Merge branch 'master' of github.com:cloudsploit/scans
matthewdfuller committed Mar 31, 2018
2 parents 6054194 + eb943c6 commit 1e166a8
Showing 4 changed files with 128 additions and 1 deletion.
7 changes: 6 additions & 1 deletion collect.js
Expand Up @@ -190,7 +190,7 @@ var calls = {
KMS: {
listKeys: {
property: 'Keys'
}
},
},
Lambda: {
listFunctions: {
Expand Down Expand Up @@ -364,6 +364,11 @@ var postcalls = [
reliesOnCall: 'listKeys',
filterKey: 'KeyId',
filterValue: 'KeyId'
},
getKeyPolicy: {
reliesOnService: 'kms',
reliesOnCall: 'listKeys',
override: true
}
},
SES: {
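--- a/collectors/kms/getKeyPolicy.js
+++ b/collectors/kms/getKeyPolicy.js
@@ -0,0 +1,30 @@
+var AWS = require('aws-sdk');
+var async = require('async');
+
+module.exports = function(AWSConfig, collection, callback) {
+var kms = new AWS.KMS(AWSConfig);
+
+async.eachLimit(collection.kms.listKeys[AWSConfig.region].data, 15, function(key, cb){
+collection.kms.getKeyPolicy[AWSConfig.region][key.KeyId] = {};
+
+// Check for the multiple subnets in that single key
+var params = {
+// The identifier of the CMK whose key policy you want to retrieve.
+// You can use the key ID or the Amazon Resource Name (ARN) of the CMK.
+KeyId: key.KeyId,
+// The name of the key policy to retrieve.
+PolicyName: "default"
+};
+kms.getKeyPolicy(params, function(err, data) {
+if (err) {
+collection.kms.getKeyPolicy[AWSConfig.region][key.KeyId].err = err;
+}
+// convert the data to json object
+var policyData = JSON.parse(data.Policy);
+collection.kms.getKeyPolicy[AWSConfig.region][key.KeyId].data = policyData;
+cb();
+});
+}, function(){
+callback();
+});
+};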
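Review bot: The callback passed to `kms.getKeyPolicy` still runs `JSON.parse(data.Policy)` after recording `err`, and on an API error the SDK hands back a null `data`, so a single AccessDenied or throttled key aborts the whole collector with a TypeError thrown inside the SDK callback rather than leaving an `.err` entry for the plugin to report; `JSON.parse` can also throw on its own if the policy document is malformed. Record the error and return before parsing, and wrap the parse so a bad document is stored as an error instead of crashing the run. The `// Check for the multiple subnets in that single key` comment looks copy-pasted from another collector and should read `// Fetch the key's resource policy; 'default' is the only policy name KMS accepts`. The collector also assumes `collection.kms.getKeyPolicy[AWSConfig.region]` has been created by the caller and that `collection.kms.listKeys[AWSConfig.region].data` is an array — if listKeys failed for that region, `.data` would presumably be undefined and `eachLimit` would throw, so that case may need a guard as well.
```javascript
kms.getKeyPolicy(params, function(err, data) {
    if (err || !data || !data.Policy) {
        collection.kms.getKeyPolicy[AWSConfig.region][key.KeyId].err = err || new Error('No policy returned for key');
        return cb();
    }
    try {
        // the policy document is returned as a JSON string
        collection.kms.getKeyPolicy[AWSConfig.region][key.KeyId].data = JSON.parse(data.Policy);
    } catch (parseErr) {
        collection.kms.getKeyPolicy[AWSConfig.region][key.KeyId].err = parseErr;
    }
    cb();
});
```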
1 change: 1 addition & 0 deletions exports.js
Expand Up @@ -82,6 +82,7 @@ module.exports = {

'kmsKeyRotation' : require(__dirname + '/plugins/kms/kmsKeyRotation.js'),
'kmsScheduledDeletion' : require(__dirname + '/plugins/kms/kmsScheduledDeletion.js'),
'kmsKeyPolicy' : require(__dirname + '/plugins/kms/kmsKeyPolicy.js'),

'rdsAutomatedBackups' : require(__dirname + '/plugins/rds/rdsAutomatedBackups.js'),
'rdsEncryptionEnabled' : require(__dirname + '/plugins/rds/rdsEncryptionEnabled.js'),
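--- a/plugins/kms/kmsKeyPolicy.js
+++ b/plugins/kms/kmsKeyPolicy.js
@@ -0,0 +1,91 @@
+var async = require('async');
+var helpers = require('../../helpers');
+module.exports = {
+title: 'KMS Key Policy',
+category: 'KMS',
+description: 'Detects KMS keys that are scheduled for deletion',
+more_info: 'Detects KMS Keys policy for users',
+recommended_action: '',
+link: 'https://docs.aws.amazon.com/kms/latest/developerguide/overview.html',
+apis: ['KMS:listKeys', 'STS:getCallerIdentity', 'KMS:getKeyPolicy'],
+
+run: function(cache, settings, callback) {
+var results = [];
+var source = {};
+var accountId = helpers.addSource(cache, source, ['sts', 'getCallerIdentity', 'us-east-1', 'data']);
+const maxUserCount = 10;
+const const_wildcard = '*'
+
+async.each(helpers.regions.kms, function(region, rcb){
+var listKeys = helpers.addSource(cache, source,
+['kms', 'listKeys', region]);
+
+if (!listKeys) return rcb();
+
+if (listKeys.err || !listKeys.data){
+helpers.addResult(results, 3,
+'Unable to list KMS keys: ' + helpers.addError(listKeys), region);
+return rcb();
+}
+
+if (!listKeys.data.length){
+helpers.addResult(results, 0, 'No KMS keys found', region);
+return rcb();
+}
+
+async.each(listKeys.data, function(kmsKey, kcb){
+
+var getKeyPolicy = helpers.addSource(cache, source,
+['kms', 'getKeyPolicy', region, kmsKey.KeyId]);
+
+if (!getKeyPolicy || getKeyPolicy.err || !getKeyPolicy.data){
+helpers.addResult(results, 3,
+'Unable to get key policy: ' + helpers.addError(describeKey),
+region, kmsKey.KeyArn);
+return kcb();
+}
+var found = false;
+
+for(stmnt of getKeyPolicy.data.Statement){
+allowed_users = stmnt.Principal.AWS;
+switch(allowed_users.constructor.name){
+case 'String':
+// if it is string then it have only has only one user
+// check if account id is same or not if not raise warning
+if (allowed_users.indexOf(accountId) == -1){
+found = true;
+helpers.addResult(results, 1, 'User account doesn\'t match', region, kmsKey.KeyArn);
+}
+break;
+case 'Array':
+// if it is an array
+// first check for if it has more the max user
+if (allowed_users.length > maxUserCount){
+found = true;
+helpers.addResult(results, 1, 'Key has more than '+ maxUserCount +
+' users', region, kmsKey.KeyArn);
+}
+// the loop through it and check for same user
+for (iam_arn of allowed_users) {
+if (iam_arn.indexOf(accountId) == -1){
+found = true;
+helpers.addResult(results, 1, 'User account doesn\'t match', region, kmsKey.KeyArn);
+}
+}
+break;
+default:
+helpers.addResult(results, 3, 'Unable to parse getKeyPolicy', region);
+}
+}
+if (!found){
+helpers.addResult(results, 0, 'Principal are trusted', region, kmsKey.KeyArn);
+}
+kcb();
+}, function(){
+rcb();
+});
+}, function(){
+callback(null, results, source);
+});
+}
+};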
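Review bot: The statement loop reads `stmnt.Principal.AWS` and then `allowed_users.constructor.name`, so any statement whose `Principal` is the bare string `"*"` or carries only `Service`/`Federated` entries leaves `allowed_users` undefined and the plugin throws a TypeError for that key; the `const_wildcard` constant is declared but never used, so the grant that matters most — a key policy that allows any AWS principal — is never reported as such, and `Effect` is not checked, so a `Deny` listing foreign accounts is flagged as untrusted exactly like an `Allow`. In the error branch above the loop, `helpers.addError(describeKey)` names an identifier that does not exist in this file and will raise a ReferenceError the first time a policy lookup fails; it should be `helpers.addError(getKeyPolicy)`. `stmnt`, `allowed_users` and `iam_arn` are assigned without `var`/`let` and become implicit globals, and the plugin metadata is copied from kmsScheduledDeletion — `description` should say something like `'Ensures KMS key policies only grant access to principals within the account'` and `recommended_action` should not be empty. The `indexOf(accountId)` comparison assumes the STS collector stores the bare account id string at that cache path rather than the full getCallerIdentity object; that should be confirmed against collect.js, since an object there would make every principal match-fail.
```javascript
// … unchanged: region/key lookups, error branch (with helpers.addError(getKeyPolicy)) …
var found = false;
var statements = getKeyPolicy.data.Statement || [];
for (var stmnt of statements) {
    // Deny statements never widen access; only Allow grants need review
    if (stmnt.Effect !== 'Allow' || !stmnt.Principal) continue;
    var principal = stmnt.Principal;
    var allowed_users = principal === const_wildcard ? const_wildcard : principal.AWS;
    // Service- or Federated-only principals are out of scope for this check
    if (allowed_users === undefined) continue;
    if (typeof allowed_users === 'string') allowed_users = [allowed_users];
    if (!Array.isArray(allowed_users)) {
        helpers.addResult(results, 3, 'Unable to parse getKeyPolicy', region, kmsKey.KeyArn);
        continue;
    }
    if (allowed_users.indexOf(const_wildcard) > -1) {
        found = true;
        helpers.addResult(results, 2, 'Key policy allows any AWS principal (*)', region, kmsKey.KeyArn);
    }
    if (allowed_users.length > maxUserCount) {
        found = true;
        helpers.addResult(results, 1, 'Key has more than ' + maxUserCount + ' users', region, kmsKey.KeyArn);
    }
    for (var iam_arn of allowed_users) {
        if (iam_arn !== const_wildcard && iam_arn.indexOf(accountId) == -1) {
            found = true;
            helpers.addResult(results, 1, 'User account doesn\'t match', region, kmsKey.KeyArn);
        }
    }
}
// … unchanged: "Principal are trusted" result and callbacks …
```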
