mitre / aws-foundations-cis-baseline

InSpec profile to validate your VPC to the standards of the CIS Amazon Web Services Foundations Benchmark

Support skipping KMS keys #109

Closed ben-harvey closed 11 months ago

ben-harvey commented 2 years ago

This improvement would allow skipping a list of KMS keys defined by the user in the inputs.yml, in the same manner as security groups and S3 buckets. One possible implementation would look like:

  - name: exception_keys_list
    description: 'list of KMS keys exempted from inspection'
    type: Array
    value:
      - 'exception_key_alias'   # or 'exception_key_id', if that makes more sense

To clarify a use case, ITOPS configures certain KMS keys for ADOs. ADOs don't have IAM permissions to perform actions on these keys, which leads to warnings like:

WARN: AWS Service Error encountered running a control with Resource aws_kms_key. Error message: User: arn:aws:iam::{account}:user/{user} is not authorized to perform: kms:GetKeyRotationStatus on resource: arn:aws:kms:us-east-1:{account}:key/{id} because no resource-based policy allows the kms:GetKeyRotationStatus action. You should address this error to ensure your controls are behaving as expected.
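The filtering the request above describes, written out as an added example that is not the profile's own code. It assumes an input named `exception_keys_list` whose entries may be a key alias, a key id or a key ARN, and it works on a constructed list of keys rather than the profile's real `aws_kms_keys` lookups; the functions are plain Ruby so they run outside InSpec, with the DSL usage shown in comments.

```ruby
# Added example (not part of the mitre/aws-foundations-cis-baseline profile):
# filtering KMS keys against a user-supplied exception list, as proposed for
# inputs.yml. Assumed input name: exception_keys_list.

# Constructed sample standing in for what a control would collect from the
# aws_kms_keys resource plus an alias lookup; ids are made up.
SAMPLE_KEYS = [
  { id: '1111aaaa-0000-0000-0000-000000000001', aliases: ['alias/app-data'] },
  { id: '2222bbbb-0000-0000-0000-000000000002', aliases: ['alias/itops-managed'] },
  { id: '3333cccc-0000-0000-0000-000000000003', aliases: [] },
].freeze

# Normalise one exception entry so that 'alias/foo', 'foo', a raw key id and a
# key ARN can all be compared against the collected keys.
def normalize_exception(entry)
  e = entry.to_s.strip
  return e if e.empty?
  # Key ids (UUIDs) and ARNs are kept verbatim; bare alias names get 'alias/'.
  return e if e.match?(/\A[0-9a-f-]{36}\z/i) || e.start_with?('arn:aws:kms:')
  e.start_with?('alias/') ? e : "alias/#{e}"
end

# Splits the collected keys into those still subject to inspection and those
# exempted by the input, so the control can report both sets.
def filter_kms_keys(keys, exception_keys_list)
  exceptions = exception_keys_list.map { |x| normalize_exception(x) }.reject(&:empty?)
  skipped, kept = keys.partition do |k|
    exceptions.include?(k[:id]) ||
      exceptions.any? { |ex| ex.end_with?(":key/#{k[:id]}") } ||
      (k[:aliases] & exceptions).any?
  end
  { kept: kept, skipped: skipped }
end

# Surfaces the three situations a control has to handle after filtering. The
# thread leaves open whether an empty remaining set should be NA or NR, so this
# only names the cases; the control author maps them to skip/impact handling.
def review_state(result, total_count)
  return :no_keys_in_account if total_count.zero?
  return :all_keys_exempted if result[:kept].empty?
  :keys_to_review
end

# How an InSpec control would consume this (DSL shown in comments only):
#
#   exception_keys_list = input('exception_keys_list', value: [])
#   result = filter_kms_keys(collected_keys, exception_keys_list)
#   result[:skipped].each do |k|
#     describe "KMS key #{k[:id]}" do
#       skip 'exempted via exception_keys_list input'
#     end
#   end
#   result[:kept].each do |k|
#     describe aws_kms_key(key_id: k[:id]) do
#       it { should have_rotation_enabled }
#     end
#   end

if __FILE__ == $PROGRAM_NAME
  result = filter_kms_keys(SAMPLE_KEYS, ['itops-managed'])
  puts "kept:    #{result[:kept].map { |k| k[:id] }}"
  puts "skipped: #{result[:skipped].map { |k| k[:id] }}"
  puts "state:   #{review_state(result, SAMPLE_KEYS.size)}"
end
```

Exempting a key by alias rather than id keeps the input stable across key rotation or re-creation, but an alias can be repointed, so a profile that accepts aliases should resolve them at scan time rather than caching the mapping; the skipped set is reported explicitly so that an exemption never silently hides a key from the results.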

aaronlippold commented 2 years ago

I have noticed errors like this as well. I will look into it over the next day or two.

aaronlippold commented 11 months ago

Please review the addition and also determine which state to use when there are no keys to review - if we are in NA or NR.

aaronlippold commented 11 months ago

Can you also give a hand at running the v2 branch - please review the useful inputs for data filtering - and make sure your issue has been resolved.

aaronlippold commented 11 months ago

I believe the current commits in https://github.com/mitre/aws-foundations-cis-baseline/pull/113 address this issue

but searching through the controls for V2 I think that requirement may be OBE so the input may end up going away?

ben-harvey commented 11 months ago

> Can you also give a hand at running the v2 branch - please review the useful inputs for data filtering - and make sure your issue has been resolved.

Hi @aaronlippold, unfortunately I no longer have access to the resources related to this issue, which I created when on an embedding rotation with MACFin. You could try reaching out to Sam Daniel on CMS Slack (@sam) to see if this is still an issue for them

aaronlippold commented 11 months ago

Hi Ben, will do, by the way, keep an eye, I plan to release v2 of the profile soon. :)