Merge pull request #37 from epam/test3

new: added policy ecc-aws-572-disabled_kms_keys_removed

policies/ecc-aws-572-disabled_kms_keys_removed.yml

@@ -0,0 +1,17 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-572-disabled_kms_keys_removed
+    comment: '010002102000'
+    description: |
+      Disabled AWS KMS Customer Managed Key
+    resource: aws.kms-key
+    filters:
+      - type: value
+        key: KeyState
+        value: Disabled

terraform/ecc-aws-572-disabled_kms_keys_removed/green/kms.tf

@@ -0,0 +1,32 @@
+resource "aws_kms_key" "this" {
+  description             = "Key to encrypt and decrypt secret parameters"
+  key_usage               = "ENCRYPT_DECRYPT"
+  policy                  = data.aws_iam_policy_document.this.json
+  deletion_window_in_days = 7
+}
+
+resource "aws_kms_alias" "this" {
+  name          = "alias/k-572-green"
+  target_key_id = "${aws_kms_key.this.key_id}"
+}
+
+data "aws_caller_identity" "this" {}
+
+data "aws_iam_policy_document" "this" {
+  statement {
+    sid    = "Allow root"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${data.aws_caller_identity.this.account_id}:root",
+      ]
+    }
+    actions = [
+      "kms:*",
+    ]
+    resources = [
+      "*",
+    ]
+  }
+}

terraform/ecc-aws-572-disabled_kms_keys_removed/green/provider.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4"
+    }
+  }
+}
+
+provider "aws" {
+  profile = var.profile
+  region  = var.default-region
+
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-572-disabled_kms_keys_removed"
+      ComplianceStatus = "Green"
+    }
+  }
+}

terraform/ecc-aws-572-disabled_kms_keys_removed/green/terraform.tfvars

@@ -0,0 +1,2 @@
+profile        = "c7n"
+default-region = "us-east-1"

terraform/ecc-aws-572-disabled_kms_keys_removed/green/variables.tf

@@ -0,0 +1,9 @@
+variable "default-region" {
+  type        = string
+  description = "Default region for resources will be created"
+}
+
+variable "profile" {
+  type        = string
+  description = "Profile name configured before running apply"
+}

terraform/ecc-aws-572-disabled_kms_keys_removed/iam/572-policy.json

@@ -0,0 +1,16 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "kms:ListKeys",
+                "kms:DescribeKey",
+                "kms:ListAliases",
+                "tag:GetResources"
+            ],
+            "Resource": "*"
+        }
+    ]
+}

terraform/ecc-aws-572-disabled_kms_keys_removed/red/kms.tf

@@ -0,0 +1,33 @@
+resource "aws_kms_key" "this" {
+  description             = "Key to encrypt and decrypt secret parameters"
+  key_usage               = "ENCRYPT_DECRYPT"
+  policy                  = data.aws_iam_policy_document.this.json
+  deletion_window_in_days = 7
+  is_enabled              = false
+}
+
+resource "aws_kms_alias" "this" {
+  name          = "alias/k-572-red"
+  target_key_id = "${aws_kms_key.this.key_id}"
+}
+
+data "aws_caller_identity" "this" {}
+
+data "aws_iam_policy_document" "this" {
+  statement {
+    sid    = "Allow root"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${data.aws_caller_identity.this.account_id}:root",
+      ]
+    }
+    actions = [
+      "kms:*",
+    ]
+    resources = [
+      "*",
+    ]
+  }
+}

terraform/ecc-aws-572-disabled_kms_keys_removed/red/provider.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4"
+    }
+  }
+}
+
+provider "aws" {
+  profile = var.profile
+  region  = var.default-region
+
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-572-disabled_kms_keys_removed"
+      ComplianceStatus = "Red"
+    }
+  }
+}

terraform/ecc-aws-572-disabled_kms_keys_removed/red/terraform.tfvars

@@ -0,0 +1,2 @@
+profile        = "c7n"
+default-region = "us-east-1"

terraform/ecc-aws-572-disabled_kms_keys_removed/red/variables.tf

@@ -0,0 +1,9 @@
+variable "default-region" {
+  type        = string
+  description = "Default region for resources will be created"
+}
+
+variable "profile" {
+  type        = string
+  description = "Profile name configured before running apply"
+}

tests/ecc-aws-572-disabled_kms_keys_removed/placebo-green/kms.DescribeKey_1.json

@@ -0,0 +1,33 @@
+{
+    "status_code": 200,
+    "data": {
+        "KeyMetadata": {
+            "AWSAccountId": "111111111111",
+            "KeyId": "861f5723-3ee9-426d-b819-bb23227aaa83",
+            "Arn": "arn:aws:kms:us-east-1:111111111111:key/861f5723-3ee9-426d-b819-bb23227aaa83",
+            "CreationDate": {
+                "__class__": "datetime",
+                "year": 2023,
+                "month": 9,
+                "day": 21,
+                "hour": 9,
+                "minute": 40,
+                "second": 1,
+                "microsecond": 876000
+            },
+            "Enabled": true,
+            "Description": "Key to encrypt and decrypt secret parameters",
+            "KeyUsage": "ENCRYPT_DECRYPT",
+            "KeyState": "Enabled",
+            "Origin": "AWS_KMS",
+            "KeyManager": "CUSTOMER",
+            "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
+            "KeySpec": "SYMMETRIC_DEFAULT",
+            "EncryptionAlgorithms": [
+                "SYMMETRIC_DEFAULT"
+            ],
+            "MultiRegion": false
+        },
+        "ResponseMetadata": {}
+    }
+}

tests/ecc-aws-572-disabled_kms_keys_removed/placebo-green/kms.ListAliases_1.json

@@ -0,0 +1,34 @@
+{
+    "status_code": 200,
+    "data": {
+        "Aliases": [
+            {
+                "AliasName": "alias/k-572-green",
+                "AliasArn": "arn:aws:kms:us-east-1:111111111111:alias/k-572-green",
+                "TargetKeyId": "861f5723-3ee9-426d-b819-bb23227aaa83",
+                "CreationDate": {
+                    "__class__": "datetime",
+                    "year": 2023,
+                    "month": 9,
+                    "day": 21,
+                    "hour": 9,
+                    "minute": 40,
+                    "second": 12,
+                    "microsecond": 301000
+                },
+                "LastUpdatedDate": {
+                    "__class__": "datetime",
+                    "year": 2023,
+                    "month": 9,
+                    "day": 21,
+                    "hour": 9,
+                    "minute": 40,
+                    "second": 12,
+                    "microsecond": 301000
+                }
+            }
+        ],
+        "Truncated": false,
+        "ResponseMetadata": {}
+    }
+}

tests/ecc-aws-572-disabled_kms_keys_removed/placebo-green/kms.ListKeys_1.json

@@ -0,0 +1,13 @@
+{
+    "status_code": 200,
+    "data": {
+        "Keys": [
+            {
+                "KeyId": "861f5723-3ee9-426d-b819-bb23227aaa83",
+                "KeyArn": "arn:aws:kms:us-east-1:111111111111:key/861f5723-3ee9-426d-b819-bb23227aaa83"
+            }
+        ],
+        "Truncated": false,
+        "ResponseMetadata": {}
+    }
+}

tests/ecc-aws-572-disabled_kms_keys_removed/placebo-green/tagging.GetResources_1.json

@@ -0,0 +1,22 @@
+{
+    "status_code": 200,
+    "data": {
+        "PaginationToken": "",
+        "ResourceTagMappingList": [
+            {
+                "ResourceARN": "arn:aws:kms:us-east-1:111111111111:key/cc3f0030-0172-4cbe-b6d6-a6aa089aed29",
+                "Tags": [
+                    {
+                        "Key": "CustodianRule",
+                        "Value": "epam-aws-185-kms_key_rotation_is_enabled"
+                    },
+                    {
+                        "Key": "ComplianceStatus",
+                        "Value": "Green"
+                    }
+                ]
+            }
+        ],
+        "ResponseMetadata": {}
+    }
+}

tests/ecc-aws-572-disabled_kms_keys_removed/placebo-red/kms.DescribeKey_1.json

@@ -0,0 +1,33 @@
+{
+    "status_code": 200,
+    "data": {
+        "KeyMetadata": {
+            "AWSAccountId": "111111111111",
+            "KeyId": "6af1714f-fcf8-43df-8719-e0f0ad61618f",
+            "Arn": "arn:aws:kms:us-east-1:111111111111:key/6af1714f-fcf8-43df-8719-e0f0ad61618f",
+            "CreationDate": {
+                "__class__": "datetime",
+                "year": 2023,
+                "month": 9,
+                "day": 21,
+                "hour": 9,
+                "minute": 40,
+                "second": 24,
+                "microsecond": 551000
+            },
+            "Enabled": false,
+            "Description": "Key to encrypt and decrypt secret parameters",
+            "KeyUsage": "ENCRYPT_DECRYPT",
+            "KeyState": "Disabled",
+            "Origin": "AWS_KMS",
+            "KeyManager": "CUSTOMER",
+            "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
+            "KeySpec": "SYMMETRIC_DEFAULT",
+            "EncryptionAlgorithms": [
+                "SYMMETRIC_DEFAULT"
+            ],
+            "MultiRegion": false
+        },
+        "ResponseMetadata": {}
+    }
+}

tests/ecc-aws-572-disabled_kms_keys_removed/placebo-red/kms.ListAliases_1.json

@@ -0,0 +1,34 @@
+{
+    "status_code": 200,
+    "data": {
+        "Aliases": [
+            {
+                "AliasName": "alias/k-572-red",
+                "AliasArn": "arn:aws:kms:us-east-1:111111111111:alias/k-572-red",
+                "TargetKeyId": "6af1714f-fcf8-43df-8719-e0f0ad61618f",
+                "CreationDate": {
+                    "__class__": "datetime",
+                    "year": 2023,
+                    "month": 9,
+                    "day": 21,
+                    "hour": 9,
+                    "minute": 41,
+                    "second": 4,
+                    "microsecond": 631000
+                },
+                "LastUpdatedDate": {
+                    "__class__": "datetime",
+                    "year": 2023,
+                    "month": 9,
+                    "day": 21,
+                    "hour": 9,
+                    "minute": 41,
+                    "second": 4,
+                    "microsecond": 631000
+                }
+            }
+        ],
+        "Truncated": false,
+        "ResponseMetadata": {}
+    }
+}

tests/ecc-aws-572-disabled_kms_keys_removed/placebo-red/kms.ListKeys_1.json

@@ -0,0 +1,13 @@
+{
+    "status_code": 200,
+    "data": {
+        "Keys": [
+            {
+                "KeyId": "6af1714f-fcf8-43df-8719-e0f0ad61618f",
+                "KeyArn": "arn:aws:kms:us-east-1:111111111111:key/6af1714f-fcf8-43df-8719-e0f0ad61618f"
+            }
+        ],
+        "Truncated": false,
+        "ResponseMetadata": {}
+    }
+}

tests/ecc-aws-572-disabled_kms_keys_removed/placebo-red/tagging.GetResources_1.json

@@ -0,0 +1,22 @@
+{
+    "status_code": 200,
+    "data": {
+        "PaginationToken": "",
+        "ResourceTagMappingList": [
+            {
+                "ResourceARN": "arn:aws:kms:us-east-1:111111111111:key/6af1714f-fcf8-43df-8719-e0f0ad61618f",
+                "Tags": [
+                    {
+                        "Key": "CustodianRule",
+                        "Value": "ecc-aws-572-disabled_kms_keys_removed"
+                    },
+                    {
+                        "Key": "ComplianceStatus",
+                        "Value": "Red"
+                    }
+                ]
+            }
+        ],
+        "ResponseMetadata": {}
+    }
+}

tests/ecc-aws-572-disabled_kms_keys_removed/red_policy_test.py

@@ -0,0 +1,5 @@
+class PolicyTest(object):
+
+    def test_resources(self, base_test, resources):
+        base_test.assertEqual(len(resources), 1)
+        base_test.assertEqual(resources[0]["KeyState"], "Disabled")