Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(kms): add multi_region attribute to AWS KMS key class #6794

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

chore(kms): add multi_region attribute to AWS KMS key class #6794

wants to merge 3 commits into from
+13 −5

Conversation

wunzeco
Copy link

@wunzeco wunzeco commented Feb 3, 2025

Context

When developing a custom check to check the multi-region status of keys created in an AWS account, I discovered
that the Key class
was missing a field for the KMS Key KeyMetadata.MultiRegion data. The resulting error I encountered is given below:

E       AttributeError: 'Key' object has no attribute 'multi_region'

Please include relevant motivation and context for this PR.

If fixes an issue please add it with Fix #6792

Description

Please include a summary of the change and which issue is fixed. List any dependencies that are required for this change.

  • Addes missing multi_region field to KMS Key class to store the value of KeyMetadata.MultiRegion that is available in the KMS DescribeKey api response

See example output here

  • No additional dependencies required for this change

Checklist

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@wunzeco wunzeco requested review from a team as code owners February 3, 2025 15:12
@github-actions github-actions bot added the provider/aws Issues/PRs related with the AWS provider label Feb 3, 2025
@MrCloudSec
Copy link
Member

Good catch @wunzeco! Just out of curiosity, how is the check you are developing?

@MrCloudSec MrCloudSec linked an issue Feb 3, 2025 that may be closed by this pull request
Add a "multi_region" field that is missing in the KMS Key class #6792
Open
@wunzeco
Copy link
Author

wunzeco commented Feb 4, 2025

@MrCloudSec
I was developing a custom check to check the multi-region status of kms keys.
The use case for my organisation is this:

A customer managed key should be single region only. The rationale is that though a multi-region key can facilitate data transfer between AWS regions. However, it can also increase the risk of data exposure because managing access controls and auditing across multi regions becomes more complex, potentially allowing more attack surfaces to could result in compromise of sensitive data.

For organisations with strict data residency requirements (like mine), a multi-region key is not useful.

I'd be happy to contribute this custom check as I believe it might help others.

Currently, I got the custom check working by extending KMS class and Key class locally, which I won't have needed to do if the missing multi_region field was in place. Fortunately, it enabled me explore and be exposed more to the inner workings of this awesome project.

@wunzeco
Copy link
Author

wunzeco commented Feb 4, 2025

Investigating the failed PR build jobs

@MrCloudSec MrCloudSec changed the title fix(kms): add missing multi_region field to Key class chore(kms): add multi_region attribute to AWS KMS key class Feb 4, 2025
@MrCloudSec
Copy link
Member

@MrCloudSec I was developing a custom check to check the multi-region status of kms keys. The use case for my organisation is this:

A customer managed key should be single region only. The rationale is that though a multi-region key can facilitate data transfer between AWS regions. However, it can also increase the risk of data exposure because managing access controls and auditing across multi regions becomes more complex, potentially allowing more attack surfaces to could result in compromise of sensitive data.

For organisations with strict data residency requirements (like mine), a multi-region key is not useful.

I'd be happy to contribute this custom check as I believe it might help others.

Currently, I got the custom check working by extending KMS class and Key class locally, which I won't have needed to do if the missing multi_region field was in place. Fortunately, it enabled me explore and be exposed more to the inner workings of this awesome project.

It would be great if you can add that check here too so we can add value to the Prowler community 😄

@codecov Codecov
Copy link

codecov bot commented Feb 4, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 88.75%. Comparing base (763130f) to head (9b6a033).
Report is 18 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #6794      +/-   ##
==========================================
- Coverage   93.52%   88.75%   -4.78%     
==========================================
  Files          67     1195    +1128     
  Lines        6330    34492   +28162     
==========================================
+ Hits         5920    30612   +24692     
- Misses        410     3880    +3470
Flag Coverage Δ
api ?
prowler 88.75% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
prowler 88.75% <100.00%> (∅)
api ∅ <ø> (∅)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
provider/aws Issues/PRs related with the AWS provider
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add a "multi_region" field that is missing in the KMS Key class
2 participants
@wunzeco @MrCloudSec