diff --git a/policies/ecc-aws-572-disabled_kms_keys_removed.yml b/policies/ecc-aws-572-disabled_kms_keys_removed.yml new file mode 100644 index 000000000..675030c7d --- /dev/null +++ b/policies/ecc-aws-572-disabled_kms_keys_removed.yml @@ -0,0 +1,17 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-572-disabled_kms_keys_removed + comment: '010002102000' + description: | + Disabled AWS KMS Customer Managed Key + resource: aws.kms-key + filters: + - type: value + key: KeyState + value: Disabled diff --git a/terraform/ecc-aws-572-disabled_kms_keys_removed/green/kms.tf b/terraform/ecc-aws-572-disabled_kms_keys_removed/green/kms.tf new file mode 100644 index 000000000..d44c44318 --- /dev/null +++ b/terraform/ecc-aws-572-disabled_kms_keys_removed/green/kms.tf @@ -0,0 +1,32 @@ +resource "aws_kms_key" "this" { + description = "Key to encrypt and decrypt secret parameters" + key_usage = "ENCRYPT_DECRYPT" + policy = data.aws_iam_policy_document.this.json + deletion_window_in_days = 7 +} + +resource "aws_kms_alias" "this" { + name = "alias/k-572-green" + target_key_id = "${aws_kms_key.this.key_id}" +} + +data "aws_caller_identity" "this" {} + +data "aws_iam_policy_document" "this" { + statement { + sid = "Allow root" + effect = "Allow" + principals { + type = "AWS" + identifiers = [ + "arn:aws:iam::${data.aws_caller_identity.this.account_id}:root", + ] + } + actions = [ + "kms:*", + ] + resources = [ + "*", + ] + } +} diff --git a/terraform/ecc-aws-572-disabled_kms_keys_removed/green/provider.tf b/terraform/ecc-aws-572-disabled_kms_keys_removed/green/provider.tf new file mode 100644 index 000000000..2eb54f28a --- /dev/null +++ b/terraform/ecc-aws-572-disabled_kms_keys_removed/green/provider.tf @@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4" + } + } +} + +provider "aws" { + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-572-disabled_kms_keys_removed" + ComplianceStatus = "Green" + } + } +} diff --git a/terraform/ecc-aws-572-disabled_kms_keys_removed/green/terraform.tfvars b/terraform/ecc-aws-572-disabled_kms_keys_removed/green/terraform.tfvars new file mode 100644 index 000000000..e1e2d2fa8 --- /dev/null +++ b/terraform/ecc-aws-572-disabled_kms_keys_removed/green/terraform.tfvars @@ -0,0 +1,2 @@ +profile = "c7n" +default-region = "us-east-1" diff --git a/terraform/ecc-aws-572-disabled_kms_keys_removed/green/variables.tf b/terraform/ecc-aws-572-disabled_kms_keys_removed/green/variables.tf new file mode 100644 index 000000000..c8b410c24 --- /dev/null +++ b/terraform/ecc-aws-572-disabled_kms_keys_removed/green/variables.tf @@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} diff --git a/terraform/ecc-aws-572-disabled_kms_keys_removed/iam/572-policy.json b/terraform/ecc-aws-572-disabled_kms_keys_removed/iam/572-policy.json new file mode 100644 index 000000000..1e2588a4f --- /dev/null +++ b/terraform/ecc-aws-572-disabled_kms_keys_removed/iam/572-policy.json @@ -0,0 +1,16 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "VisualEditor0", + "Effect": "Allow", + "Action": [ + "kms:ListKeys", + "kms:DescribeKey", + "kms:ListAliases", + "tag:GetResources" + ], + "Resource": "*" + } + ] +} diff --git a/terraform/ecc-aws-572-disabled_kms_keys_removed/red/kms.tf b/terraform/ecc-aws-572-disabled_kms_keys_removed/red/kms.tf new file mode 100644 index 000000000..945cca4ab --- /dev/null +++ b/terraform/ecc-aws-572-disabled_kms_keys_removed/red/kms.tf @@ -0,0 +1,33 @@ +resource "aws_kms_key" "this" { + description = "Key to encrypt and decrypt secret parameters" + key_usage = "ENCRYPT_DECRYPT" + policy = data.aws_iam_policy_document.this.json + deletion_window_in_days = 7 + is_enabled = false +} + +resource "aws_kms_alias" "this" { + name = "alias/k-572-red" + target_key_id = "${aws_kms_key.this.key_id}" +} + +data "aws_caller_identity" "this" {} + +data "aws_iam_policy_document" "this" { + statement { + sid = "Allow root" + effect = "Allow" + principals { + type = "AWS" + identifiers = [ + "arn:aws:iam::${data.aws_caller_identity.this.account_id}:root", + ] + } + actions = [ + "kms:*", + ] + resources = [ + "*", + ] + } +} diff --git a/terraform/ecc-aws-572-disabled_kms_keys_removed/red/provider.tf b/terraform/ecc-aws-572-disabled_kms_keys_removed/red/provider.tf new file mode 100644 index 000000000..729eae49e --- /dev/null +++ b/terraform/ecc-aws-572-disabled_kms_keys_removed/red/provider.tf @@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4" + } + } +} + +provider "aws" { + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-572-disabled_kms_keys_removed" + ComplianceStatus = "Red" + } + } +} diff --git a/terraform/ecc-aws-572-disabled_kms_keys_removed/red/terraform.tfvars b/terraform/ecc-aws-572-disabled_kms_keys_removed/red/terraform.tfvars new file mode 100644 index 000000000..e1e2d2fa8 --- /dev/null +++ b/terraform/ecc-aws-572-disabled_kms_keys_removed/red/terraform.tfvars @@ -0,0 +1,2 @@ +profile = "c7n" +default-region = "us-east-1" diff --git a/terraform/ecc-aws-572-disabled_kms_keys_removed/red/variables.tf b/terraform/ecc-aws-572-disabled_kms_keys_removed/red/variables.tf new file mode 100644 index 000000000..c8b410c24 --- /dev/null +++ b/terraform/ecc-aws-572-disabled_kms_keys_removed/red/variables.tf @@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} diff --git a/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-green/kms.DescribeKey_1.json b/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-green/kms.DescribeKey_1.json new file mode 100644 index 000000000..4f4036e23 --- /dev/null +++ b/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-green/kms.DescribeKey_1.json @@ -0,0 +1,33 @@ +{ + "status_code": 200, + "data": { + "KeyMetadata": { + "AWSAccountId": "111111111111", + "KeyId": "861f5723-3ee9-426d-b819-bb23227aaa83", + "Arn": "arn:aws:kms:us-east-1:111111111111:key/861f5723-3ee9-426d-b819-bb23227aaa83", + "CreationDate": { + "__class__": "datetime", + "year": 2023, + "month": 9, + "day": 21, + "hour": 9, + "minute": 40, + "second": 1, + "microsecond": 876000 + }, + "Enabled": true, + "Description": "Key to encrypt and decrypt secret parameters", + "KeyUsage": "ENCRYPT_DECRYPT", + "KeyState": "Enabled", + "Origin": "AWS_KMS", + "KeyManager": "CUSTOMER", + "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", + "KeySpec": "SYMMETRIC_DEFAULT", + "EncryptionAlgorithms": [ + "SYMMETRIC_DEFAULT" + ], + "MultiRegion": false + }, + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-green/kms.ListAliases_1.json b/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-green/kms.ListAliases_1.json new file mode 100644 index 000000000..1255d8386 --- /dev/null +++ b/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-green/kms.ListAliases_1.json @@ -0,0 +1,34 @@ +{ + "status_code": 200, + "data": { + "Aliases": [ + { + "AliasName": "alias/k-572-green", + "AliasArn": "arn:aws:kms:us-east-1:111111111111:alias/k-572-green", + "TargetKeyId": "861f5723-3ee9-426d-b819-bb23227aaa83", + "CreationDate": { + "__class__": "datetime", + "year": 2023, + "month": 9, + "day": 21, + "hour": 9, + "minute": 40, + "second": 12, + "microsecond": 301000 + }, + "LastUpdatedDate": { + "__class__": "datetime", + "year": 2023, + "month": 9, + "day": 21, + "hour": 9, + "minute": 40, + "second": 12, + "microsecond": 301000 + } + } + ], + "Truncated": false, + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-green/kms.ListKeys_1.json b/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-green/kms.ListKeys_1.json new file mode 100644 index 000000000..21cca410b --- /dev/null +++ b/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-green/kms.ListKeys_1.json @@ -0,0 +1,13 @@ +{ + "status_code": 200, + "data": { + "Keys": [ + { + "KeyId": "861f5723-3ee9-426d-b819-bb23227aaa83", + "KeyArn": "arn:aws:kms:us-east-1:111111111111:key/861f5723-3ee9-426d-b819-bb23227aaa83" + } + ], + "Truncated": false, + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-green/tagging.GetResources_1.json b/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-green/tagging.GetResources_1.json new file mode 100644 index 000000000..d5cc2da52 --- /dev/null +++ b/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-green/tagging.GetResources_1.json @@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "PaginationToken": "", + "ResourceTagMappingList": [ + { + "ResourceARN": "arn:aws:kms:us-east-1:111111111111:key/cc3f0030-0172-4cbe-b6d6-a6aa089aed29", + "Tags": [ + { + "Key": "CustodianRule", + "Value": "epam-aws-185-kms_key_rotation_is_enabled" + }, + { + "Key": "ComplianceStatus", + "Value": "Green" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-red/kms.DescribeKey_1.json b/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-red/kms.DescribeKey_1.json new file mode 100644 index 000000000..4147954dd --- /dev/null +++ b/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-red/kms.DescribeKey_1.json @@ -0,0 +1,33 @@ +{ + "status_code": 200, + "data": { + "KeyMetadata": { + "AWSAccountId": "111111111111", + "KeyId": "6af1714f-fcf8-43df-8719-e0f0ad61618f", + "Arn": "arn:aws:kms:us-east-1:111111111111:key/6af1714f-fcf8-43df-8719-e0f0ad61618f", + "CreationDate": { + "__class__": "datetime", + "year": 2023, + "month": 9, + "day": 21, + "hour": 9, + "minute": 40, + "second": 24, + "microsecond": 551000 + }, + "Enabled": false, + "Description": "Key to encrypt and decrypt secret parameters", + "KeyUsage": "ENCRYPT_DECRYPT", + "KeyState": "Disabled", + "Origin": "AWS_KMS", + "KeyManager": "CUSTOMER", + "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", + "KeySpec": "SYMMETRIC_DEFAULT", + "EncryptionAlgorithms": [ + "SYMMETRIC_DEFAULT" + ], + "MultiRegion": false + }, + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-red/kms.ListAliases_1.json b/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-red/kms.ListAliases_1.json new file mode 100644 index 000000000..52e2e26d2 --- /dev/null +++ b/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-red/kms.ListAliases_1.json @@ -0,0 +1,34 @@ +{ + "status_code": 200, + "data": { + "Aliases": [ + { + "AliasName": "alias/k-572-red", + "AliasArn": "arn:aws:kms:us-east-1:111111111111:alias/k-572-red", + "TargetKeyId": "6af1714f-fcf8-43df-8719-e0f0ad61618f", + "CreationDate": { + "__class__": "datetime", + "year": 2023, + "month": 9, + "day": 21, + "hour": 9, + "minute": 41, + "second": 4, + "microsecond": 631000 + }, + "LastUpdatedDate": { + "__class__": "datetime", + "year": 2023, + "month": 9, + "day": 21, + "hour": 9, + "minute": 41, + "second": 4, + "microsecond": 631000 + } + } + ], + "Truncated": false, + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-red/kms.ListKeys_1.json b/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-red/kms.ListKeys_1.json new file mode 100644 index 000000000..e90174745 --- /dev/null +++ b/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-red/kms.ListKeys_1.json @@ -0,0 +1,13 @@ +{ + "status_code": 200, + "data": { + "Keys": [ + { + "KeyId": "6af1714f-fcf8-43df-8719-e0f0ad61618f", + "KeyArn": "arn:aws:kms:us-east-1:111111111111:key/6af1714f-fcf8-43df-8719-e0f0ad61618f" + } + ], + "Truncated": false, + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-red/tagging.GetResources_1.json b/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-red/tagging.GetResources_1.json new file mode 100644 index 000000000..343d41054 --- /dev/null +++ b/tests/ecc-aws-572-disabled_kms_keys_removed/placebo-red/tagging.GetResources_1.json @@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "PaginationToken": "", + "ResourceTagMappingList": [ + { + "ResourceARN": "arn:aws:kms:us-east-1:111111111111:key/6af1714f-fcf8-43df-8719-e0f0ad61618f", + "Tags": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-572-disabled_kms_keys_removed" + }, + { + "Key": "ComplianceStatus", + "Value": "Red" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-572-disabled_kms_keys_removed/red_policy_test.py b/tests/ecc-aws-572-disabled_kms_keys_removed/red_policy_test.py new file mode 100644 index 000000000..c736b8361 --- /dev/null +++ b/tests/ecc-aws-572-disabled_kms_keys_removed/red_policy_test.py @@ -0,0 +1,5 @@ +class PolicyTest(object): + + def test_resources(self, base_test, resources): + base_test.assertEqual(len(resources), 1) + base_test.assertEqual(resources[0]["KeyState"], "Disabled") diff --git a/version b/version index d3827e75a..cd5ac039d 100644 --- a/version +++ b/version @@ -1 +1 @@ -1.0 +2.0