Apologies for not being able to contribute more than I have! Anyway, I might have a way to clear up the KMS key checks.
First, if a customer like myself is using customer-generated key material, the following error is generated when calling get-key-rotation-status:
Here is a proposal to fix this error and clean up the other KMS key checks - I hope you like it:
check28(){
  TITLE28="$BLUE 2.8$NORMAL Ensure rotation for customer created CMKs is enabled (Scored)"
  echo -e "\n$TITLE28"
  for regx in $REGIONS; do
    CHECK_KMS_KEYLIST=$($AWSCLI kms list-keys --profile "$PROFILE" --region "$regx" --output text --query 'Keys[*].KeyId')
    if [[ $CHECK_KMS_KEYLIST ]]; then
      for key in $CHECK_KMS_KEYLIST; do
        # Origin is EXTERNAL for imported key material; get-key-rotation-status fails on those keys, so skip them
        CHECK_KMS_KEY_TYPE=$($AWSCLI kms describe-key --key-id "$key" --profile "$PROFILE" --region "$regx" --output text --query 'KeyMetadata.Origin')
        if [[ $CHECK_KMS_KEY_TYPE == "EXTERNAL" ]]; then
          echo -e " $BLUE Key $key in Region $regx Customer Uploaded Key Material.$NORMAL"
        else
          CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id "$key" --profile "$PROFILE" --region "$regx" --output text)
          # AWS default keys (alias/aws/*) carry a fixed description; they cannot be deleted or have rotation changed
          CHECK_KMS_DEFAULT_KEY=$($AWSCLI kms describe-key --key-id "$key" --profile "$PROFILE" --region "$regx" --output text --query 'KeyMetadata.Description' | sed -n '/Default master key that protects my /p')
          if [[ $CHECK_KMS_KEY_ROTATION == "True" ]]; then
            echo -e " $OK OK! Key $key in Region $regx is set correctly$NORMAL"
          elif [[ $CHECK_KMS_KEY_ROTATION == "False" && $CHECK_KMS_DEFAULT_KEY ]]; then
            echo -e " $NOTICE Region $regx key $key is an AWS default master key and cannot be deleted nor modified.$NORMAL"
          else
            echo -e " $RED WARNING! Key $key in Region $regx is not set to rotate!!!$NORMAL"
          fi
        fi
      done
    else
      echo -e " $NOTICE Region $regx doesn't have encryption keys $NORMAL"
    fi
  done
}
It is really tricky to get this to work correctly, and I might consider fine-tuning it in the future, but here is the current state for reference:
- When you create a KMS key from the AWS Management Console, an ALIAS is required.
- When you create a KMS key from the AWS CLI or CloudFormation, you cannot set an ALIAS. This makes it difficult to call kms list-aliases, since AWS CLI and CloudFormation created KMS keys will not have an ALIAS by default and will be skipped.
Ref 1: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html
Ref 2: http://docs.aws.amazon.com/cli/latest/reference/kms/create-key.html
- You can set an ALIAS from the AWS CLI after the KMS master key has been created. Although alias/aws/ is reserved by AWS, we can't really use kms list-aliases for anything useful, since neither kms get-key-rotation-status nor kms describe-key references the ALIAS.
Example of a CloudFormation generated KMS CMK:
Create an ALIAS for the CloudFormation generated KMS CMK:
Confirmed ALIAS created:
And finally, a query for AWS-generated keys only, although I don't see any easy way to use this call with Prowler:
aws kms list-aliases --region eu-west-1 --query 'Aliases[*].AliasName' | sed -n '/alias\/aws\//p'| sed 's/[",]//g'
Ref 3: http://docs.aws.amazon.com/cli/latest/reference/kms/create-alias.html
It's kind of annoying that AWS doesn't at least let us delete the default keys.
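As an added example (not part of the comment above and not Prowler's own code), here is the decision logic of the proposed check28 run over constructed describe-key and get-key-rotation-status output, so the four outcomes can be exercised offline without an AWS account. It assumes the describe-key JSON is printed one field per line, as the AWS CLI does, and that KeyMetadata.KeyManager is present in the response (current CLI versions return "AWS" for alias/aws/* keys and "CUSTOMER" otherwise); using that field avoids matching on the "Default master key that protects my ..." description string. The key IDs and descriptions are made up.

```shell
#!/usr/bin/env bash
# Added example, not Prowler's code: CIS 2.8 classification logic run over
# constructed AWS CLI output. Assumes one JSON field per line and that
# KeyMetadata.KeyManager is returned by describe-key ("AWS" or "CUSTOMER").

# Extract a top-level string field from describe-key JSON text without jq.
kms_field() {
  local json="$1" name="$2"
  printf '%s\n' "$json" | sed -n "s/^[[:space:]]*\"$name\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Decide what check 2.8 should report for one key.
#   EXTERNAL      imported key material: rotation status is not available, skip
#   AWS_MANAGED   alias/aws/* key: AWS controls rotation, cannot be changed
#   OK            customer key with automatic rotation enabled
#   NOT_ROTATING  customer key without rotation: the actual finding
classify_kms_key() {
  local describe_json="$1" rotation="$2"
  local origin manager
  origin=$(kms_field "$describe_json" Origin)
  manager=$(kms_field "$describe_json" KeyManager)
  if [ "$origin" = "EXTERNAL" ]; then
    echo EXTERNAL
  elif [ "$manager" = "AWS" ]; then
    echo AWS_MANAGED
  elif [ "$rotation" = "True" ]; then
    echo OK
  else
    echo NOT_ROTATING
  fi
}

# Constructed sample describe-key output (fake key IDs, trimmed to the fields used).
SAMPLE_CUSTOMER='{
    "KeyMetadata": {
        "KeyId": "11111111-1111-1111-1111-111111111111",
        "Description": "app signing key",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER"
    }
}'
SAMPLE_EXTERNAL='{
    "KeyMetadata": {
        "KeyId": "22222222-2222-2222-2222-222222222222",
        "Description": "imported HSM key",
        "Origin": "EXTERNAL",
        "KeyManager": "CUSTOMER"
    }
}'
SAMPLE_AWS='{
    "KeyMetadata": {
        "KeyId": "33333333-3333-3333-3333-333333333333",
        "Description": "Default master key that protects my S3 objects when no other key is defined",
        "Origin": "AWS_KMS",
        "KeyManager": "AWS"
    }
}'

# Walk the samples the way check28 walks list-keys output; second argument is
# what get-key-rotation-status --output text would print (True/False), empty
# for the imported key because that call errors out on it.
report_samples() {
  printf '%-18s %s\n' customer-rotating "$(classify_kms_key "$SAMPLE_CUSTOMER" True)"
  printf '%-18s %s\n' customer-static   "$(classify_kms_key "$SAMPLE_CUSTOMER" False)"
  printf '%-18s %s\n' imported          "$(classify_kms_key "$SAMPLE_EXTERNAL" "")"
  printf '%-18s %s\n' aws-default       "$(classify_kms_key "$SAMPLE_AWS" False)"
}
report_samples
```

To wire this into the real check, the two describe-key calls collapse into one with --query 'KeyMetadata.[Origin,KeyManager]' --output text, and only keys classified NOT_ROTATING become findings.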