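def test_scenario_1_disabled_status(self):
    """A disabled customer-managed CMK is reported as NOT_APPLICABLE.

    The alias list comes from ``self.list_aliases``; ``describe_key`` is
    mocked to return a CUSTOMER-managed key with ``Enabled`` set to False.
    The rule is expected to skip the key-policy checks entirely and emit
    a single NOT_APPLICABLE evaluation for ``alias/testkey`` whose
    annotation states that the CMK is disabled.
    """
    rule_params = (
        "{\"CMK_Whitelist\" : \"Otter*\", \"Admin_User_Id\" : \"AROAOTTER*\"}"
    )
    KMS_CLIENT_MOCK.list_aliases = MagicMock(return_value=self.list_aliases)
    # Only the key's enabled state matters for this scenario; the policy
    # mocks are deliberately left untouched so the test fails loudly if the
    # rule ever evaluates the policy of a disabled key.
    KMS_CLIENT_MOCK.describe_key = MagicMock(
        return_value={
            "KeyMetadata": {
                "KeyId": "000041d6-1111-2222-3333-4444560c5555",
                "KeyManager": "CUSTOMER",
                "Enabled": False,
            }
        }
    )
    lambda_event = build_lambda_scheduled_event(rule_parameters=rule_params)
    response = rule.lambda_handler(lambda_event, {})
    resp_expected = [
        build_expected_response(
            'NOT_APPLICABLE',
            'alias/testkey',
            annotation='CMK alias/testkey is disabled',
        )
    ]
    assert_successful_evaluation(self, response, resp_expected)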
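def test_scenario_no_conditions(self):
    """A key policy statement with no Condition block is NON_COMPLIANT.

    The key is enabled and CUSTOMER-managed, and its policy grants
    ``kms:Encrypt`` together with ``kms:Create*``, ``kms:Delete*`` and
    ``kms:Put*`` with ``has_condition=False``. Without a
    ``StringLike`` / ``aws:userId`` condition the statement is not
    restricted to specific principals, so the rule is expected to flag
    ``alias/testkey`` as NON_COMPLIANT with the matching annotation.
    """
    rule_params = (
        "{\"CMK_Whitelist\" : \"Otter*\", \"Admin_User_Id\" : \"AROAOTTER*\"}"
    )
    KMS_CLIENT_MOCK.list_aliases = MagicMock(return_value=self.list_aliases)
    KMS_CLIENT_MOCK.describe_key = MagicMock(
        return_value={
            "KeyMetadata": {
                "KeyId": "000041d6-1111-2222-3333-4444560c5555",
                "KeyManager": "CUSTOMER",
                "Enabled": True,
            }
        }
    )
    # The action set itself is the same one the separation-of-duties
    # scenario uses; the only difference here is the absent Condition.
    policy_doc = build_policy_doc(
        actions=["kms:Encrypt", "kms:Create*", "kms:Delete*", "kms:Put*"],
        has_condition=False,
    )
    KMS_CLIENT_MOCK.get_key_policy = MagicMock(
        return_value=build_policy_response(policy_doc)
    )
    lambda_event = build_lambda_scheduled_event(rule_parameters=rule_params)
    response = rule.lambda_handler(lambda_event, {})
    resp_expected = [
        build_expected_response(
            'NON_COMPLIANT',
            'alias/testkey',
            annotation='Policy does not have Condition: {\"StringLike\": {\"aws:userId\": *}',
        )
    ]
    assert_successful_evaluation(self, response, resp_expected)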
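def test_scenario_3_kms_star_in_policy(self):
    """A policy granting ``kms:*`` on a non-whitelisted CMK is NON_COMPLIANT.

    The key is enabled and CUSTOMER-managed. ``build_policy_doc`` is
    called with the single wildcard action ``kms:*`` (passed as a plain
    string, not a list), which the rule treats as open KMS permissions.
    Because ``alias/testkey`` does not match the ``CMK_Whitelist``
    pattern ``Otter*``, the expected result is NON_COMPLIANT.
    """
    rule_params = (
        "{\"CMK_Whitelist\" : \"Otter*\", \"Admin_User_Id\" : \"AROAOTTER*\"}"
    )
    KMS_CLIENT_MOCK.list_aliases = MagicMock(return_value=self.list_aliases)
    KMS_CLIENT_MOCK.describe_key = MagicMock(
        return_value={
            "KeyMetadata": {
                "KeyId": "000041d6-1111-2222-3333-4444560c5555",
                "KeyManager": "CUSTOMER",
                "Enabled": True,
            }
        }
    )
    # Wildcard action: the rule must not require the specific
    # Create/Delete/Put actions to be spelled out before flagging it.
    policy_doc = build_policy_doc(actions="kms:*")
    KMS_CLIENT_MOCK.get_key_policy = MagicMock(
        return_value=build_policy_response(policy_doc)
    )
    lambda_event = build_lambda_scheduled_event(rule_parameters=rule_params)
    response = rule.lambda_handler(lambda_event, {})
    resp_expected = [
        build_expected_response(
            'NON_COMPLIANT',
            'alias/testkey',
            annotation='in Key Policy for alias/testkey, statement does have open KMS permissions and CMK is not whitelisted',
        )
    ]
    assert_successful_evaluation(self, response, resp_expected)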
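def test_scenario_8_admin_role_in_whitelist_no_sep_of_duty(self):
    """A whitelisted admin id holding both usage and admin rights is NON_COMPLIANT.

    The key is enabled and CUSTOMER-managed. The policy statement grants
    ``kms:Encrypt`` (a usage permission) alongside ``kms:Create*``,
    ``kms:Delete*`` and ``kms:Put*`` (administrative permissions) to the
    user id ``AROAOTTERFGJHZSLLMNZP``, which falls under the
    ``Admin_User_Id`` pattern ``AROAOTTER*``. A whitelisted admin id does
    not excuse the missing separation of duties on a CMK that is itself
    not whitelisted, so the expected evaluation is NON_COMPLIANT.
    """
    rule_params = (
        "{\"CMK_Whitelist\" : \"Otter*\", \"Admin_User_Id\" : \"AROAOTTER*\"}"
    )
    KMS_CLIENT_MOCK.list_aliases = MagicMock(return_value=self.list_aliases)
    KMS_CLIENT_MOCK.describe_key = MagicMock(
        return_value={
            "KeyMetadata": {
                "KeyId": "000041d6-1111-2222-3333-4444560c5555",
                "KeyManager": "CUSTOMER",
                "Enabled": True,
            }
        }
    )
    # Same action mix as the no-Condition scenario, but this time bound to
    # a user id that matches the configured admin pattern.
    policy_doc = build_policy_doc(
        actions=["kms:Encrypt", "kms:Create*", "kms:Delete*", "kms:Put*"],
        userid='AROAOTTERFGJHZSLLMNZP',
    )
    KMS_CLIENT_MOCK.get_key_policy = MagicMock(
        return_value=build_policy_response(policy_doc)
    )
    lambda_event = build_lambda_scheduled_event(rule_parameters=rule_params)
    response = rule.lambda_handler(lambda_event, {})
    resp_expected = [
        build_expected_response(
            'NON_COMPLIANT',
            'alias/testkey',
            annotation='In Key Policy for alias/testkey, statement does not have separation of duties, CMK is not whitelisted, and user id is whitelisted',
        )
    ]
    assert_successful_evaluation(self, response, resp_expected)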
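def test_scenario_2_cmk_in_whitelist(self):
    """A CMK whose alias is on the ``CMK_Whitelist`` is COMPLIANT without a policy check.

    ``list_aliases`` is mocked inline (rather than via ``self.list_aliases``)
    so the single alias is ``alias/Otter*``; note the alias name contains a
    literal ``*`` and is identical to the whitelist entry ``Otter*`` apart
    from the ``alias/`` prefix. Neither ``describe_key`` nor
    ``get_key_policy`` is mocked here, so the test also demonstrates that
    the rule short-circuits on the whitelist before touching the key.
    Whether the whitelist match is a glob or an exact string comparison
    cannot be told from this scenario alone — only the exact-name case is
    covered.
    """
    rule_params = (
        "{\"CMK_Whitelist\" : \"Otter*\", \"Admin_User_Id\" : \"AROAOTTER*\"}"
    )
    KMS_CLIENT_MOCK.list_aliases = MagicMock(
        return_value={
            "Aliases": [
                {
                    "AliasName": "alias/Otter*",
                    "AliasArn": "arn:aws:kms:us-east-1:01234567890:alias/testkey",
                    "TargetKeyId": "000041d6-1111-2222-3333-4444560c5555",
                }
            ]
        }
    )
    lambda_event = build_lambda_scheduled_event(rule_parameters=rule_params)
    response = rule.lambda_handler(lambda_event, {})
    resp_expected = [
        build_expected_response(
            'COMPLIANT',
            'alias/Otter*',
            annotation='CMK alias/Otter* is in whitelist for CMK Key Policy check',
        )
    ]
    assert_successful_evaluation(self, response, resp_expected)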