steampipe-mod-aws-compliance
secretsmanager_secret_encrypted_with_kms_cmk query conditions are incorrect
Describe the bug: This query checks the opposite of what it should. It passes the condition when alias/aws/secretsmanager is being used, and this is an AWS managed key and not a CMK.
Steampipe version (steampipe -v)
v0.16.4
Plugin version (steampipe plugin list)
aws - 0.78.0
To reproduce
aws secretsmanager describe-secret --secret-id virginia
{
"ARN": "arn:aws:secretsmanager:us-east-1:000000000000:secret:virginia-oqeQUq",
"Name": "virginia",
"RotationEnabled": true,
"RotationLambdaARN": "arn:aws:lambda:us-east-1:000000000000:function:virginia",
"RotationRules": {
"AutomaticallyAfterDays": 1,
"ScheduleExpression": "rate(1 days)"
},
"LastChangedDate": "2022-10-03T17:26:35.793000+00:00",
"LastAccessedDate": "2022-10-03T00:00:00+00:00",
"Tags": [],
"VersionIdsToStages": {
"c00d937a-3e53-42fa-95f9-38034caffdba": [
"AWSPENDING"
],
"c94e161b-18b3-4dcb-b282-2bf3309ed9a1": [
"AWSCURRENT"
]
},
"CreatedDate": "2022-10-03T13:27:29.797000+00:00"
}
Running the query
+----------------------------------------------------------------------+--------+------------------------------+-----------+--------------+
| resource | status | reason | region | account_id |
+----------------------------------------------------------------------+--------+------------------------------+-----------+--------------+
| arn:aws:secretsmanager:us-east-1:000000000000:secret:virginia-oqeQUq | ok | virginia encrypted with CMK. | us-east-1 | 000000000000 |
+----------------------------------------------------------------------+--------+------------------------------+-----------+--------------+
Expected behaviour: This is not encrypted with a CMK; the output shows it encrypted with a CMK.
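One way to express the check the issue asks for, as an added example that is neither the mod's query nor the maintainer's fix: it reads a describe-secret document like the one above, treats an absent KmsKeyId or the alias/aws/secretsmanager alias as the AWS managed key, and only reports ok when a different key is referenced. The ARN shapes of the constructed variants and the ok/alarm reason wording are assumptions; note that a key referenced by a bare key ID or key ARN could still be the AWS managed key, which this function cannot tell apart without a describe-key lookup.

```python
"""Classify how a Secrets Manager secret is encrypted from describe-secret JSON.

Added illustration, not the compliance mod's own query. Assumes the documented
describe-secret behaviour: KmsKeyId is omitted when the secret uses the AWS
managed key, otherwise it holds the key ARN, key ID or alias given at creation.
"""

# Alias of the AWS managed key that Secrets Manager uses by default.
AWS_MANAGED_ALIAS = "alias/aws/secretsmanager"


def uses_cmk(secret: dict) -> bool:
    """Return True only when the secret references a key other than the AWS managed one.

    An absent/empty KmsKeyId, or the aws/secretsmanager alias (bare or as an
    alias ARN), means the AWS managed key: the secret is NOT encrypted with a CMK.
    A key ID or key ARN is assumed to be customer managed; resolving whether it
    is actually AWS managed would need a KMS describe-key call.
    """
    key = secret.get("KmsKeyId")
    if not key:
        return False
    if key == AWS_MANAGED_ALIAS or key.endswith(":" + AWS_MANAGED_ALIAS):
        return False
    return True


def check_secret(secret: dict) -> dict:
    """Produce a row shaped like the control output quoted in the issue."""
    ok = uses_cmk(secret)
    key_kind = "CMK" if ok else "AWS managed key"
    return {
        "resource": secret["ARN"],
        "status": "ok" if ok else "alarm",
        "reason": f"{secret['Name']} encrypted with {key_kind}.",
    }


# Sample inputs. The first is the describe-secret document from the issue
# (KmsKeyId absent, so the AWS managed key); the other two are constructed
# variants with an assumed alias-ARN and key-ARN form of KmsKeyId.
SECRET_DEFAULT_KEY = {
    "ARN": "arn:aws:secretsmanager:us-east-1:000000000000:secret:virginia-oqeQUq",
    "Name": "virginia",
    "RotationEnabled": True,
}
SECRET_ALIAS_ARN = {
    "ARN": "arn:aws:secretsmanager:us-east-1:000000000000:secret:constructed-a-AbCdEf",
    "Name": "constructed-a",
    "KmsKeyId": "arn:aws:kms:us-east-1:000000000000:alias/aws/secretsmanager",
}
SECRET_CMK = {
    "ARN": "arn:aws:secretsmanager:us-east-1:000000000000:secret:constructed-b-GhIjKl",
    "Name": "constructed-b",
    "KmsKeyId": "arn:aws:kms:us-east-1:000000000000:key/11111111-2222-3333-4444-555555555555",
}


if __name__ == "__main__":
    for s in (SECRET_DEFAULT_KEY, SECRET_ALIAS_ARN, SECRET_CMK):
        row = check_secret(s)
        print(f"{row['status']:5}  {row['reason']}")
```

Run against the quoted secret this yields alarm with reason "virginia encrypted with AWS managed key.", which is the outcome the issue expects in place of the ok row shown above.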
@akumar-99 Thanks for reporting this issue!
I've just pushed a fix to the release/v0.49 branch, which is where we're staging the changes for this week's upcoming release. We'll formally release this into the main branch later this week, but if you're interested in trying it out / running the fixed query, feel free to check out that branch and let us know if you see any other errors.