - WORK IN PROGRESS!! - [gdpr] *******************'
 GROUP_RUN_BY_DEFAULT[9]='N' # run it when execute_all is called
-GROUP_CHECKS[9]='extra718,extra725,extra727,check12,check113,check114,extra71,extra731,extra732,extra733,check25,check39,check21,check22,check23,check24,check26,check27,check35,extra726,extra714,extra715,extra717,extra719,extra720,extra721,extra722,check43,check25,extra714,extra729,extra734,extra735'
+GROUP_CHECKS[9]='extra718,extra725,extra727,check12,check113,check114,extra71,extra731,extra732,extra733,check25,check39,check21,check22,check23,check24,check26,check27,check35,extra726,extra714,extra715,extra717,extra719,extra720,extra721,extra722,check43,check25,extra714,extra729,extra734,extra735,extra736'
 
 # Resources:
 # https://d1.awsstatic.com/whitepapers/compliance/GDPR_Compliance_on_AWS.pdf