Merge pull request #106 from tremble/kms

Add Terminator support for KMS and allow KMS in the CI account
mattclay · Nov 23, 2020 · 1b6bf36 · 1b6bf36
2 parents 0da0bf2 + b09e0fc
commit 1b6bf36
Show file tree

Hide file tree

Showing 3 changed files with 116 additions and 57 deletions.
diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml
@@ -1,21 +1,7 @@
 Version: '2012-10-17'
 Statement:
-  - Sid: AllowAssumeRoleTests
-    Effect: Allow
-    Action:
-      - iam:CreateRole
-      - iam:DeleteRole
-      - iam:ListInstanceProfilesForRole
-      - iam:GetInstanceProfile
-      - iam:CreateInstanceProfile
-      - iam:DeleteInstanceProfile
-      - iam:AddRoleToInstanceProfile
-      - iam:RemoveRoleFromInstanceProfile
-      - sts:AssumeRole
-    Resource:
-      - 'arn:aws:iam::{{ aws_account_id }}:instance-profile/ansible-test-*'
-      - 'arn:aws:iam::{{ aws_account_id }}:role/ansible-test-*'
-  - Sid: AllowAssumeRoleTestsAttachAndDetachRole
+
+  - Sid: AllowAssumeRoleTestsAttachAndDetachPolicy
     Effect: Allow
     Action:
       - iam:AttachRolePolicy
@@ -32,7 +18,16 @@ Statement:
           - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole'
           - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
 
-  - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurNoFees
+  # Legacy - We need to backport ansible-collections/community.aws/63 or
+  # wait until community.aws drops CI support for Ansible 2.9
+  - Sid: AllowPassRole
+    Effect: Allow
+    Action:
+      - iam:PassRole
+    Resource:
+      - 'arn:aws:iam::{{ aws_account_id }}:role/ansible_lambda_role'
+
+  - Sid: AllowRegionalUnrestrictedResourceActionsWhichIncurNoFees
     Effect: Allow
     Action:
       - iam:ListAccountAliases
@@ -117,7 +112,19 @@ Statement:
         aws:RequestedRegion:
           - '{{ aws_region }}'
 
-  - Sid: AllowGlobalResourceRestrictedActionsWhichIncurNoFees
+  - Sid: AllowRegionalUnrestrictedResourceActionsWhichIncurFees
+    Effect: Allow
+    Action:
+      - kms:CancelKeyDeletion
+      - kms:CreateKey
+      - kms:GenerateRandom
+    Resource: "*"
+    Condition:
+      StringEquals:
+        aws:RequestedRegion:
+          - '{{ aws_region }}'
+
+  - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurNoFees
     Effect: Allow
     Action:
       - iam:GetRole
@@ -127,27 +134,53 @@ Statement:
       - iam:ListRoleTags
       - iam:TagRole
       - iam:UntagRole
-    Resource:
-      - 'arn:aws:iam::{{ aws_account_id }}:role/*'
-  - Sid: AllowPassRole
-    Effect: Allow
-    Action:
-      - iam:PassRole
-    Resource:
-      - 'arn:aws:iam::{{ aws_account_id }}:role/ansible-test-*'
-      # Legacy - We need to backport ansible-collections/community.aws/63 or
-      # wait until community.aws drops CI support for Ansible 2.9
-      - 'arn:aws:iam::{{ aws_account_id }}:role/ansible_lambda_role'
+      - kms:CreateAlias
+      - kms:CreateGrant
+      - kms:DeleteAlias
+      - kms:DescribeKey
+      - kms:DisableKey
+      - kms:DisableKeyRotation
+      - kms:EnableKey
+      - kms:EnableKeyRotation
+      - kms:GetKeyPolicy
+      - kms:GetKeyRotationStatus
+      - kms:GetPublicKey
+      - kms:ListAliases
+      - kms:ListGrants
+      - kms:ListKeyPolicies
+      - kms:ListKeys
+      - kms:ListResourceTags
+      - kms:ListRetirableGrants
+      - kms:PutKeyPolicy
+      - kms:RetireGrant
+      - kms:ScheduleKeyDeletion
+      - kms:TagResource
+      - kms:UntagResource
+      - kms:UpdateGrant
+      - kms:UpdateKeyDescription
+    Resource: "*"
 
-  - Sid: AllowACMRestrictable
+  - Sid: AllowResourceRestrictedActionsWhichIncurNoFees
     Effect: Allow
     Action:
       - acm:DescribeCertificate
       - acm:GetCertificate
       - acm:AddTagsToCertificate
       - acm:DeleteCertificate
+      - iam:AddRoleToInstanceProfile
+      - iam:CreateInstanceProfile
+      - iam:CreateRole
+      - iam:DeleteInstanceProfile
+      - iam:DeleteRole
+      - iam:GetInstanceProfile
+      - iam:ListInstanceProfilesForRole
+      - iam:PassRole
+      - iam:RemoveRoleFromInstanceProfile
+      - sts:AssumeRole
     Resource:
       - 'arn:aws:acm:{{ aws_region }}:{{ aws_account_id }}:certificate/*'
+      - 'arn:aws:iam::{{ aws_account_id }}:instance-profile/ansible-test-*'
+      - 'arn:aws:iam::{{ aws_account_id }}:role/ansible-test-*'
 
   # This allows AWS Services to autmatically create their Default Service Linked Roles
   # These have fixed policies and can only be assumed by the service itself.

diff --git a/aws/terminator/security_services.py b/aws/terminator/security_services.py
@@ -324,3 +324,56 @@ def name(self):
 
     def terminate(self):
         self.client.delete_certificate(CertificateArn=self.id)
+
+
+class KMSKey(Terminator):
+    @staticmethod
+    def create(credentials):
+        def get_paginated_keys(client):
+            return client.get_paginator('list_keys').paginate().build_full_result()['Keys']
+
+        def get_key_details(client, key):
+            metadata = client.describe_key(KeyId=key['KeyId'])['KeyMetadata']
+            _aliases = client.list_aliases(KeyId=key['KeyId'])['Aliases']
+            aliases = []
+            for alias in _aliases:
+                aliases.append(alias['AliasName'])
+            metadata['Aliases'] = aliases
+            return metadata
+
+        def get_detailed_keys(client):
+            detailed_keys = []
+            for key in get_paginated_keys(client):
+                metadata = get_key_details(client, key)
+                if metadata:
+                    detailed_keys.append(metadata)
+            return detailed_keys
+
+        return Terminator._create(credentials, KMSKey, 'kms', get_detailed_keys)
+
+    @property
+    def ignore(self):
+        # The key is already in a 'pending deletion' state, and doesn't need
+        # anything more done to it.
+        if self.instance['KeyState'] == 'PendingDeletion':
+            return True
+        # Don't try deleting the AWS managed keys (they're not charged for)
+        for alias in self.instance['Aliases']:
+            if alias.startswith('alias/aws/'):
+                return True
+        return False
+
+    @property
+    def created_time(self):
+        return self.instance['CreationDate']
+
+    @property
+    def id(self):
+        return self.instance['KeyId']
+
+    @property
+    def name(self):
+        return self.instance['Aliases']
+
+    def terminate(self):
+        self.client.schedule_key_deletion(KeyId=self.id, PendingWindowInDays=7)
diff --git a/hacking/aws_config/test_policies/security-services.yaml b/hacking/aws_config/test_policies/security-services.yaml
@@ -28,33 +28,6 @@ Statement:
       - iam:ListServerCertificates
       - iam:UpdateServerCertificate
       - iam:UploadServerCertificate
-      # Because KMS CMKs are assigned a random UUID we can't apply Resource
-      # restrictions at the IAM policy level
-      - kms:CancelKeyDeletion
-      - kms:CreateAlias
-      - kms:CreateGrant
-      - kms:CreateKey
-      - kms:DeleteAlias
-      - kms:DescribeKey
-      - kms:DisableKey
-      - kms:EnableKey
-      - kms:GenerateRandom
-      - kms:GetKeyPolicy
-      - kms:GetKeyRotationStatus
-      - kms:GetPublicKey
-      - kms:ListAliases
-      - kms:ListGrants
-      - kms:ListKeyPolicies
-      - kms:ListKeys
-      - kms:ListResourceTags
-      - kms:ListRetirableGrants
-      - kms:PutKeyPolicy
-      - kms:RetireGrant
-      - kms:ScheduleKeyDeletion
-      - kms:TagResource
-      - kms:UntagResource
-      - kms:UpdateGrant
-      - kms:UpdateKeyDescription
       - waf:DeleteLoggingConfiguration
       - waf:DeletePermissionPolicy
       - waf:GetLoggingConfiguration