

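def create_kms_key(session, region):
    """
    Return the ARN of the KMS key used by the GuardDuty publishing
    destination in ``region``, creating the key and its alias if absent.

    The key policy created here grants:

    * the GuardDuty master account root principal ``kms:*`` (the standard
      AWS default statement that lets IAM policies in that account govern
      the key);
    * the ``AWSControlTowerExecution`` role in the master account the usual
      key-administration actions (create/describe/enable/list/put/update/
      revoke/disable/get/delete, tagging, scheduling and cancelling deletion);
    * the ``guardduty.amazonaws.com`` service principal encrypt/decrypt/
      re-encrypt/data-key/describe actions, plus grant management limited to
      grants for AWS resources (``kms:GrantIsForAWSResource``).

    NOTE(review): the two service-principal statements carry no
    ``aws:SourceAccount`` / ``aws:SourceArn`` condition, so they are not
    scoped to this account's GuardDuty detector. Whether that is acceptable
    for this deployment is a policy decision to confirm with the owners
    before tightening it.

    :param session: boto3 session (STS-derived) for the GuardDuty master account
    :param region: region in which the GuardDuty master is to be enabled
    :return: ARN of the existing or newly created KMS key
    :raises Exception: any error from ``describe_key`` other than the alias
        not existing (for example an access-denied error) now propagates
        instead of being mistaken for "key missing" and triggering creation
    """
    kms_client = session.client('kms', region_name=region)
    key_alias = 'alias/controltower/guardduty'

    try:
        key_response = kms_client.describe_key(KeyId=key_alias)
    except kms_client.exceptions.NotFoundException:
        # Alias not present in this region: fall through and create the key.
        # Only this exception means "missing"; a permissions or throttling
        # error must not be swallowed and turned into a second key.
        pass
    else:
        # NOTE(review): an alias whose target key is disabled or pending
        # deletion is returned as-is; callers should confirm KeyState if
        # that matters to them.
        logger.info(f'Existing key {key_alias} found.')
        return key_response['KeyMetadata']['Arn']

    logger.info(f'Creating new encryption key {key_alias}')
    key_policy = {
        'Version': '2012-10-17',
        'Id': 'auto-controltower-guardduty',
        'Statement': [
            {
                # Account-root statement: without it the key becomes
                # unmanageable once the creating principal is gone.
                'Sid': 'Enable IAM User Permissions',
                'Effect': 'Allow',
                'Principal': {
                    'AWS': f'arn:aws:iam::{gdmaster_account_number}:root'
                },
                'Action': 'kms:*',
                'Resource': '*'
            },
            {
                'Sid': 'Allow access for Key Administrators',
                'Effect': 'Allow',
                'Principal': {
                    'AWS': f'arn:aws:iam::{gdmaster_account_number}'
                    ':role/AWSControlTowerExecution'
                },
                'Action': [
                    'kms:Create*',
                    'kms:Describe*',
                    'kms:Enable*',
                    'kms:List*',
                    'kms:Put*',
                    'kms:Update*',
                    'kms:Revoke*',
                    'kms:Disable*',
                    'kms:Get*',
                    'kms:Delete*',
                    'kms:TagResource',
                    'kms:UntagResource',
                    'kms:ScheduleKeyDeletion',
                    'kms:CancelKeyDeletion'
                ],
                'Resource': '*'
            },
            {
                'Sid': 'Allow use of the key',
                'Effect': 'Allow',
                'Principal': {
                    'Service': 'guardduty.amazonaws.com'
                },
                'Action': [
                    'kms:Encrypt',
                    'kms:Decrypt',
                    'kms:ReEncrypt*',
                    'kms:GenerateDataKey*',
                    'kms:DescribeKey'
                ],
                'Resource': '*'
            },
            {
                'Sid': 'Allow attachment of persistent resources',
                'Effect': 'Allow',
                'Principal': {
                    'Service': 'guardduty.amazonaws.com'
                },
                'Action': [
                    'kms:CreateGrant',
                    'kms:ListGrants',
                    'kms:RevokeGrant'
                ],
                'Resource': '*',
                'Condition': {
                    'Bool': {
                        # Restrict grant creation to grants made on behalf of
                        # AWS services, not arbitrary grantee principals.
                        'kms:GrantIsForAWSResource': 'true'
                    }
                }
            }
        ]
    }

    key_result = kms_client.create_key(
        Policy=json.dumps(key_policy),
        Description='The key to encrypt/decrypt GuardDuty findings'
    )
    # The alias is what the next run looks up; if this call fails the key
    # exists without an alias and a re-run will create another one.
    # NOTE(review): there is no cleanup for that partial-failure path.
    kms_client.create_alias(
        AliasName=key_alias,
        TargetKeyId=key_result['KeyMetadata']['KeyId']
    )
    return key_result['KeyMetadata']['Arn']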