prowler-cloud / prowler Goto Github PK

I got errors running extra73:
INFO! Looking for open S3 Buckets (ACLs and Policies) in all regions...
mktemp: too few X's in template ‘prowler-123456789012-mybucket.policy’
./prowler: line 1444: $TEMP_POLICY_FILE: ambiguous redirect

To resolve I changed prowler from:
TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy)
to:
TEMP_POLICY_FILE=prowler-${ACCOUNT_NUM}-${bucket}.policy

Hi,

From the AWS_CIS_Foundations_Benchmark PDF file (https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf), for the check 3.2 (page 91), it is stated that it would be necessary to check for this Filter Pattern of the specified Metric:

"filterPattern": "{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }"

Since it is not possible to check only for this because it would involve ConsoleLogin for IAM Federated Users as well (assumed roles for the federated groups in AD), and it is not possible to configure MFA for federated users (IAM Roles) as a native AWS Solution, I created the following Filter Pattern which covers the ConsoleLogin API call with success for any generic IAM User, as well as for the root user of the AWS Account:

"filterPattern": "{ ($.userIdentity.type= IAMUser || $.userIdentity.type= Root) && ($.responseElements.ConsoleLogin= Success) && ($.additionalEventData.MFAUsed != "Yes") }"

This works well from any CIS Benchmark Security Requirement. However, from a quick review of the Prowler script (Line 1058), I found the following Regex checking for:

'userIdentity.sessionContext.attributes.mfaAuthenticated.*true'

This will clearly result in an error. It checks for any Metric which looks for Logs containing the sessionContext attribute. It does not appear whenever an IAM User or the root account signs successfully to the console without MFA. It will check for all the API Calls with that parameter in the Log stream. Examples of these API Calls:

• ListInstanceProfiles
• DescribeStaleSecurityGroups
• DescribeAddresses
• etc.

And neither of the API Calls containing the sessionContext parameter have ConsoleLogin as an eventName parameter.

Can you help me with this please?

Cheers,
Gabriel

the output from aws iam list-entities-for-policy --policy-arn $SUPPORTPOLICYARN includes mutliple lines, breaking the CSV output format.

I'm thinking to add more checks that are helpful for auditing an account security, I'm thinking on detailed S3 bucket analysis or EBS snapshots permissions, among many other checks that might come up.
It would be section "Extras" outside CIS.

Should add check for RDS instances that have public IPs directly assigned.

I find the escape codes can make tool output hard to diff, grep, and parse with other tools. Any objection to me posting a PR for such a feature?

Check 110 is returning FALSE even though Number of passwords to remember is set to 24.

Manually running the command confirms that my Number of passwords to remember is set to 24

I resolved issue by changing https://github.com/Alfresco/aws-cis-security-benchmark/blob/master/prowler#L371

FROM

COMMAND110=$($AWSCLI iam get-account-password-policy --profile $PROFILE --region $REGION --query 'PasswordPolicy.PasswordReusePrevention' | grep PasswordReusePrevention | awk -F: '{ print $2 }'|sed 's/\ //g'|sed 's/,/ /g')

TO

COMMAND110=$($AWSCLI iam get-account-password-policy --profile $PROFILE --region $REGI ON --query 'PasswordPolicy.PasswordReusePrevention')

the third argument to titleText was removed from the not-scored items recently.

One hidden side-effect of the change - that was used to update the flag used to determine if a check was scored. I'll create PR shortly.

the ability to generate a CSV report would be immensely useful to compare findings across multiple runs and multiple profiles.

This reference doesn't add much information and may encourage uninformed users to click on unverified links. Whoever is working with the tool should also have the benchmark at hand to understand/handle issues.

I'll be happy to create a pull request for this issue, I'm just not sure how is best to tackle this.
Maybe remove all references from the reports aside from a link at the top of the report.

Even though I have this metric filter configured I get the message stating that no filters or alarms are associated.

The problem is at https://github.com/Alfresco/aws-cis-security-benchmark/blob/master/prowler#L606 since the --query argument must extract data from metricFilters.

Changing to --query 'metricFilters' appears to fix the problem.

I'm getting a strange error at https://github.com/Alfresco/aws-cis-security-benchmark/blob/master/prowler#L499

However, when I run the command manually it works:

aws cloudtrail get-trail-status --name $trail --query 'LatestCloudWatchLogsDeliveryTime' --output text|grep -v None

I noticed that the title for the 1.16 check is missing.

You can reproduce using the following command:
./prowler -c check116

It should output: 1.16 Ensure IAM policies are attached only to groups or roles (Scored)

I've found that when more than a suscription is found it doesn't display it correctly and there is an error with grep.

Hi,

there is a issue when a huge amount of snapshots are present. Report generation takes a long time.

Please add max items return constrain to this extra #72 check.

Can't get item 3.2 to resolve:
" 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored) WARNING! CloudWatch group found but no metric filters or alarms associated"

I've tried a few different things, and this is the only CloudWatch filter/alarms that still comes up. The event and alarm work though, so that's good. This is in GovCloud, which may have something to do with it? Otherwise this has been a fun tool to use!

Thanks,

Mark

I get the following errors for check112:

1.12 Ensure no root account access key exists (Scored)
./prowler: line 390: [: ==: unary operator expected
Found access key 1
./prowler: line 395: [: ==: unary operator expected
Found access key 2

I have confirmed that my Credential Report is showing FALSE for both access keys.

I tried changing line 390:

if [[ $ROOTKEY1 == "false" ]];then

This removes the unary operator expected message but result is still incorrect:

It appears that the $ROOTKEY1 and $ROOTKEY2 variables are not populating with a value.

I have two policies with almost the same names for example
arn:aws:iam::123:policy/admin-policy
arn:aws:iam::123:policy/admin-policy-full
So when this command runs on
https://github.com/Alfresco/prowler/blob/master/prowler#L859
The output throws 2 version Id's
`aws iam list-policies --region us-east-1 --query 'Policies[*].[Arn,DefaultVersionId]' --output text| grep -w "arn:aws:iam::123:policy/admin-policy" | awk '{ print $2}'

arn:aws:iam::123:policy/admin-policy v1

arn:aws:iam::123:policy/admin-policy-full v1`

The -w option didn't work as it does only a exact word match as per this
https://stackoverflow.com/questions/44315564/grep-fixed-string-is-not-grepping-exact-string-string-end-with-extra-character

Is it possible to have fix around this as well.
Thanks

Hi,

This issue is quite similar to this one except applied to check 3.2.

I implement checks with terraform based on CIS documentation (page 91 of 148).

I get a false negative as the documentation proposes { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
but the tool checks for userIdentity.sessionContext.attributes.mfaAuthenticated.*true.

Frankly, I wouldn't mind changing metrics to adjust to the tool, but I'd like to know why it is different. If it has been taken from an old cloudformation template, perhaps a new one has been publish in the meantime... perhaps not. Either ways, I'd like to know a little bit more.

Thanks

As security assessment tool, I don't think is good idea to allow Prowler to fix or apply changes to the infrastructure. That would mean a big change on the role that allows Prowler to get all the info (readOnly as good practice). However, I think it would be very helpful to have an option that shows a list of commands to fix or remediate all findings, then the user will chose what to run and under what role.

Mark each of the items as Level 1 or Level 2.

Add check groups for level1 and level2 to run only the benchmarks in each level.

I just finished to run the prowler script after some modifications towards my AWS Account to be compliant. However, after some modifications on it, the prowler script is still showing me Users that do not exist anymore, or even WARNING messages for issues I just solved.
Specifically:

• I deleted an IAM User that appears as not having MFA enabled.
• I created CloudWatch Alarms for all the APIs that require monitoring for the given CloudWatch Logs LogGroup, and still receiving it as a WARNING.

Thanks,
Gabriel

It would be nice if exit code for reviews that indicate warnings or failures to exit with a non-zero code so that it integrates nicely with build tooling.

Let me know what other logs would help. Here's a copy of the console output.

$ date
Mon Sep 11 10:59:05 EDT 2017
$ git clone https://github.com/Alfresco/prowler.git
Cloning into 'prowler'...
remote: Counting objects: 534, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 534 (delta 2), reused 3 (delta 1), pack-reused 527
Receiving objects: 100% (534/534), 217.04 KiB | 0 bytes/s, done.
Resolving deltas: 100% (275/275), done.
$ ./prowler -n -p $PROFILE -M csv > ~/Desktop/prowler/$PROFILE_prowler.csv

Generating "," delimited report on stdout for profile CardL_IDS, account $ACCOUNT_#
0.0 Show report generation info
...
1.04 Ensure access keys are rotated every 90 days or less (Scored)
Failed conversion of access_key_1_last_rotated'' using format %Y-%m-%d''
date: illegal time format
usage: date [-jnRu] [-d dst] [-r seconds] [-t west] [-v[+|-]val[ymwdHMS]] ...
[-f fmt date | [[[mm]dd]HH]MM[[cc]yy][.ss]] [+format]
./prowler: line 193: (1505141313 - )/60/60/24: syntax error: operand expected (error token is ")/60/60/24")
./prowler: line 519: [: -gt: unary operator expected
1.05 Ensure IAM password policy requires at least one uppercase letter (Scored)
...11

The 1.16 check fails due to an error from awscli. Apparently the list-attached-user-policies is not supported in some versions of awscli or it does not work for some environment-specific reason. If this is due to a change in the cli, then it should be updated to the relevant check, otherwise this should maybe fail more gracefully than giving an error for every user that the call is made for.

Awscli version:

aws-cli/1.4.2 Python/3.4.2 Linux/3.16.0-4-amd64 

Error message:

1.16  Ensure IAM policies are attached only to groups or roles (Scored)
usage: aws [options] <command> <subcommand> [parameters]
aws: error: argument operation: Invalid choice, valid choices are:

add-role-to-instance-profile             | add-user-to-group                       
change-password                          | create-access-key                       
create-account-alias                     | create-group                            
create-instance-profile                  | create-login-profile                    
create-role                              | create-saml-provider                    
create-user                              | create-virtual-mfa-device               
deactivate-mfa-device                    | delete-access-key                       
delete-account-alias                     | delete-account-password-policy          
delete-group                             | delete-group-policy                     
delete-instance-profile                  | delete-login-profile                    
delete-role                              | delete-role-policy                      
delete-saml-provider                     | delete-server-certificate               
delete-signing-certificate               | delete-user                             
delete-user-policy                       | delete-virtual-mfa-device               
enable-mfa-device                        | generate-credential-report              
get-account-password-policy              | get-account-summary                     
get-credential-report                    | get-group                               
get-group-policy                         | get-instance-profile                    
get-login-profile                        | get-role                                
get-role-policy                          | get-saml-provider                       
get-server-certificate                   | get-user                                
get-user-policy                          | list-access-keys                        
list-account-aliases                     | list-group-policies                     
list-groups                              | list-groups-for-user                    
list-instance-profiles                   | list-instance-profiles-for-role         
list-mfa-devices                         | list-role-policies                      
list-roles                               | list-saml-providers                     
list-server-certificates                 | list-signing-certificates               
list-user-policies                       | list-users                              
list-virtual-mfa-devices                 | put-group-policy                        
put-role-policy                          | put-user-policy                         
remove-role-from-instance-profile        | remove-user-from-group                  
resync-mfa-device                        | update-access-key                       
update-account-password-policy           | update-assume-role-policy               
update-group                             | update-login-profile                    
update-saml-provider                     | update-server-certificate               
update-signing-certificate               | update-user                             
upload-server-certificate                | upload-signing-certificate              
help                                    


Invalid choice: 'list-attached-user-policies', maybe you meant:

  * list-user-policies

https://github.com/Alfresco/prowler/blob/35da09d97a8130e2839e136c97cac48281b17c65/prowler#L719

Current Number format: 3.1, 3.2, 3.3, ... 3.10
Desired Number format: 3.01, 3.02, 3.03... 3.10

This will make it easier to sort the results in other tools.

I think it would be good idea to add a scoring system like what Lynis does, here an example:

================================================================================

  Lynis security scan details:

  Hardening index : 68 [#############       ]
  Tests performed : 205

Something like Hardening index based on the test results would be helpful to have an order of magnitude on our status in just one number (not very exhaustive but helpful). Not sure how to implement it yet though.

I noticed that the Prowler custom IAM policy (in README.md) includes "ses:sendemail".
I don't see how this is used within Prowler. Does anyone know why it is there? Can it get removed?
Thanks!

Don't know if this is good idea or keep Prowler doing its own way... I think OK! and WARNING! is fine and easy to understand too. Not very important but the change is pretty straightforward, just changing 2 lines of code.

I get the following error for check113.

line 417: [: user/XXXX.XXXX: unary operator expected

Resolved the error by replacing line 417 with:

if [[ $COMMAND113 ]]; then

However I think this is a limitation of the AWS CLI because there doesn't appear to be a way to determine whether or not the MFA device is actually hardware or not using CIS's recommended Audit check of aws iam get-account-summary | grep AccountMFAEnabled. In my case my root account has a virtual MFA assigned, not hardware but the status is 1.

https://github.com/Alfresco/aws-cis-security-benchmark/blob/master/prowler#L415 is querying VirtualMFADevices but I don't see a way to query anything hardware related with the subcommand list-mfa-devices.

Hi,

I have created a CloudTrail trail in EU-Frankfurt (eu-central-1) which logs to a CloudWatch Logs LogGroup in the same AWS Region, ALL the activities from ALL AWS Regions. This is possible as stated from the official AWS Documentation.
From the AWS_CIS_Foundations_Benchmark PDF (https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf), page 88, it is stated that we need to have Metrics, Alarms, and SNS Endpoints configured to that specific LogGroup in order to be compliant. It does not specify any AWS Region where to have this, or that we are commited to have it in every region of the AWS Account.

After a quick review from the code of the Prowler script, I found it to search for metrics of a CloudWatch Logs Group in a specific region:

METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP $PROFILE_OPT --region $REGION --query 'metricFilters' | grep AccessDenied)

This is a problem since the CloudTrail trail is seen from any AWS Region. It is propagated even if you create it in a single AWS Region. However, the same is not true for CloudWatch Logs, Metrics, and Alarms, since they are tied to a single AWS Region.
I am running the script to audit the entire AWS Account, and I would not like to specify an AWS Region when running the Prowler script (-r option).
I think it would be better to specify the CloudTrail's CloudWatch Logs LogGroup AWS Region in advance before launching the Prowler script so we do not get the following errors:

WARNING! CloudWatch group found but no metric filters or alarms associated

I have already configured all the Metrics, Alarms, and SNS Endpoints to monitor all the activities from ALL the AWS Regions, and I am still getting the above errors.

Can you help me with this please?

Cheers,
Gabriel

Running prowler with the default options skips checks 1.16 - 1.18. These checks are executed when running prowler with the -c check1 option. The default report should execute all checks right?

When I run ./prowler -c check124 I get following error:
(....some lines deleted....)
1.24 Ensure IAM policies that allow full ":" administrative privileges are not created (Scored)
INFO! Looking for custom policies: (skipping default policies - it may take few seconds...)
usage: aws [options] [ ...] [parameters]
To see help text, you can run:

aws help
aws help
aws help

Unknown options: v3

When I run bash this with bash -x I get:

• POLICY_VERSION='v2
  v3'
  ++ /usr/bin/aws iam get-policy-version --output text --policy-arn arn:aws:iam::123456789012:policy/myrole --version-id v2 v3 --query 'PolicyVersion.Document.Statement[?Effect == '''Allow''' && contains(Resource, '''''') && contains (Action, '''''')]' --profile default --region us-east-1
  usage: aws [options] [ ...] [parameters]
  To see help text, you can run:

  aws help
  aws help
  aws help

Unknown options: v3

Looks like bug with line:
POLICY_VERSION=$($AWSCLI iam list-policies --profile $PROFILE --region $REGION --query 'Policies[*].[Arn,DefaultVersionId]' --output text|grep -w $policy |awk '{ print $2}')

If there are two policies:
arn:aws:iam::123456789012:policy/mypolicy - which is v2
arn:aws:iam::123456789012:policy/mypolicy2 - which is v3

It will produce POLICY_VERSION='v2
v3'

Change line to:
POLICY_VERSION=$($AWSCLI iam list-policies --profile $PROFILE --region $REGION --query 'Policies[*].[Arn,DefaultVersionId]' --output text|grep -P "$policy\t" |awk '{ print $2}')

I have multiple AWS accounts in which I only keep users in one account and then use cross-account roles to access the other accounts with STS like this:

aws sts assume-role --role-arn "arn:aws:iam::1XXXXXXXXXXX:role/UAT-ENGINEERS" --role-session-name "CIS-Benchmark-Scan" --token-code <MFA Code> --serial-number arn:aws:iam::6XXXXXXXXXXX:mfa/bob.hope

After running this command I receive STS credentials and export them using these commands*

export AWS_ACCESS_KEY_ID=<Enter AccessKeyId>
export AWS_SECRET_ACCESS_KEY=<Enter SecretAccessKey>
export AWS_SESSION_TOKEN=<Enter SessionToken>

However, when I run ./prowler it isn't using the STS credentials.

Hi,

Great tool! When testing i have noticed a bug with the IAM password policy queries.

The code (line 307) should be lowercase true:

from if [ $COMMAND15 == "True" ];then
to if [ $COMMAND15 == "true" ];then

and the same for lines 318, 329, 340.

Seems to be a bug with the way the IAM password policy is scored.

output of aws iam get-account-password-policy shows true for RequireLowercaseCharacters, RequireNumbers, RequireSymbols, and RequireUppercaseCharacters, however the result of IAM policy shows as missing numbers, symbols, and upper case characters.

See output below:

| GetAccountPasswordPolicy |
+-----------------------------------------+
|| PasswordPolicy ||
|+------------------------------+--------+|
|| AllowUsersToChangePassword | True ||
|| ExpirePasswords | False ||
|| HardExpiry | False ||
|| MinimumPasswordLength | 8 ||
|| RequireLowercaseCharacters | True ||
|| RequireNumbers | True ||
|| RequireSymbols | True ||
|| RequireUppercaseCharacters | True ||
|+------------------------------+--------+|

1.5 Ensure IAM password policy requires at least one uppercase letter (Scored)
WARNING! Password Policy missing upper-case requirement

1.6 Ensure IAM password policy require at least one lowercase letter (Scored)
WARNING! Password Policy missing lower-case requirement

1.7 Ensure IAM password policy require at least one symbol (Scored)
WARNING! Password Policy missing symbol requirement

1.8 Ensure IAM password policy require at least one number (Scored)
WARNING! Password Policy missing number requirement

The default SecurityAudit IAM policy only contains the following SNS actions:

"sns:GetTopicAttributes", "sns:ListTopics"

As a result, this causes an error for https://github.com/Alfresco/aws-cis-security-benchmark/blob/master/prowler#L802

An error occurred (AuthorizationError) when calling the ListSubscriptionsByTopic operation: User: arn:aws:iam::XXXXXXXX:user/BobHope is not authorized to perform: SNS:ListSubscriptionsByTopic on resource: arn:aws:sns:eu-west-1:XXXXXXXXX:PagerDuty

The IAM policy needs the following action added to remove the error:

sns:ListSubscriptionsByTopic

It'd be nice if you could have the tool only output failures. Some of these reports can be massive/difficult to parse for people who are not familiar with it, such as when your trying to audit for a large number of accounts at the same time or forwarding results to end users.

That seem reasonable?

Checks 1.5 - 1.9 are coming back with a unary operator expected response when there isn't a password policy set for the AWS account. I'm seeing the following output below for those checks:

An error occurred (NoSuchEntity) when calling the GetAccountPasswordPolicy operation: The Password Policy with domain name < ... some domain ... > cannot be found.

 1.5 Ensure IAM password policy requires at least one uppercase letter (Scored) 
./prowler: line 323: [: ==: unary operator expected
      FALSE 

An error occurred (NoSuchEntity) when calling the GetAccountPasswordPolicy operation: The Password Policy with domain name <... some domain ... > cannot be found.

 1.6 Ensure IAM password policy require at least one lowercase letter (Scored) 
./prowler: line 334: [: ==: unary operator expected
      FALSE 

An error occurred (NoSuchEntity) when calling the GetAccountPasswordPolicy operation: The Password Policy with domain name <... some domain ... > cannot be found.

 1.7 Ensure IAM password policy require at least one symbol (Scored) 
./prowler: line 345: [: ==: unary operator expected
      FALSE 

An error occurred (NoSuchEntity) when calling the GetAccountPasswordPolicy operation: The Password Policy with domain name <... some domain ... > cannot be found.

 1.8 Ensure IAM password policy require at least one number (Scored) 
./prowler: line 356: [: ==: unary operator expected
      FALSE 

An error occurred (NoSuchEntity) when calling the GetAccountPasswordPolicy operation: The Password Policy with domain name <... some domain ... > cannot be found.

 1.9 Ensure IAM password policy requires minimum length of 14 or greater (Scored) 
./prowler: line 367: [: -gt: unary operator expected
      FALSE 

Updating each of the if statements in each respective line referenced above with double brackets will remove the unary operator expected response. Updated from

if [ $COMMAND15 == "true" ];then
to

if [[ $COMMAND15 == "true" ]];then

fixed this locally.

Currently:
textOK "CloudWatch group $group found with metric filters and alarms for usage of root account"

Should be:
textOK "CloudWatch group $group found with metric filters and alarms for AWS Management Console authentication failures"

https://github.com/Alfresco/prowler/blob/master/prowler#L1182

During my initial run of prowler, the top of the output shows as follows (showing an error message for a run of aws cli):

This report is being generated using credentials below:
AWS-CLI Profile: [default] AWS Region: [us-east-1]
usage: aws [options] [ ...] [parameters]
To see help text, you can run:
aws help
aws help
aws help
aws: error: argument operation: Invalid choice, valid choices are:
assume-role | assume-role-with-saml
assume-role-with-web-identity | decode-authorization-message
get-federation-token | get-session-token
help
Colors Code for results: INFORMATIVE, OK (RECOMMENDED VALUE), CRITICAL (FIX REQUIRED)
Generating AWS IAM Credential Report....COMPLETE

It seems there is a problem running this command:

$aws sts get-caller-identity --output table --profile default --region us-east-1

usage: aws [options] [ ...] [parameters]
To see help text, you can run:

aws help
aws help
aws help
aws: error: argument operation: Invalid choice, valid choices are:

assume-role | assume-role-with-saml
assume-role-with-web-identity | decode-authorization-message
get-federation-token | get-session-token
help

I am using the latest aws cli

$aws --version
aws-cli/1.9.7 Python/2.6.6 Linux/2.6.32-573.22.1.el6.x86_64 botocore/1.3.7

Line 612 -
TITLE110="Ensure IAM password policy prevents password reuse, 24 or greater (Scored)"
This comma isn't properly escaped in the CSV output, so any results for 1.10 show as 10 columns rather than 9. Please remove this comma in TITLE110 or properly quote/escape it.

I predominantly use API keys as environment variables by way of apicreds and thus haven't really ever needed to set up AWS local profiles (and would prefer not to given the local persistent plaintext creds).

I'm wondering if there's an easy way I can use prowler in this scenario? The tool seems pretty hardcoded to expect the aws config file to exist, but would love to give it a spin.

No need to use Secret and Access Keys...Here is how:

http://docs.aws.amazon.com/cli/latest/topic/config-vars.html
The CLI config file on linux is usually in ~/.aws/config, here is an example:
[profile trusting-account]
region = us-east-1
role_arn = arn:aws:iam::222222222222:role/crossaccount-readonly
external_id = 12345
source_profile = default

The following awk error was displayed during a run of prowler:

1.12 Ensure no root account access key exists (Scored)
Found access key 1
Found access key 2
awk: warning: escape sequence \ ' treated as plain '

So this is an interesting one - for check28 I get two keys are not set to rotate:

When I run the CLI commands manually I get 8 keys - the screenshot above shows 10 keys - not sure why that is the case.

Also, the keys that are showing not set to rotate! are AWS default master keys that are created when you encrypt a resource without specifying your own CMK. One of those keys does not display from the manual query - the one from us-east-1

Unfortunately, there doesn't appear to be a way to distinguish a CMK and a default KMS master key. I tried searching using 'Keys[*].KeyArn' but do not see anyway to differentiate between CMK and AWS default keys.

I also opened a case with AWS and was told that once a default AWS key has been created, there is no way to delete it. :( AWS supposedly rotates default master keys every year but when you do a query for a key the response is False:

Apologies for not being able to contribute more than I have! Anyway, might have a way to clear up the KMS Key checks.

First, if a customer like myself is using customer generated key material, the following error will generate when calling from get-key-rotation-status:

Here is a proposal to fix this error and clean up the other KMS key checks - I hope you like it:

check28(){
  TITLE28="$BLUE 2.8$NORMAL Ensure rotation for customer created CMKs is enabled (Scored)"
  echo -e "\n$TITLE28"
  for regx in $REGIONS; do
  CHECK_KMS_KEYLIST=$($AWSCLI kms list-keys --profile $PROFILE --region $regx --output text --query 'Keys[*].KeyId')
    if [[ $CHECK_KMS_KEYLIST ]];then
      for key in $CHECK_KMS_KEYLIST; do
    	  CHECK_KMS_KEY_TYPE=$($AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --query 'KeyMetadata.Origin' | sed 's/["]//g')
    		  if [[ $CHECK_KMS_KEY_TYPE == "EXTERNAL" ]];then
    			  echo -e "     $BLUE Key $key in Region $regx Customer Uploaded Key Material.$NORMAL"
    		  else
    			  CHECK_KMS_KEY_ROTATION=$($AWSCLI kms get-key-rotation-status --key-id $key --profile $PROFILE --region $regx --output text)
    			  CHECK_KMS_DEFAULT_KEY=$($AWSCLI kms describe-key --key-id $key --profile $PROFILE --region $regx --query 'KeyMetadata.Description' | sed -n '/Default master key that protects my /p')
    				  if [[ $CHECK_KMS_KEY_ROTATION == "True" ]];then
            			  echo -e "     $OK OK! Key $key in Region $regx is set correctly$NORMAL"            		      
            		  elif [[ $CHECK_KMS_KEY_ROTATION == "False" && $CHECK_KMS_DEFAULT_KEY ]];then
    					  echo -e "     $NOTICE Region $regx key $key is an AWS default master key and cannot be deleted nor modified.$NORMAL"
    				  else
    				    echo -e "     $RED WARNING! Key $key in Region $regx is not set to rotate!!!$NORMAL"
    				  fi
    		  fi
      done

  else
      echo -e "     $NOTICE Region $regx doesn't have encryption keys $NORMAL"
  fi
  done 
}

It is really tricky to get this to work correctly and might consider fine tuning in the future but here is the current state for reference:

1. When you create a KMS key from the AWS Management Console, an ALIAS is required.
2. When you create a KMS key from the AWS CLI or CloudFormation, you cannot set an ALIAS. This makes is difficult to call kms list-aliases since AWS CLI and CloudFormation created KMS Keys will not have an ALIAS by default and will be skipped.

Ref 1: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html

Ref 2: http://docs.aws.amazon.com/cli/latest/reference/kms/create-key.html

3. You can set an ALIAS from the AWS CLI after the KMS master key has been created. Although, alias/aws/ is reserved by AWS we can't really use kms list-aliases for anything useful since neither kms get-key-rotation-status or kms describe-key reference the ALIAS.

Example of a CloudFormation generated KMS CMK:

Create an ALIAS for the CloudFormation generated KMS CMK:

Confirmed ALIAS created:

And finally a query for AWS generated keys only although I don't see any easy way to use this call with Prowler.

aws kms list-aliases --region eu-west-1 --query 'Aliases[*].AliasName' | sed -n '/alias\/aws\//p'| sed 's/[",]//g'

Ref 3: http://docs.aws.amazon.com/cli/latest/reference/kms/create-alias.html

It's kind of annoying that AWS doesn't at least let us delete the default keys.

First off thank you for this invaluable tool.

After running the report with the correct permissions I noticed a warning related to the aws/acm key not being set to rotate under section 2.8. The aws/acm key (http://docs.aws.amazon.com/acm/latest/userguide/kms.html) is actually a default master key and should not be checked for rotation. From the prowler output I noticed an AccessDenied error when checking the key rotation status of this key. I have other default master keys in my account and do not receive a permissions error when checking the key rotation status. Not sure why this key is setup differently.

I think this false positive could be avoided if key rotation status is only checked for non-default master keys.

Or any plans supporting it in the future?

https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/