Adding First script for KMS Key Rotation

Author: Chris Farris

.gitignore

@@ -0,0 +1,145 @@
+
+# Generic places I've shoved things from a scratch/perspective
+Notes.md
+
+
+# Build-time crud
+*.zip
+*.json
+*.log
+*.out
+*dist-info
+
+
+# Created by https://www.gitignore.io/api/osx,python
+
+### OSX ###
+*.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### Python ###
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+env/
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+# lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*,cover
+.hypothesis/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# dotenv
+.env
+
+# virtualenv
+.venv
+venv/
+ENV/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+
+# End of https://www.gitignore.io/api/osx,python
+

README.md

@@ -1,2 +1,7 @@
 # aws-fast-fixes
 Scripts to quickly fix security and compliance issues
+
+
+## Scripts in this repo
+
+* [kms-key-rotation](kms-key-rotation/README.md)

kms-key-rotation/README.md

@@ -0,0 +1,23 @@
+# kms-key-rotation
+
+This script will enable annual key rotation on all AWS Customer Managed Keys in your account.
+
+## Why?
+
+AWS Key rotation triggers AWS to create a new backing-key for your CMK. These backing-keys are the actual bits used for the encryption and decryption with KMS CMKs. Old backing-keys are not removed, and no data or envelop keys that were encrypted with the old backing-key are re-encrypted.
+
+This exists to make old-school on-prem crypto-compliance folks happy. However security tools and security policies often ding account owners for not having this set.
+
+## What the script does.
+
+This script will iterate through all your regions and attempt to list all your keys. If you have permission to the key (ie it is not locked down to a specific principal), it will issue the [EnableKeyRotation API](https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKeyRotation.html) call.
+
+## AWS Docs
+
+* [Rotating Customer Master Keys](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
+* [EnableKeyRotation API](https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKeyRotation.html)
+* [boto3 enable_key_rotation()](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms.html#KMS.Client.enable_key_rotation)
+* [boto3 list_keys()](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms.html#KMS.Client.list_keys)
+* [boto3 get_key_rotation_status()](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms.html#KMS.Client.get_key_rotation_status)
+
+

kms-key-rotation/enable-kms-key-rotation.py

@@ -0,0 +1,128 @@
+#!/usr/bin/env python3
+
+import boto3
+from botocore.exceptions import ClientError
+import os
+import logging
+# logger = logging.getLogger()
+
+
+def main(args, logger):
+
+    all_regions = get_regions(args)
+
+    for region in all_regions:
+        kms_client = boto3.client("kms", region_name = region)
+        keys = get_all_keys(kms_client)
+        for k in keys:
+            try:
+                status_response = kms_client.get_key_rotation_status(KeyId=k)
+                if 'KeyRotationEnabled' not in status_response:
+                    logger.error(f"Unable to get KeyRotationEnabled for keyid: {k}")
+                    continue
+                if status_response['KeyRotationEnabled']:
+                    logger.debug(f"KeyId {k} already has rotation enabled")
+                else:
+                    if args.actually_do_it is True:
+                        logger.info(f"Enabling KMS Key Rotation on KeyId {k}")
+                        enable_key_rotation(kms_client, k)
+                    else:
+                        logger.info(f"You Need To KMS Key Rotation on KeyId {k}")
+            except ClientError as e:
+                if e.response['Error']['Code'] == 'AccessDeniedException':
+                    logger.warning(f"Unable to get details of key {k}: AccessDenied")
+                    continue
+
+
+def enable_key_rotation(kms_client, KeyId):
+    '''Actually perform the enabling of Key rotation and checking of the status code'''
+    response = kms_client.enable_key_rotation(KeyId=KeyId)
+    if response['ResponseMetadata']['HTTPStatusCode'] == 200:
+        return(True)
+    else:
+        logger.error(f"Attempt to enable key rotation for {KeyId} returned {response}")
+        return(False)
+
+
+def get_all_keys(kms_client):
+    '''Return an array of all KMS keys for this region'''
+    keys = []
+    response = kms_client.list_keys()
+    while response['Truncated']:
+        keys += response['Keys']
+        response = kms_client.list_keys(Marker=response['NextMarker'])
+    keys += response['Keys']
+
+    key_ids = []
+    for k in keys:
+        key_ids.append(k['KeyId'])
+    return(key_ids)
+
+
+def get_regions(args):
+    '''Return a list of regions with us-east-1 first. If --region was specified, return a list wth just that'''
+
+    # If we specifed a region on the CLI, return a list of just that
+    if hasattr(args, 'region'):
+        return([args.region])
+
+    # otherwise return all the regions, us-east-1 first
+    ec2 = boto3.client('ec2')
+    response = ec2.describe_regions()
+    output = ['us-east-1']
+    for r in response['Regions']:
+        # return us-east-1 first, but dont return it twice
+        if r['RegionName'] == "us-east-1":
+            continue
+        output.append(r['RegionName'])
+    return(output)
+
+
+
+def do_args():
+    import argparse
+    parser = argparse.ArgumentParser()
+    parser.add_argument("--debug", help="print debugging info", action='store_true')
+    parser.add_argument("--error", help="print error info only", action='store_true')
+    parser.add_argument("--timestamp", help="Output log with timestamp and toolname", action='store_true')
+    parser.add_argument("--region", help="Only Process Specified Region")
+    parser.add_argument("--actually-do-it", help="Actually Perform the action", action='store_true')
+
+    args = parser.parse_args()
+
+    return(args)
+
+if __name__ == '__main__':
+
+    args = do_args()
+
+    # Logging idea stolen from: https://docs.python.org/3/howto/logging.html#configuring-logging
+    # create console handler and set level to debug
+    logger = logging.getLogger('kms-key-rotation')
+    ch = logging.StreamHandler()
+    if args.debug:
+        logger.setLevel(logging.DEBUG)
+    elif args.error:
+        logger.setLevel(logging.ERROR)
+    else:
+        logger.setLevel(logging.INFO)
+
+    # Silence Boto3 & Friends
+    logging.getLogger('botocore').setLevel(logging.WARNING)
+    logging.getLogger('boto3').setLevel(logging.WARNING)
+    logging.getLogger('urllib3').setLevel(logging.WARNING)
+
+    # create formatter
+    if args.timestamp:
+        formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+    else:
+        formatter = logging.Formatter('%(levelname)s - %(message)s')
+    # add formatter to ch
+    ch.setFormatter(formatter)
+    # add ch to logger
+    logger.addHandler(ch)
+
+    try:
+        main(args, logger)
+    except KeyboardInterrupt:
+        exit(1)