From d7f4f99f154045af8f9b691d941d76a2507fb8e2 Mon Sep 17 00:00:00 2001
From: Tanner Doshier
Date: Thu, 22 Feb 2018 12:14:00 -0600
Subject: [PATCH] Improve check28

The CIS benchmarks state that only customer managed CMKs should be checked, so exclude all AWS managed CMKs, not just the one for ACM. Also fix up some formatting and dead code.
---
 prowler | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/prowler b/prowler
index d49581d6..1b6145cf 100755
--- a/prowler
+++ b/prowler
@@ -1153,26 +1153,23 @@ check28(){
 for regx in $REGIONS; do
 CHECK_KMS_KEYLIST=$($AWSCLI kms list-keys $PROFILE_OPT --region $regx --output text --query 'Keys[*].KeyId')
 if [[ $CHECK_KMS_KEYLIST ]];then
- CHECK_KMS_KEYLIST_NO_DEFAULT=$(for key in $CHECK_KMS_KEYLIST ; do $AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --output text|grep -v 'Default master key that protects my ACM private keys when no other key is defined'|awk '{ print $3 }'|awk -F'/' '{ print $2 }'; done)
+ CHECK_KMS_KEYLIST_NO_DEFAULT=$(for key in $CHECK_KMS_KEYLIST ; do $AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --output text --query 'KeyMetadata.[KeyId, KeyManager]'|grep -v 'AWS'|awk '{ print $1 }'; done)
 for key in $CHECK_KMS_KEYLIST_NO_DEFAULT; do
 CHECK_KMS_KEY_TYPE=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --query 'KeyMetadata.Origin' | sed 's/["]//g')
 if [[ "$CHECK_KMS_KEY_TYPE" == "EXTERNAL" ]];then
 textOK "Key $key in Region $regx Customer Uploaded Key Material." "$regx"
 else
 CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key $PROFILE_OPT --region $regx --output text)
- #CHECK_KMS_DEFAULT_KEY=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --query 'KeyMetadata.Description' | sed -n '/Default master key that protects my ACM private keys when no other key is defined /p'|| echo "False")
- if [[ "$CHECK_KMS_KEY_ROTATION" == "True" ]];then
- textOK "Key $key in Region $regx is set correctly"
- elif [[ "$CHECK_KMS_KEY_ROTATION" == "False" && $CHECK_KMS_DEFAULT_KEY ]];then
- textNotice "Region $regx key $key is an AWS default master key and cannot be deleted nor modified." "$regx"
- else
- textWarn "Key $key in Region $regx is not set to rotate!!!" "$regx"
- fi
+ if [[ "$CHECK_KMS_KEY_ROTATION" == "True" ]];then
+ textOK "Key $key in Region $regx is set correctly"
+ else
+ textWarn "Key $key in Region $regx is not set to rotate!!!" "$regx"
+ fi
 fi
 done
 else
- textNotice "Region $regx doesn't have encryption keys" "$regx"
+ textNotice "Region $regx doesn't have encryption keys" "$regx"
 fi
 done
 }
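Review bot: The new `CHECK_KMS_KEYLIST_NO_DEFAULT` filter uses `grep -v 'AWS'`, which discards any describe-key row containing that substring anywhere rather than testing the `KeyManager` column, so the exclusion the commit message describes (keep only keys whose `KeyManager` is `CUSTOMER`) is only implied by the shape of the data; match the field explicitly instead, `... --query 'KeyMetadata.[KeyId, KeyManager]' | awk '$2 == "CUSTOMER" { print $1 }'`, which also drops the `grep -v` stage. A key whose `describe-key` call fails (for example a per-key permission denial) prints nothing in that pipeline and so silently leaves the checked set without a finding; for a compliance check it is worth surfacing that as a notice rather than treating the key as absent. The relocated `textOK "Key $key in Region $regx is set correctly"` still omits the trailing `"$regx"` argument that the sibling `textOK` and `textWarn` calls pass, which looks like an inconsistency worth fixing while this block is being touched.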