def test_check_for_kms_key_rotation(self):
        auditor = KMSAuditor(accounts=['unittestaccount'])
        item = KMSMasterKey(arn=ARN_PREFIX + ':kms:' + AWS_DEFAULT_REGION + ':123456789123:key/key_id',
                            config=key0)

        auditor.check_for_kms_key_rotation(item)
        self.assertEqual(len(item.audit_issues), 0)

        item = KMSMasterKey(arn='arn:aws:kms:us-east-1:123456789123:key/key_id',
                            config=key1)

        auditor.check_for_kms_key_rotation(item)

        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].score, 1)
Exemplo n.º 2
0
    def test_check_for_kms_policy_with_foreign_account_no_condition(self):
        auditor = KMSAuditor(accounts=['unittestaccount'])
        item = KMSMasterKey(
            arn='arn:aws:kms:us-east-1:123456789123:key/key_id',
            config=key_no_condition)

        self.assertEquals(len(item.audit_issues), 0)
        auditor.check_for_kms_policy_with_foreign_account(item)
        self.assertEquals(len(item.audit_issues), 1)
    def test_check_internet_accessible(self):
        auditor = KMSAuditor(accounts=['TEST_ACCOUNT'])

        # Make sure it detects an internet accessible policy
        item = KMSMasterKey(
            arn=ARN_PREFIX + ':kms:' + AWS_DEFAULT_REGION + ':123456789123:key/key_id',
            config=key0)
        auditor.check_internet_accessible(item)

        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].score, 10)

        # Copy of key0, but not internet accessible
        key0_fixed = deepcopy(key0)
        key0_fixed['Policies'][0]['Statement'][0]['Principal']['AWS'] \
            = 'arn:aws:iam::123456789123:role/SomeRole'
        item = KMSMasterKey(
            arn='arn:aws:kms:us-east-1:123456789123:key/key_id',
            config=key0_fixed)
        auditor.check_internet_accessible(item)
        self.assertEqual(len(item.audit_issues), 0)
    def test_check_root_cross_account(self):
        auditor = KMSAuditor(accounts=['TEST_ACCOUNT'])
        auditor.prep_for_audit()

        key0_friendly_cross_account = deepcopy(key0)
        key0_friendly_cross_account['Policies'][0]['Statement'][0]['Principal']['AWS'] \
            = 'arn:aws:iam::222222222222:root'
        item = KMSMasterKey(
            account='TEST_ACCOUNT',
            arn='arn:aws:kms:us-east-1:123456789123:key/key_id',
            config=key0_friendly_cross_account)
        auditor.check_root_cross_account(item)
        self.assertEqual(len(item.audit_issues), 1)
        self.assertEqual(item.audit_issues[0].score, 6)