From fa5b81b28e80aa265fcd79a96ad1a96c72b561cb Mon Sep 17 00:00:00 2001
From: Toni de la Fuente <toni.delafuente@alfresco.com>
Date: Wed, 7 Nov 2018 23:37:06 -0500
Subject: [PATCH] Added extra737 KMS keys rotation

---
 README.md             | 27 +++++++++++++++------------
 checks/check_extra737 | 36 ++++++++++++++++++++++++++++++++++++
 groups/group7_extras  |  2 +-
 3 files changed, 52 insertions(+), 13 deletions(-)
 create mode 100644 checks/check_extra737

diff --git a/README.md b/README.md
index 976f5f7b..859eea52 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ It covers hardening and security best practices for all AWS regions related to t
 - Networking (4 checks) [group4]
 - CIS Level 1 [cislevel1]
 - CIS Level 2 [cislevel2]
-- Extras (35 checks) *see Extras section* [extras]
+- Extras (37 checks) *see Extras section* [extras]
 - Forensics related group of checks [forensics-ready]
 - GDPR [gdpr] Read more [here](https://github.com/toniblyx/prowler/issues/189)
 - HIPPA [hippa]
@@ -378,7 +378,7 @@ We are adding additional checks to improve the information gather from each acco
 
 Note: Some of these checks for publicly facing resources may not actually be fully public due to other layered controls like S3 Bucket Policies, Security Groups or Network ACLs.
 
-At this moment we have 23 extra checks:
+At this moment we have 37 extra checks:
 
 - 7.1 (`extra71`) Ensure users with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
 - 7.2 (`extra72`) Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)
@@ -405,6 +405,18 @@ At this moment we have 23 extra checks:
 - 7.23 (`extra723`) Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)
 - 7.24 (`extra724`) Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)
 - 7.25 (`extra725`) Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark)
+- 7.26 (`extra726`) Check Trusted Advisor for errors and warnings (Not Scored) (Not part of CIS benchmark)
+- 7.27 (`extra727`) Check if SQS queues have policy set as Public (Not Scored) (Not part of CIS benchmark)
+- 7.28 (`extra728`) Check if SQS queues have Server Side Encryption enabled (Not Scored) (Not part of CIS benchmark)
+- 7.29 (`extra729`) Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark)
+- 7.30 (`extra730`) Check if ACM Certificates are about to expire in 7 days or less (Not Scored) (Not part of CIS benchmark)
+- 7.31 (`extra731`) Check if SNS topics have policy set as Public (Not Scored) (Not part of CIS benchmark)
+- 7.32 (`extra732`) Check if Geo restrictions are enabled in CloudFront distributions (Not Scored) (Not part of CIS benchmark)
+- 7.33 (`extra733`) Check if there are SAML Providers then STS can be used (Not Scored) (Not part of CIS benchmark)
+- 7.34 (`extra734`) Check if S3 buckets have default encryption (SSE) enabled and policy to enforce it (Not Scored) (Not part of CIS benchmark)
+- 7.35 (`extra735`) Check if RDS instances storage is encrypted (Not Scored) (Not part of CIS benchmark)
+- 7.36 (`extra736`) Check exposed KMS keys (Not Scored) (Not part of CIS benchmark)
+- 7.37 (`extra737`) Check KMS keys with key rotation disabled (Not Scored) (Not part of CIS benchmark)
 
 To check all extras in one command:
 
@@ -443,16 +455,7 @@ With this group of checks, Prowler looks if each service with logging or audit c
 - 7.23 [extra723] Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)
 - 7.24 [extra724] Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)
 - 7.25 [extra725] Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark)
-- 7.26 [extra726] Check Trusted Advisor for errors and warnings (Not Scored) (Not part of CIS benchmark)
-- 7.27 [extra727] Check if SQS queues have policy set as Public (Not Scored) (Not part of CIS benchmark)
-- 7.28 [extra728] Check if SQS queues have Server Side Encryption enabled (Not Scored) (Not part of CIS benchmark)
-- 7.29 [extra729] Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark)
-- 7.30 [extra730] Check if ACM Certificates are about to expire in 7 days or less (Not Scored) (Not part of CIS benchmark)
-- 7.31 [extra731] Check if SNS topics have policy set as Public (Not Scored) (Not part of CIS benchmark)
-- 7.32 [extra732] Check if Geo restrictions are enabled in CloudFront distributions (Not Scored) (Not part of CIS benchmark)
-- 7.33 [extra733] Check if there are SAML Providers then STS can be used (Not Scored) (Not part of CIS benchmark)
-- 7.34 [extra734] Check if S3 buckets have default encryption (SSE) enabled and policy to enforce it (Not Scored) (Not part of CIS benchmark)
-- 7.35 [extra735] Check if RDS instances storage is encrypted (Not Scored) (Not part of CIS benchmark)
+
 
 The `forensics-ready` group of checks uses existing and extra checks. To get a forensics readiness report, run this command:
 
diff --git a/checks/check_extra737 b/checks/check_extra737
new file mode 100644
index 00000000..d10a301f
--- /dev/null
+++ b/checks/check_extra737
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra737="7.37"
+CHECK_TITLE_extra737="[extra737] Check KMS keys with key rotation disabled (Not Scored) (Not part of CIS benchmark)"
+CHECK_SCORED_extra737="NOT_SCORED"
+CHECK_TYPE_extra737="EXTRA"
+CHECK_ALTERNATE_check737="extra737"
+
+extra737(){
+  textInfo "Looking for KMS keys in all regions...  "
+  for regx in $REGIONS; do
+    LIST_OF_CUSTOMER_KMS_KEYS=$($AWSCLI kms list-aliases $PROFILE_OPT --region $regx --output text |grep -v :alias/aws/ |awk '{ print $4 }')
+    if [[ $LIST_OF_CUSTOMER_KMS_KEYS ]];then
+      for key in $LIST_OF_CUSTOMER_KMS_KEYS; do
+        CHECK_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key $PROFILE_OPT --region $regx  --output text)
+        if [[ $CHECK_ROTATION == "False" ]]; then
+          textFail "$regx: KMS key $key has rotation disabled!" "$regx"
+        else
+          textPass "$regx: KMS key $key has rotation enabled" "$regx"
+        fi
+      done
+    else
+      textInfo "$regx: No KMS keys found" "$regx"
+    fi
+  done
+}
diff --git a/groups/group7_extras b/groups/group7_extras
index 0f1eb493..d38c1f27 100644
--- a/groups/group7_extras
+++ b/groups/group7_extras
@@ -15,4 +15,4 @@ GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - [extras] **********************************************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737'