#!/usr/bin/env bash # Prowler - the handy cloud security tool (c) by Toni de la Fuente # # This Prowler check is licensed under a # Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. # # You should have received a copy of the license along with this # work. If not, see . CHECK_ID_check28="2.8" CHECK_TITLE_check28="[check28] Ensure rotation for customer created CMKs is enabled (Scored)" CHECK_SCORED_check28="SCORED" CHECK_TYPE_check28="LEVEL2" CHECK_SEVERITY_check28="Medium" CHECK_ASFF_TYPE_check28="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" CHECK_ASFF_RESOURCE_TYPE_check28="AwsKmsKey" CHECK_ALTERNATE_check208="check28" check28(){ # "Ensure rotation for customer created CMKs is enabled (Scored)" for regx in $REGIONS; do CHECK_KMS_KEYLIST=$($AWSCLI kms list-keys $PROFILE_OPT --region $regx --output text --query 'Keys[*].KeyId') if [[ $CHECK_KMS_KEYLIST ]];then CHECK_KMS_KEYLIST_NO_DEFAULT=$( for key in $CHECK_KMS_KEYLIST; do $AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --query 'KeyMetadata.{key:KeyId,state:KeyState,man:KeyManager}' --output text|grep Enabled$|grep -v AWS| awk '{ print $1 }' done ) if [[ $CHECK_KMS_KEYLIST_NO_DEFAULT ]]; then for key in $CHECK_KMS_KEYLIST_NO_DEFAULT; do CHECK_KMS_KEY_TYPE=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --query 'KeyMetadata.Origin' | sed 's/["]//g') if [[ "$CHECK_KMS_KEY_TYPE" == "EXTERNAL" ]];then textPass "$regx: Key $key in Region $regx Customer Uploaded Key Material" "$regx" else CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key $PROFILE_OPT --region $regx --output text) if [[ "$CHECK_KMS_KEY_ROTATION" == "True" ]];then textPass "$regx: Key $key is set correctly" "$regx" else textFail "$regx: Key $key is not set to rotate!" "$regx" fi fi done else textInfo "$regx: This region doesn't have CUSTOM encryption keys" "$regx" fi else textInfo "$regx: This region doesn't have ANY encryption keys" "$regx" fi done }