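def test_check_for_kms_policy_with_foreign_account_no_condition(self):
    """A key policy that grants a foreign account access without a Condition yields one issue.

    ``key_no_condition`` is a module-level fixture defined outside this
    listing; presumably its policy statement carries no ``Condition`` block
    (confirm against the fixture).  The auditor is scoped to
    ``unittestaccount`` so the fixture's principal is treated as foreign.
    """
    # NOTE(review): a method with this exact name is defined again further
    # down in this class; under unittest the later definition shadows this one.
    auditor = KMSAuditor(accounts=['unittestaccount'])
    item = KMSMasterKey(
        arn='arn:aws:kms:us-east-1:123456789123:key/key_id',
        config=key_no_condition,
    )
    # No issues before the check runs.
    self.assertEqual(len(item.audit_issues), 0)
    auditor.check_for_kms_policy_with_foreign_account(item)
    # assertEquals is a deprecated alias of assertEqual (removed in Python 3.12).
    self.assertEqual(len(item.audit_issues), 1)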
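def test_check_for_kms_policy_with_foreign_account_no_condition(self):
    """A key policy that grants a foreign account access without a Condition yields one issue.

    ``key_no_condition`` is a module-level fixture defined outside this
    listing; presumably its policy statement carries no ``Condition`` block
    (confirm against the fixture).  The auditor is scoped to
    ``unittestaccount`` so the fixture's principal is treated as foreign.
    """
    # NOTE(review): a method with this exact name is defined earlier in this
    # class; this later definition is the one unittest actually runs.
    auditor = KMSAuditor(accounts=['unittestaccount'])
    item = KMSMasterKey(
        arn='arn:aws:kms:us-east-1:123456789123:key/key_id',
        config=key_no_condition,
    )
    # No issues before the check runs.
    self.assertEqual(len(item.audit_issues), 0)
    auditor.check_for_kms_policy_with_foreign_account(item)
    # assertEquals is a deprecated alias of assertEqual (removed in Python 3.12).
    self.assertEqual(len(item.audit_issues), 1)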
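def test_check_root_cross_account(self):
    """Granting a friendly account's root principal access scores 6.

    Account 222222222222 is seeded by ``pre_test_setup`` as
    TEST_ACCOUNT_TWO with ``third_party=False``; its ``:root`` principal is
    substituted into the first policy statement of a copy of ``key0`` and the
    check is expected to raise exactly one issue with score 6.
    """
    # NOTE(review): a method with this exact name is defined again further
    # down in this class; under unittest the later definition shadows this one.
    auditor = KMSAuditor(accounts=['TEST_ACCOUNT'])
    auditor.prep_for_audit()

    # deepcopy so the shared key0 fixture is not mutated for other tests.
    key0_friendly_cross_account = deepcopy(key0)
    key0_friendly_cross_account['Policies'][0]['Statement'][0]['Principal']['AWS'] = (
        'arn:aws:iam::222222222222:root'
    )

    item = KMSMasterKey(
        account='TEST_ACCOUNT',
        arn='arn:aws:kms:us-east-1:123456789123:key/key_id',
        config=key0_friendly_cross_account,
    )
    auditor.check_root_cross_account(item)

    # assertEquals is a deprecated alias of assertEqual (removed in Python 3.12).
    self.assertEqual(len(item.audit_issues), 1)
    self.assertEqual(item.audit_issues[0].score, 6)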
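def test_check_for_kms_key_rotation(self):
    """Key rotation check: ``key0`` passes, ``key1`` yields one issue of score 1.

    Both configs are module-level fixtures defined outside this listing;
    presumably ``key1`` has rotation disabled and ``key0`` has it enabled
    (confirm against the fixtures).
    """
    # NOTE(review): a method with this exact name is defined again further
    # down in this class; under unittest the later definition shadows this one.
    auditor = KMSAuditor(accounts=['unittestaccount'])

    # Rotation enabled (expected): no issue.
    item = KMSMasterKey(
        arn=ARN_PREFIX + ':kms:' + AWS_DEFAULT_REGION + ':123456789123:key/key_id',
        config=key0,
    )
    auditor.check_for_kms_key_rotation(item)
    # assertEquals is a deprecated alias of assertEqual (removed in Python 3.12).
    self.assertEqual(len(item.audit_issues), 0)

    # Rotation not enabled (expected): one low-severity issue.
    item = KMSMasterKey(
        arn='arn:aws:kms:us-east-1:123456789123:key/key_id',
        config=key1,
    )
    auditor.check_for_kms_key_rotation(item)
    self.assertEqual(len(item.audit_issues), 1)
    self.assertEqual(item.audit_issues[0].score, 1)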
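def test_check_internet_accessible(self):
    """Internet-accessible key policy scores 10; pinning the principal to a role clears it.

    ``key0`` is a module-level fixture defined outside this listing;
    presumably its first statement's principal is open to anyone (confirm
    against the fixture).  Replacing that principal with a specific IAM role
    ARN in the same account is expected to remove the finding entirely.
    """
    # NOTE(review): a method with this exact name is defined again further
    # down in this class; under unittest the later definition shadows this one.
    auditor = KMSAuditor(accounts=['TEST_ACCOUNT'])

    # Make sure it detects an internet accessible policy
    item = KMSMasterKey(
        arn=ARN_PREFIX + ':kms:' + AWS_DEFAULT_REGION + ':123456789123:key/key_id',
        config=key0,
    )
    auditor.check_internet_accessible(item)
    # assertEquals is a deprecated alias of assertEqual (removed in Python 3.12).
    self.assertEqual(len(item.audit_issues), 1)
    self.assertEqual(item.audit_issues[0].score, 10)

    # Copy of key0, but not internet accessible (deepcopy keeps the fixture intact)
    key0_fixed = deepcopy(key0)
    key0_fixed['Policies'][0]['Statement'][0]['Principal']['AWS'] = (
        'arn:aws:iam::123456789123:role/SomeRole'
    )
    item = KMSMasterKey(
        arn='arn:aws:kms:us-east-1:123456789123:key/key_id',
        config=key0_fixed,
    )
    auditor.check_internet_accessible(item)
    self.assertEqual(len(item.audit_issues), 0)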
def test_check_root_cross_account(self):
    """Granting a friendly account's root principal access scores 6.

    Account 222222222222 is seeded by ``pre_test_setup`` as
    TEST_ACCOUNT_TWO with ``third_party=False``.  Its ``:root`` principal is
    swapped into the first policy statement of a copy of ``key0``; the check
    must produce exactly one issue with score 6.
    """
    auditor = KMSAuditor(accounts=['TEST_ACCOUNT'])
    auditor.prep_for_audit()

    friendly_root_principal = 'arn:aws:iam::222222222222:root'
    key_arn = 'arn:aws:kms:us-east-1:123456789123:key/key_id'

    # Work on a copy so the shared key0 fixture stays untouched.
    cross_account_config = deepcopy(key0)
    first_statement = cross_account_config['Policies'][0]['Statement'][0]
    first_statement['Principal']['AWS'] = friendly_root_principal

    key_item = KMSMasterKey(
        account='TEST_ACCOUNT',
        arn=key_arn,
        config=cross_account_config,
    )
    auditor.check_root_cross_account(key_item)

    issues = key_item.audit_issues
    self.assertEqual(len(issues), 1)
    self.assertEqual(issues[0].score, 6)
def test_check_for_kms_key_rotation(self):
    """Key rotation check: ``key0`` passes, ``key1`` yields one issue of score 1.

    Both configs are module-level fixtures defined outside this listing;
    presumably ``key1`` has rotation disabled and ``key0`` has it enabled
    (confirm against the fixtures).
    """
    auditor = KMSAuditor(accounts=['unittestaccount'])

    # Compliant fixture: the check adds nothing.
    region_arn = ':'.join(
        [ARN_PREFIX, 'kms', AWS_DEFAULT_REGION, '123456789123', 'key/key_id']
    )
    compliant_key = KMSMasterKey(arn=region_arn, config=key0)
    auditor.check_for_kms_key_rotation(compliant_key)
    self.assertEqual(len(compliant_key.audit_issues), 0)

    # Non-compliant fixture: exactly one issue, lowest severity.
    static_arn = 'arn:aws:kms:us-east-1:123456789123:key/key_id'
    unrotated_key = KMSMasterKey(arn=static_arn, config=key1)
    auditor.check_for_kms_key_rotation(unrotated_key)
    self.assertEqual(len(unrotated_key.audit_issues), 1)
    self.assertEqual(unrotated_key.audit_issues[0].score, 1)
def pre_test_setup(self):
    """Seed the test database with one account type and three accounts.

    Clears the auditor's shared ``OBJECT_STORE`` first (presumably so state
    does not carry over between tests), commits an ``AWS`` account type,
    then commits three accounts under it: the audited account
    (123456789123), a friendly one (222222222222) and a third-party one
    (333333333333).
    """
    KMSAuditor(accounts=['TEST_ACCOUNT']).OBJECT_STORE.clear()

    aws_account_type = AccountType(name='AWS')
    db.session.add(aws_account_type)
    db.session.commit()

    # (identifier, name, third_party); the name is reused as the notes field.
    account_specs = (
        ("123456789123", "TEST_ACCOUNT", False),       # main
        ("222222222222", "TEST_ACCOUNT_TWO", False),   # friendly
        ("333333333333", "TEST_ACCOUNT_THREE", True),  # third party
    )
    for identifier, name, is_third_party in account_specs:
        db.session.add(Account(
            identifier=identifier,
            name=name,
            account_type_id=aws_account_type.id,
            notes=name,
            third_party=is_third_party,
            active=True,
        ))
    db.session.commit()
def test_check_internet_accessible(self):
    """Internet-accessible key policy scores 10; pinning the principal to a role clears it.

    ``key0`` is a module-level fixture defined outside this listing;
    presumably its first statement's principal is open to anyone (confirm
    against the fixture).  Replacing that principal with a specific IAM role
    ARN in the same account must remove the finding entirely.
    """
    auditor = KMSAuditor(accounts=['TEST_ACCOUNT'])

    # Open policy: one finding at the top score.
    region_arn = ':'.join(
        [ARN_PREFIX, 'kms', AWS_DEFAULT_REGION, '123456789123', 'key/key_id']
    )
    open_key = KMSMasterKey(arn=region_arn, config=key0)
    auditor.check_internet_accessible(open_key)
    self.assertEqual(len(open_key.audit_issues), 1)
    self.assertEqual(open_key.audit_issues[0].score, 10)

    # Same policy with the principal narrowed to one role: no finding.
    restricted_config = deepcopy(key0)
    first_statement = restricted_config['Policies'][0]['Statement'][0]
    first_statement['Principal']['AWS'] = 'arn:aws:iam::123456789123:role/SomeRole'
    restricted_key = KMSMasterKey(
        arn='arn:aws:kms:us-east-1:123456789123:key/key_id',
        config=restricted_config,
    )
    auditor.check_internet_accessible(restricted_key)
    self.assertEqual(len(restricted_key.audit_issues), 0)