 def test_scenario_1_disabled_status(self):
     """Disabled customer-managed CMK evaluates as NOT_APPLICABLE.

     describe_key is mocked to report ``Enabled: False`` on a
     ``CUSTOMER``-managed key, and the single expected evaluation is
     NOT_APPLICABLE for ``alias/testkey`` annotated
     ``CMK alias/testkey is disabled``.  get_key_policy is not mocked in
     this test, so presumably the rule never fetches the key policy for a
     disabled key -- confirm against rule.lambda_handler.
     """
     rule_parameters = (
         '{"CMK_Whitelist" : "Otter*", "Admin_User_Id" : "AROAOTTER*"}'
     )
     key_metadata = {
         "KeyId": "000041d6-1111-2222-3333-4444560c5555",
         "KeyManager": "CUSTOMER",
         "Enabled": False,
     }
     KMS_CLIENT_MOCK.list_aliases = MagicMock(return_value=self.list_aliases)
     KMS_CLIENT_MOCK.describe_key = MagicMock(
         return_value={"KeyMetadata": key_metadata})
     event = build_lambda_scheduled_event(rule_parameters=rule_parameters)
     response = rule.lambda_handler(event, {})
     print(response)
     expected = [
         build_expected_response(
             'NOT_APPLICABLE',
             'alias/testkey',
             annotation='CMK alias/testkey is disabled',
         )
     ]
     assert_successful_evaluation(self, response, expected)
 def test_scenario_no_conditions(self):
     """Key policy without a Condition block evaluates as NON_COMPLIANT.

     The CMK is enabled and customer-managed, and its policy grants
     ``kms:Encrypt``, ``kms:Create*``, ``kms:Delete*`` and ``kms:Put*``
     with ``has_condition=False``.  The rule is expected to flag the
     missing ``StringLike`` / ``aws:userId`` condition -- the annotation
     string below spells out exactly which condition it looks for.
     """
     rule_parameters = (
         '{"CMK_Whitelist" : "Otter*", "Admin_User_Id" : "AROAOTTER*"}'
     )
     key_metadata = {
         "KeyId": "000041d6-1111-2222-3333-4444560c5555",
         "KeyManager": "CUSTOMER",
         "Enabled": True,
     }
     KMS_CLIENT_MOCK.list_aliases = MagicMock(return_value=self.list_aliases)
     KMS_CLIENT_MOCK.describe_key = MagicMock(
         return_value={"KeyMetadata": key_metadata})
     # Same action set as the separation-of-duties scenario, but with no
     # Condition element at all.
     policy_doc = build_policy_doc(
         actions=["kms:Encrypt", "kms:Create*", "kms:Delete*", "kms:Put*"],
         has_condition=False,
     )
     KMS_CLIENT_MOCK.get_key_policy = MagicMock(
         return_value=build_policy_response(policy_doc))
     event = build_lambda_scheduled_event(rule_parameters=rule_parameters)
     response = rule.lambda_handler(event, {})
     print(response)
     expected = [
         build_expected_response(
             'NON_COMPLIANT',
             'alias/testkey',
             annotation=(
                 'Policy does not have Condition: '
                 '{"StringLike": {"aws:userId": *}'
             ),
         )
     ]
     assert_successful_evaluation(self, response, expected)
 def test_scenario_3_kms_star_in_policy(self):
     """Key policy granting ``kms:*`` evaluates as NON_COMPLIANT.

     The CMK is enabled, customer-managed, and its alias (``alias/testkey``)
     does not match the ``Otter*`` whitelist, so a statement with a wildcard
     KMS action is reported as open permissions on a non-whitelisted key.
     """
     rule_parameters = (
         '{"CMK_Whitelist" : "Otter*", "Admin_User_Id" : "AROAOTTER*"}'
     )
     key_metadata = {
         "KeyId": "000041d6-1111-2222-3333-4444560c5555",
         "KeyManager": "CUSTOMER",
         "Enabled": True,
     }
     KMS_CLIENT_MOCK.list_aliases = MagicMock(return_value=self.list_aliases)
     KMS_CLIENT_MOCK.describe_key = MagicMock(
         return_value={"KeyMetadata": key_metadata})
     # A bare "kms:*" action (string, not list) is the open-permissions case.
     policy_doc = build_policy_doc(actions="kms:*")
     KMS_CLIENT_MOCK.get_key_policy = MagicMock(
         return_value=build_policy_response(policy_doc))
     event = build_lambda_scheduled_event(rule_parameters=rule_parameters)
     response = rule.lambda_handler(event, {})
     print(response)
     expected = [
         build_expected_response(
             'NON_COMPLIANT',
             'alias/testkey',
             annotation=(
                 'in Key Policy for alias/testkey, statement does have open '
                 'KMS permissions and CMK is not whitelisted'
             ),
         )
     ]
     assert_successful_evaluation(self, response, expected)
 def test_scenario_8_admin_role_in_whitelist_no_sep_of_duty(self):
     """Whitelisted admin principal but no separation of duties -> NON_COMPLIANT.

     The policy statement grants both usage (``kms:Encrypt``) and
     administrative (``kms:Create*``, ``kms:Delete*``, ``kms:Put*``) actions
     to user id ``AROAOTTERFGJHZSLLMNZP``, which falls under the
     ``Admin_User_Id`` pattern ``AROAOTTER*``.  The CMK alias itself is not
     whitelisted, so a whitelisted admin identity alone is not enough: the
     rule still reports the missing separation of duties.
     """
     rule_parameters = (
         '{"CMK_Whitelist" : "Otter*", "Admin_User_Id" : "AROAOTTER*"}'
     )
     key_metadata = {
         "KeyId": "000041d6-1111-2222-3333-4444560c5555",
         "KeyManager": "CUSTOMER",
         "Enabled": True,
     }
     KMS_CLIENT_MOCK.list_aliases = MagicMock(return_value=self.list_aliases)
     KMS_CLIENT_MOCK.describe_key = MagicMock(
         return_value={"KeyMetadata": key_metadata})
     # Mixed usage + admin actions on one statement, bound to a principal
     # that matches the Admin_User_Id whitelist.
     policy_doc = build_policy_doc(
         actions=["kms:Encrypt", "kms:Create*", "kms:Delete*", "kms:Put*"],
         userid='AROAOTTERFGJHZSLLMNZP',
     )
     KMS_CLIENT_MOCK.get_key_policy = MagicMock(
         return_value=build_policy_response(policy_doc))
     event = build_lambda_scheduled_event(rule_parameters=rule_parameters)
     response = rule.lambda_handler(event, {})
     print(response)
     expected = [
         build_expected_response(
             'NON_COMPLIANT',
             'alias/testkey',
             annotation=(
                 'In Key Policy for alias/testkey, statement does not have '
                 'separation of duties, CMK is not whitelisted, and user id '
                 'is whitelisted'
             ),
         )
     ]
     assert_successful_evaluation(self, response, expected)
 def test_scenario_2_cmk_in_whitelist(self):
     """CMK whose alias is in ``CMK_Whitelist`` evaluates as COMPLIANT.

     list_aliases is mocked inline (instead of ``self.list_aliases``) so the
     alias name is ``alias/Otter*``; neither describe_key nor get_key_policy
     is mocked here, so presumably the whitelist check short-circuits before
     the key or its policy is inspected -- confirm against
     rule.lambda_handler.

     NOTE(review): the alias name contains a literal ``*``, so this passes
     whether the rule matches ``Otter*`` as a glob or by plain string
     comparison.  A realistic alias such as ``alias/OtterKey`` would
     exercise the wildcard path; worth confirming there is a scenario for it.
     """
     rule_parameters = (
         '{"CMK_Whitelist" : "Otter*", "Admin_User_Id" : "AROAOTTER*"}'
     )
     whitelisted_alias = {
         "AliasName": "alias/Otter*",
         "AliasArn": "arn:aws:kms:us-east-1:01234567890:alias/testkey",
         "TargetKeyId": "000041d6-1111-2222-3333-4444560c5555",
     }
     KMS_CLIENT_MOCK.list_aliases = MagicMock(
         return_value={"Aliases": [whitelisted_alias]})
     event = build_lambda_scheduled_event(rule_parameters=rule_parameters)
     response = rule.lambda_handler(event, {})
     print(response)
     expected = [
         build_expected_response(
             'COMPLIANT',
             'alias/Otter*',
             annotation=(
                 'CMK alias/Otter* is in whitelist for CMK Key Policy check'
             ),
         )
     ]
     assert_successful_evaluation(self, response, expected)