mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-11 15:25:10 +00:00
78 lines
3.4 KiB
Bash
78 lines
3.4 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
# Prowler - the handy cloud security tool (c) by Toni de la Fuente
|
|
#
|
|
# This Prowler check is licensed under a
|
|
# Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
|
|
#
|
|
# You should have received a copy of the license along with this
|
|
# work. If not, see <http://creativecommons.org/licenses/by-nc-sa/4.0/>.
|
|
|
|
CHECK_ID_check28="2.8"
|
|
CHECK_TITLE_check28="[check28] Ensure rotation for customer created KMS CMKs is enabled (Scored)"
|
|
CHECK_SCORED_check28="SCORED"
|
|
CHECK_TYPE_check28="LEVEL2"
|
|
CHECK_SEVERITY_check28="Medium"
|
|
CHECK_ASFF_TYPE_check28="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
|
CHECK_ASFF_RESOURCE_TYPE_check28="AwsKmsKey"
|
|
CHECK_ALTERNATE_check208="check28"
|
|
CHECK_SERVICENAME_check28="kms"
|
|
CHECK_RISK_check28='Cryptographic best practices discourage extensive reuse of encryption keys. Consequently; Customer Master Keys (CMKs) should be rotated to prevent usage of compromised keys.'
|
|
CHECK_REMEDIATION_check28='For every KMS Customer Master Keys (CMKs); ensure that Rotate this key every year is enabled.'
|
|
CHECK_DOC_check28='https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html'
|
|
CHECK_CAF_EPIC_check28='Data Protection'
|
|
|
|
check28(){
|
|
# "Ensure rotation for customer created CMKs is enabled (Scored)"
|
|
for regx in $REGIONS; do
|
|
CHECK_KMS_KEYLIST=$($AWSCLI kms list-keys $PROFILE_OPT --region $regx --output text --query 'Keys[*].KeyId' --output text 2>&1)
|
|
if [[ $(echo "$CHECK_KMS_KEYLIST" | grep AccessDenied) ]]; then
|
|
textFail "Access Denied trying to list keys in $regx"
|
|
continue
|
|
fi
|
|
if [[ $CHECK_KMS_KEYLIST ]]; then
|
|
cmk_count=0
|
|
for key in $CHECK_KMS_KEYLIST; do
|
|
KMSDETAILS=$($AWSCLI kms describe-key --key-id $key $PROFILE_OPT --region $regx --query 'KeyMetadata.{key:KeyId,man:KeyManager,origin:Origin,spec:CustomerMasterKeySpec,state:KeyState}' --output text 2>&1 | grep SYMMETRIC)
|
|
if [[ $(echo "$KMSDETAILS" | grep AccessDenied) ]]; then
|
|
textFail "$regx: Key $key Access Denied describing key"
|
|
continue
|
|
fi
|
|
|
|
KEYID=$(echo $KMSDETAILS | awk '{print $1}')
|
|
KEYMANAGER=$(echo $KMSDETAILS | awk '{print $2}')
|
|
KEYORIGIN=$(echo $KMSDETAILS | awk '{print $3}')
|
|
KEYSTATE=$(echo $KMSDETAILS | awk '{print $5}')
|
|
|
|
if [[ "$KEYMANAGER" == "AWS" ]]; then
|
|
continue
|
|
fi
|
|
if [[ "$KEYSTATE" != "Enabled" ]]; then
|
|
continue
|
|
fi
|
|
cmk_count=$((cmk_count + 1))
|
|
|
|
if [[ "$KEYORIGIN" == "EXTERNAL" ]]; then
|
|
textPass "$regx: Key $key uses imported key material"
|
|
else
|
|
CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key $PROFILE_OPT --region $regx --output text 2>&1)
|
|
if [[ $(echo "$CHECK_KMS_KEY_ROTATION" | grep AccessDenied) ]]; then
|
|
textFail "$regx: Key $key Access Denied getting key rotation status"
|
|
continue
|
|
fi
|
|
if [[ "$CHECK_KMS_KEY_ROTATION" == "True" ]];then
|
|
textPass "$regx: Key $key automatic rotation of the key material is enabled"
|
|
else
|
|
textFail "$regx: Key $key automatic rotation of the key material is disabled"
|
|
fi
|
|
fi
|
|
done
|
|
if [[ $cmk_count == 0 ]]; then
|
|
textInfo "$regx: This region has no customer managed keys"
|
|
fi
|
|
else
|
|
textInfo "$regx: This region has no KMS keys"
|
|
fi
|
|
done
|
|
}
|