From cc31872a7fa5e715b002a252553ffa392ada22de Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Fri, 9 Jun 2023 13:06:06 +0200
Subject: [PATCH] fix(kms): check only KMS CMK tags (#2468)

---
 .../providers/aws/services/kms/kms_service.py | 23 +++++++++++--------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/prowler/providers/aws/services/kms/kms_service.py b/prowler/providers/aws/services/kms/kms_service.py
index b363ae01..816e8b5b 100644
--- a/prowler/providers/aws/services/kms/kms_service.py
+++ b/prowler/providers/aws/services/kms/kms_service.py
@@ -113,16 +113,19 @@ class KMS:
 def __list_resource_tags__(self):
 logger.info("KMS - List Tags...")
 for key in self.keys:
- try:
- regional_client = self.regional_clients[key.region]
- response = regional_client.list_resource_tags(
- KeyId=key.id,
- )["Tags"]
- key.tags = response
- except Exception as error:
- logger.error(
- f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
- )
+ if (
+ key.manager and key.manager == "CUSTOMER"
+ ): # only check customer KMS keys
+ try:
+ regional_client = self.regional_clients[key.region]
+ response = regional_client.list_resource_tags(
+ KeyId=key.id,
+ )["Tags"]
+ key.tags = response
+ except Exception as error:
+ logger.error(
+ f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+ )


 class Key(BaseModel):
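Review bot: The except branch of the re-indented try block still formats `regional_client.region`, but `regional_client` is assigned inside the try, so if `self.regional_clients[key.region]` raises, the handler logs the previous key's region, or on the first key fails with an unbound name, which would propagate out and stop tag collection for the remaining keys. Logging the key's own region avoids both: `f"{key.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"`. The guard `key.manager and key.manager == "CUSTOMER"` can be reduced to `key.manager == "CUSTOMER"`. Keys whose `manager` was never populated are now skipped without any log line, so presumably their `tags` stay at the model default; a debug log for skipped keys would make that visible when tag-based findings are reviewed. The `KMS` class body continues outside the hunk.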