EnableKeyRotation rule for KMS (#187)
* EnableKeyRotation rule for KMS * Format * PR Suggestions Co-authored-by: Carles Lopez <carles.lopez@skyscanner.net>
1 parent
46c8975
commit 0b46775
Showing
10 changed files
with
158 additions
and
3 deletions.
@@ -1,3 +1,3 @@ | ||
VERSION = (1, 0, 6) | ||
VERSION = (1, 0, 7) | ||
|
||
__version__ = ".".join(map(str, VERSION)) |
@@ -0,0 +1,51 @@ | ||
__all__ = ["KMSKeyEnabledKeyRotation"] | ||
|
||
import logging | ||
from typing import Dict, Optional | ||
|
||
from pycfmodel.model.cf_model import CFModel | ||
|
||
from cfripper.model.enums import RuleGranularity, RuleRisk | ||
from cfripper.model.result import Result | ||
from cfripper.rules.base_rules import Rule | ||
|
||
logger = logging.getLogger(__file__) | ||
|
||
|
||
class KMSKeyEnabledKeyRotation(Rule): | ||
""" | ||
Check if EnableKeyRotation is true for symmetric KMS keys in principals in KMS Policies. | ||
Fix: | ||
Set EnableKeyRotation to true for any symmetric KMS key. | ||
Filters context: | ||
| Parameter | Type | Description | | ||
|:-------------------:|:------------------:|:--------------------------------------------------------------:| | ||
|`config` | str | `config` variable available inside the rule | | ||
|`extras` | str | `extras` variable available inside the rule | | ||
|`logical_id` | str | ID used in Cloudformation to refer the resource being analysed | | ||
|`resource` | `KMSKey` | Resource that is being addressed | | ||
""" | ||
|
||
GRANULARITY = RuleGranularity.RESOURCE | ||
REASON = "KMS Key {} should have the key rotation enabled for symmetric keys" | ||
RISK_VALUE = RuleRisk.HIGH | ||
|
||
def invoke(self, cfmodel: CFModel, extras: Optional[Dict] = None) -> Result: | ||
result = Result() | ||
for logical_id, resource in cfmodel.resources_filtered_by_type(("AWS::KMS::Key")).items(): | ||
if not hasattr(resource, "KeySpec") or resource.Properties.get("KeySpec") == "SYMMETRIC_DEFAULT": | ||
if not hasattr(resource, "EnableKeyRotation") or resource.Properties.get("EnableKeyRotation") is False: | ||
self.add_failure_to_result( | ||
result, | ||
self.REASON.format(logical_id), | ||
resource_ids={logical_id}, | ||
context={ | ||
"config": self._config, | ||
"extras": extras, | ||
"logical_id": logical_id, | ||
"resource": resource, | ||
}, | ||
) | ||
return result |
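Review bot: The two `if` lines in `invoke` test different objects — `hasattr(resource, "KeySpec")` and `hasattr(resource, "EnableKeyRotation")` look at the resource itself, while the fallbacks on the same lines read `resource.Properties.get(...)`; if the key properties live only under `Properties` (as those `.get` calls assume) both `hasattr` calls are always false, the `.get` branches are never reached, and every `AWS::KMS::Key` is reported regardless of its `KeySpec` or `EnableKeyRotation` value, whereas if `Properties` is a pycfmodel model rather than a dict the `.get` would fail as soon as it is reached. Reading both values from one place, as below, removes that ambiguity; I have hedged with `getattr` and left a comment to switch to `.get` if `Properties` is a plain dict. Also, `("AWS::KMS::Key")` on the `for` line is a parenthesised string rather than a one-element tuple — if `resources_filtered_by_type` expects a collection it should read `("AWS::KMS::Key",)`. Finally, the docstring's "in principals in KMS Policies" does not describe a resource-property check; suggest `Check that EnableKeyRotation is true for symmetric AWS::KMS::Key resources (the only key type KMS rotates automatically).`
```python
def invoke(self, cfmodel: CFModel, extras: Optional[Dict] = None) -> Result:
    result = Result()
    for logical_id, resource in cfmodel.resources_filtered_by_type(("AWS::KMS::Key",)).items():
        # Read both values from the same object; use .get() instead if Properties is a plain dict.
        key_spec = getattr(resource.Properties, "KeySpec", None)
        rotation_enabled = getattr(resource.Properties, "EnableKeyRotation", None)
        # A missing KeySpec means the CloudFormation default (SYMMETRIC_DEFAULT);
        # a missing or explicitly false flag is a failure, matching the original intent.
        if key_spec in (None, "SYMMETRIC_DEFAULT") and (rotation_enabled is None or rotation_enabled is False):
            # … unchanged: self.add_failure_to_result(...) call with the same context …
    return result
```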
@@ -0,0 +1,50 @@ | ||
import pytest | ||
from pytest import fixture | ||
|
||
from cfripper.config.config import Config | ||
from cfripper.model.enums import RuleGranularity, RuleMode, RuleRisk | ||
from cfripper.model.result import Failure | ||
from cfripper.rules import KMSKeyEnabledKeyRotation | ||
from tests.utils import compare_lists_of_failures, get_cfmodel_from | ||
|
||
|
||
@fixture() | ||
def bad_template(): | ||
return get_cfmodel_from("rules/KMSEnabledKeyRotation/bad_template_symmetric_no_property.yaml").resolve() | ||
|
||
|
||
@pytest.mark.parametrize( | ||
"bad_template_path", | ||
[ | ||
"rules/KMSEnabledKeyRotation/bad_template_symmetric_keyspec_property.yaml", | ||
"rules/KMSEnabledKeyRotation/bad_template_symmetric_no_property.yaml", | ||
"rules/KMSEnabledKeyRotation/bad_template_symmetric_property.yaml", | ||
], | ||
) | ||
def test_failures_are_raised(bad_template_path): | ||
rule = KMSKeyEnabledKeyRotation(Config()) | ||
result = rule.invoke(get_cfmodel_from(bad_template_path).resolve()) | ||
|
||
assert not result.valid | ||
assert compare_lists_of_failures( | ||
result.failures, | ||
[ | ||
Failure( | ||
granularity=RuleGranularity.RESOURCE, | ||
reason="KMS Key KMSKey should have the key rotation enabled for symmetric keys", | ||
risk_value=RuleRisk.HIGH, | ||
rule="KMSKeyEnabledKeyRotation", | ||
rule_mode=RuleMode.BLOCKING, | ||
actions=None, | ||
resource_ids={"KMSKey"}, | ||
) | ||
], | ||
) | ||
|
||
|
||
def test_rule_supports_filter_config(bad_template, default_allow_all_config): | ||
rule = KMSKeyEnabledKeyRotation(default_allow_all_config) | ||
result = rule.invoke(bad_template) | ||
|
||
assert result.valid | ||
assert compare_lists_of_failures(result.failures, []) |
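Review bot: Every fixture in `test_failures_are_raised` is a failing template, so the rule's passing path is never exercised — there is no template with `EnableKeyRotation: true` and none with a non-symmetric `KeySpec` such as `RSA_2048`, both of which should leave `result.valid` true. As written, a rule that reported every `AWS::KMS::Key` unconditionally would pass this suite unchanged, which matters because all three bad templates exit through the same `not hasattr` branch in the rule. Suggest a second parametrised test over good templates asserting `assert result.valid` and `assert compare_lists_of_failures(result.failures, [])`; the fixture paths below are constructed names and would need matching YAML files.
```python
@pytest.mark.parametrize(
    "good_template_path",
    [
        # constructed fixture names: one symmetric key with EnableKeyRotation: true,
        # one asymmetric key (KeySpec: RSA_2048) that KMS cannot rotate automatically
        "rules/KMSEnabledKeyRotation/good_template_symmetric_rotation_enabled.yaml",
        "rules/KMSEnabledKeyRotation/good_template_asymmetric_key.yaml",
    ],
)
def test_no_failures_for_compliant_keys(good_template_path):
    rule = KMSKeyEnabledKeyRotation(Config())
    result = rule.invoke(get_cfmodel_from(good_template_path).resolve())

    assert result.valid
    assert compare_lists_of_failures(result.failures, [])
```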
16 changes: 16 additions & 0 deletions
16
...s/test_templates/rules/KMSEnabledKeyRotation/bad_template_symmetric_keyspec_property.yaml
@@ -0,0 +1,16 @@ | ||
Resources: | ||
KMSKey: | ||
Type: AWS::KMS::Key | ||
Properties: | ||
Description: An example multi-Region primary key | ||
KeySpec: SYMMETRIC_DEFAULT | ||
KeyPolicy: | ||
Version: '2012-10-17' | ||
Id: key-default-1 | ||
Statement: | ||
- Sid: Enable IAM User Permissions | ||
Effect: Allow | ||
Principal: | ||
AWS: arn:aws:iam::111122223333:root | ||
Action: kms:* | ||
Resource: '*' |
15 changes: 15 additions & 0 deletions
15
tests/test_templates/rules/KMSEnabledKeyRotation/bad_template_symmetric_no_property.yaml
@@ -0,0 +1,15 @@ | ||
Resources: | ||
KMSKey: | ||
Type: AWS::KMS::Key | ||
Properties: | ||
Description: An example multi-Region primary key | ||
KeyPolicy: | ||
Version: '2012-10-17' | ||
Id: key-default-1 | ||
Statement: | ||
- Sid: Enable IAM User Permissions | ||
Effect: Allow | ||
Principal: | ||
AWS: arn:aws:iam::111122223333:root | ||
Action: kms:* | ||
Resource: '*' |
16 changes: 16 additions & 0 deletions
16
tests/test_templates/rules/KMSEnabledKeyRotation/bad_template_symmetric_property.yaml
@@ -0,0 +1,16 @@ | ||
Resources: | ||
KMSKey: | ||
Type: AWS::KMS::Key | ||
Properties: | ||
Description: An example multi-Region primary key | ||
EnableKeyRotation: false | ||
KeyPolicy: | ||
Version: '2012-10-17' | ||
Id: key-default-1 | ||
Statement: | ||
- Sid: Enable IAM User Permissions | ||
Effect: Allow | ||
Principal: | ||
AWS: arn:aws:iam::111122223333:root | ||
Action: kms:* | ||
Resource: '*' |