#!/usr/bin/env bash

# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.

CHECK_ID_check28="2.8"
CHECK_TITLE_check28="[check28] Ensure rotation for customer created KMS CMKs is enabled"
CHECK_SCORED_check28="SCORED"
CHECK_CIS_LEVEL_check28="LEVEL2"
CHECK_SEVERITY_check28="Medium"
CHECK_ASFF_TYPE_check28="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
CHECK_ASFF_RESOURCE_TYPE_check28="AwsKmsKey"
CHECK_ALTERNATE_check208="check28"
CHECK_SERVICENAME_check28="kms"
CHECK_RISK_check28='Cryptographic best practices discourage extensive reuse of encryption keys. Consequently; Customer Master Keys (CMKs) should be rotated to prevent usage of compromised keys.'
CHECK_REMEDIATION_check28='For every KMS Customer Master Keys (CMKs); ensure that Rotate this key every year is enabled.'
CHECK_DOC_check28='https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html'
CHECK_CAF_EPIC_check28='Data Protection'

check28(){
  # "Ensure rotation for customer created CMKs is enabled (Scored)"
  for regx in $REGIONS; do
    CHECK_KMS_KEYLIST=$($AWSCLI kms list-keys $PROFILE_OPT --region $regx --output text --query 'Keys[*].KeyId' --output text 2>&1)
    if [[ $(echo "$CHECK_KMS_KEYLIST" | grep AccessDenied) ]]; then
      textFail "$regx: Access Denied trying to list keys" "$regx" "$key"
      continue
    fi
    if [[ $CHECK_KMS_KEYLIST ]]; then
      cmk_count=0
      for key in $CHECK_KMS_KEYLIST; do
        KMSDETAILS=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --query 'KeyMetadata.{key:KeyId,man:KeyManager,origin:Origin,spec:CustomerMasterKeySpec,state:KeyState}' --output text 2>&1 | grep SYMMETRIC)
        if [[ $(echo "$KMSDETAILS" | grep AccessDenied) ]]; then
           textFail "$regx: Key $key Access Denied describing key" "$regx" "$key"
           continue
        fi

        KEYID=$(echo $KMSDETAILS | awk '{print $1}')
        KEYMANAGER=$(echo $KMSDETAILS | awk '{print $2}')
        KEYORIGIN=$(echo $KMSDETAILS | awk '{print $3}')
        KEYSTATE=$(echo $KMSDETAILS | awk '{print $5}')

        if [[ "$KEYMANAGER" == "AWS" ]]; then
          continue
        fi
        if [[ "$KEYSTATE" != "Enabled" ]]; then
          continue
        fi
        cmk_count=$((cmk_count + 1))

        if [[ "$KEYORIGIN" == "EXTERNAL" ]]; then
          textPass "$regx: Key $key uses imported key material" "$regx" "$key"
        else
          CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key $PROFILE_OPT --region $regx --output text 2>&1)
          if [[ $(echo "$CHECK_KMS_KEY_ROTATION" | grep AccessDenied) ]]; then
            textFail "$regx: Key $key Access Denied getting key rotation status" "$regx" "$key"
            continue
          fi
          if [[ "$CHECK_KMS_KEY_ROTATION" == "True" ]];then
            textPass "$regx: Key $key automatic rotation of the key material is enabled" "$regx" "$key"
          else
            textFail "$regx: Key $key automatic rotation of the key material is disabled" "$regx" "$key"
          fi
        fi
      done
      if [[ $cmk_count == 0 ]]; then
        textInfo "$regx: This region has no customer managed keys" "$regx" "$key"
      fi
    else
      textInfo "$regx: This region has no KMS keys" "$regx" "$key"
    fi
  done
}