Apologies for not being able to contribute more than I have! Anyway, I might have a way to clear up the KMS key checks.
First, if a customer like myself is using customer-generated key material, the following error is generated when calling get-key-rotation-status:
![image](https://cloud.githubusercontent.com/assets/10323889/21749340/63395830-d5e0-11e6-8ed7-f872030178c7.png)
Here is a proposal to fix this error and clean up the other KMS key checks - I hope you like it:
```bash
check28(){
  TITLE28="$BLUE 2.8$NORMAL Ensure rotation for customer created CMKs is enabled (Scored)"
  echo -e "\n$TITLE28"
  for regx in $REGIONS; do
    CHECK_KMS_KEYLIST=$($AWSCLI kms list-keys --profile $PROFILE --region $regx --output text --query 'Keys[*].KeyId')
    if [[ $CHECK_KMS_KEYLIST ]];then
      for key in $CHECK_KMS_KEYLIST; do
        # Origin is EXTERNAL for customer-imported key material. get-key-rotation-status
        # errors out on those keys, so look at the origin first and skip them.
        CHECK_KMS_KEY_TYPE=$($AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --output text --query 'KeyMetadata.Origin')
        if [[ $CHECK_KMS_KEY_TYPE == "EXTERNAL" ]];then
          echo -e " $BLUE Key $key in Region $regx Customer Uploaded Key Material.$NORMAL"
        else
          # With --output text the KeyRotationEnabled boolean prints as True/False
          CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key --profile $PROFILE --region $regx --output text)
          # AWS default keys (alias/aws/...) carry this description; they cannot be changed or deleted
          CHECK_KMS_DEFAULT_KEY=$($AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --output text --query 'KeyMetadata.Description' | sed -n '/Default master key that protects my /p')
          if [[ $CHECK_KMS_KEY_ROTATION == "True" ]];then
            echo -e " $OK OK! Key $key in Region $regx is set correctly$NORMAL"
          elif [[ $CHECK_KMS_KEY_ROTATION == "False" && $CHECK_KMS_DEFAULT_KEY ]];then
            echo -e " $NOTICE Region $regx key $key is an AWS default master key and cannot be deleted nor modified.$NORMAL"
          else
            echo -e " $RED WARNING! Key $key in Region $regx is not set to rotate!!!$NORMAL"
          fi
        fi
      done
    else
      echo -e " $NOTICE Region $regx doesn't have encryption keys $NORMAL"
    fi
  done
}
```
![image](https://cloud.githubusercontent.com/assets/10323889/21749428/d8928db2-d5e1-11e6-85b9-42496f72cbff.png)
It is really tricky to get this to work correctly, and I might consider fine-tuning it in the future, but here is the current state for reference:
- When you create a KMS key from the AWS Management Console, an ALIAS is required.
- When you create a KMS key from the AWS CLI or CloudFormation, you cannot set an ALIAS. This makes it difficult to call kms list-aliases, since AWS CLI and CloudFormation created KMS keys will not have an ALIAS by default and will be skipped.
Ref 1: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html
Ref 2: http://docs.aws.amazon.com/cli/latest/reference/kms/create-key.html
- You can set an ALIAS from the AWS CLI after the KMS master key has been created. Although alias/aws/ is reserved by AWS, we can't really use kms list-aliases for anything useful, since neither kms get-key-rotation-status nor kms describe-key references the ALIAS.
Example of a CloudFormation generated KMS CMK:
![image](https://cloud.githubusercontent.com/assets/10323889/21749591/16cdc3c8-d5e5-11e6-9f0f-81e5ad2775ad.png)
Create an ALIAS for the CloudFormation generated KMS CMK:
![image](https://cloud.githubusercontent.com/assets/10323889/21749682/e0d056e4-d5e6-11e6-8ca8-cd473cc10acb.png)
Confirmed ALIAS created:
![image](https://cloud.githubusercontent.com/assets/10323889/21749684/faf2d1dc-d5e6-11e6-9ea3-3b1acb016aef.png)
And finally, a query for AWS-generated keys only, although I don't see any easy way to use this call with Prowler:
```bash
aws kms list-aliases --region eu-west-1 --query 'Aliases[*].AliasName' | sed -n '/alias\/aws\//p'| sed 's/[",]//g'
```
![image](https://cloud.githubusercontent.com/assets/10323889/21749617/c3090328-d5e5-11e6-864f-0f3d8bb1a372.png)
Ref 3: http://docs.aws.amazon.com/cli/latest/reference/kms/create-alias.html
It's kind of annoying that AWS doesn't at least let us delete the default keys.
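A stand-alone, offline-runnable version of the rotation check described in the comment above, added here as an example; it is not part of the comment and not Prowler's own code. The `aws` function is a stub that stands in for the AWS CLI, and the key ids, origins and descriptions in `KMS_FIXTURE` are constructed. It goes a little beyond the proposal: it reads the `KeyManager` field of `describe-key` (AWS or CUSTOMER) to recognise AWS-managed keys instead of matching the description text, it checks `Origin` before ever calling `get-key-rotation-status` so imported key material never triggers the error, and a failed `get-key-rotation-status` call is reported as an error instead of being counted as "not rotating".

```shell
#!/bin/sh
# Added example, not Prowler's code. `aws` below is a stub for the real CLI so the
# check runs offline; every key id, origin and description here is constructed.

# Constructed inventory, one key per line: key_id|origin|key_manager|rotation|description
KMS_FIXTURE='key-cust-rot|AWS_KMS|CUSTOMER|True|Customer key with rotation enabled
key-cust-norot|AWS_KMS|CUSTOMER|False|Customer key without rotation
key-external|EXTERNAL|CUSTOMER|n/a|Customer key built from imported key material
key-aws-default|AWS_KMS|AWS|True|Default master key that protects my S3 objects when no other key is defined'

fixture_field() {  # fixture_field <key_id> <column number>
  printf '%s\n' "$KMS_FIXTURE" | grep "^$1|" | cut -d'|' -f"$2"
}

# Stub AWS CLI: understands only the calls the check makes. Like the real CLI it
# fails with a non-zero status (message constructed here) when get-key-rotation-status
# is called on a key whose material was imported (Origin EXTERNAL).
aws() {
  s_sub="$2"; shift 2
  s_key=""; s_query=""
  while [ $# -gt 0 ]; do
    case "$1" in
      --key-id) s_key="$2"; shift ;;
      --query)  s_query="$2"; shift ;;
    esac
    shift
  done
  case "$s_sub" in
    list-keys)
      printf '%s\n' "$KMS_FIXTURE" | cut -d'|' -f1 ;;
    describe-key)
      case "$s_query" in
        KeyMetadata.Origin)      fixture_field "$s_key" 2 ;;
        KeyMetadata.KeyManager)  fixture_field "$s_key" 3 ;;
        KeyMetadata.Description) fixture_field "$s_key" 5 ;;
      esac ;;
    get-key-rotation-status)
      if [ "$(fixture_field "$s_key" 2)" = "EXTERNAL" ]; then
        echo "An error occurred (UnsupportedOperationException) when calling the GetKeyRotationStatus operation" >&2
        return 255
      fi
      fixture_field "$s_key" 4 ;;
  esac
}

# The check: one line per key, worst finding first in the branch order.
kms_rotation_check() {
  for k in $(aws kms list-keys --output text --query 'Keys[*].KeyId'); do
    origin=$(aws kms describe-key --key-id "$k" --output text --query 'KeyMetadata.Origin')
    if [ "$origin" = "EXTERNAL" ]; then
      # Imported material cannot be auto-rotated; re-import is the only option.
      echo "NOTICE $k has imported key material; automatic rotation is not available"
      continue
    fi
    manager=$(aws kms describe-key --key-id "$k" --output text --query 'KeyMetadata.KeyManager')
    # Assignment takes the exit status of the command substitution, so a CLI
    # failure is detected here instead of leaking an empty value into the compare.
    if ! rotation=$(aws kms get-key-rotation-status --key-id "$k" --output text 2>/dev/null); then
      echo "ERROR $k get-key-rotation-status failed"
      continue
    fi
    if [ "$manager" = "AWS" ]; then
      echo "NOTICE $k is AWS-managed (rotation=$rotation); not customer-configurable"
    elif [ "$rotation" = "True" ]; then
      echo "OK $k rotation enabled"
    else
      echo "WARNING $k rotation disabled"
    fi
  done
}

kms_rotation_check
```

Swapping the stub for the real CLI only requires deleting the `aws` function (and adding `--profile`/`--region` as Prowler does); the classification logic stays the same, and the `if ! rotation=$(...)` pattern is what keeps the imported-material error from being misreported.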