def test_cwe_schedule(self):
session_factory = self.replay_flight_data('test_cwe_schedule',
zdata=True)
p = Policy(
{
'resource': 'ec2',
'name': 'periodic-ec2-checker',
'mode': {
'type': 'periodic',
'schedule': 'rate(1 day)'
}
}, Config.empty())
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
result = mgr.publish(pl, 'Dev', role=self.role)
self.assert_items(
result, {
'FunctionName': 'maid-periodic-ec2-checker',
'Handler': 'maid_policy.run',
'MemorySize': 512,
'Runtime': 'python2.7',
'Timeout': 60
})
events = session_factory().client('events')
result = events.list_rules(NamePrefix="maid-periodic-ec2-checker")
self.assert_items(
result['Rules'][0], {
"State": "ENABLED",
"ScheduleExpression": "rate(1 day)",
"Name": "maid-periodic-ec2-checker"
})
mgr.remove(pl)
def get_metrics(self, start, end, period):
from c7n.mu import LambdaManager, PolicyLambda
manager = LambdaManager(self.policy.session_factory)
values = manager.metrics([PolicyLambda(self.policy)], start, end,
period)[0]
values.update(super(LambdaMode, self).get_metrics(start, end, period))
return values
def test_cwe_security_hub_action(self):
factory = self.replay_flight_data('test_mu_cwe_sechub_action')
p = self.load_policy(
{
'name': 'sechub',
'resource': 'account',
'mode': {
'type': 'hub-action'
}
},
session_factory=factory,
config={'account_id': ACCOUNT_ID})
mu_policy = PolicyLambda(p)
events = mu_policy.get_events(factory)
self.assertEqual(len(events), 1)
hub_action = events.pop()
self.assertEqual(
json.loads(hub_action.cwe.render_event_pattern()), {
'resources': [
'arn:aws:securityhub:us-east-1:644160558196:action/custom/sechub'
],
'source': ['aws.securityhub'],
'detail-type': [
'Security Hub Findings - Custom Action',
'Security Hub Insight Results'
]
})
hub_action.cwe = cwe = mock.Mock(CloudWatchEventSource)
cwe.get.return_value = False
cwe.update.return_value = True
cwe.add.return_value = True
self.assertEqual(repr(hub_action), "<SecurityHub Action sechub>")
self.assertEqual(
hub_action._get_arn(),
"arn:aws:securityhub:us-east-1:644160558196:action/custom/sechub")
self.assertEqual(hub_action.get(mu_policy.name), {
'event': False,
'action': None
})
hub_action.add(mu_policy)
self.assertEqual(
{
'event': False,
'action': {
'ActionTargetArn': ('arn:aws:securityhub:us-east-1:'
'644160558196:action/custom/sechub'),
'Name':
'Account sechub',
'Description':
'sechub'
}
}, hub_action.get(mu_policy.name))
hub_action.update(mu_policy)
hub_action.remove(mu_policy)
self.assertEqual(hub_action.get(mu_policy.name), {
'event': False,
'action': None
})
def create_a_lambda(self, flight, **extra):
session_factory = self.replay_flight_data(flight, zdata=True)
mode = {
"type": "config-rule",
"role": "arn:aws:iam::644160558196:role/custodian-mu"
}
mode.update(extra)
p = self.load_policy(
{
"resource": "s3",
"name": "hello-world",
"actions": ["no-op"],
"mode": mode
},
session_factory=session_factory)
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
def cleanup():
mgr.remove(pl)
if self.recording:
time.sleep(60)
self.addCleanup(cleanup)
return mgr, mgr.publish(pl)
def test_phd_mode(self):
factory = self.replay_flight_data('test_phd_event_mode')
p = self.load_policy(
{
'name': 'ec2-retire',
'resource': 'ec2',
'mode': {
'categories': ['scheduledChange'],
'events':
['AWS_EC2_PERSISTENT_INSTANCE_RETIREMENT_SCHEDULED'],
'type': 'phd'
}
},
session_factory=factory)
mode = p.get_execution_mode()
event = event_data('event-phd-ec2-retire.json')
resources = mode.run(event, None)
self.assertEqual(len(resources), 1)
p_lambda = PolicyLambda(p)
events = p_lambda.get_events(factory)
self.assertEqual(
json.loads(events[0].render_event_pattern()), {
'detail': {
'eventTypeCategory': ['scheduledChange'],
'eventTypeCode':
['AWS_EC2_PERSISTENT_INSTANCE_RETIREMENT_SCHEDULED']
},
'source': ['aws.health']
})
def test_config_defaults(self):
p = PolicyLambda(Bag({"name": "hello", "data": {"mode": {}}}))
self.maxDiff = None
self.assertEqual(
p.get_config(),
{
"DeadLetterConfig": {},
"Description": "cloud-custodian lambda policy",
"FunctionName": "custodian-hello",
"Handler": "custodian_policy.run",
"KMSKeyArn": "",
"MemorySize": 512,
"Role": "",
"Runtime": "python3.8",
"Tags": {},
"Timeout": 900,
"TracingConfig": {
"Mode": "PassThrough"
},
"VpcConfig": {
"SecurityGroupIds": [],
"SubnetIds": []
},
},
)
def test_cwe_asg_instance(self):
session_factory = self.replay_flight_data('test_cwe_asg', zdata=True)
p = Policy({
'resource': 'asg',
'name': 'asg-spin-detector',
'mode': {
'type': 'asg-instance-state',
'events': ['launch-failure']}
}, Config.empty())
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
self.addCleanup(mgr.remove, pl)
result = mgr.publish(pl, 'Dev', role=ROLE)
self.assert_items(
result,
{'FunctionName': 'custodian-asg-spin-detector',
'Handler': 'custodian_policy.run',
'MemorySize': 512,
'Runtime': 'python2.7',
'Timeout': 60})
events = session_factory().client('events')
result = events.list_rules(NamePrefix="custodian-asg-spin-detector")
self.assert_items(
result['Rules'][0],
{"State": "ENABLED",
"Name": "custodian-asg-spin-detector"})
self.assertEqual(
json.loads(result['Rules'][0]['EventPattern']),
{"source": ["aws.autoscaling"],
"detail-type": ["EC2 Instance Launch Unsuccessful"]})
def test_mu_metrics(self):
session_factory = self.replay_flight_data("test_mu_metrics")
p = Policy(
{
"resources": "s3",
"name": "s3-bucket-policy",
"resource": "s3",
"mode": {
"type": "cloudtrail",
"events": ["CreateBucket"]
},
"actions": ["no-op"],
},
Config.empty(),
)
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
end = datetime.utcnow()
start = end - timedelta(1)
results = mgr.metrics([pl], start, end, 3600)
self.assertEqual(
results,
[{
"Durations": [],
"Errors": [],
"Throttles": [],
"Invocations": []
}],
)
def test_cwe_schedule(self):
session_factory = self.replay_flight_data("test_cwe_schedule", zdata=True)
p = self.load_policy(
{
"resource": "ec2",
"name": "periodic-ec2-checker",
"mode": {"type": "periodic", "schedule": "rate(1 day)"},
}, session_factory=session_factory)
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
self.addCleanup(mgr.remove, pl)
result = mgr.publish(pl, "Dev", role=ROLE)
self.assert_items(
result,
{
"FunctionName": "custodian-periodic-ec2-checker",
"Handler": "custodian_policy.run",
"MemorySize": 512,
"Runtime": "python2.7",
"Timeout": 60,
},
)
events = session_factory().client("events")
result = events.list_rules(NamePrefix="custodian-periodic-ec2-checker")
self.assert_items(
result["Rules"][0],
{
"State": "ENABLED",
"ScheduleExpression": "rate(1 day)",
"Name": "custodian-periodic-ec2-checker",
},
)
def test_phd_mode_sans_details(self):
factory = self.replay_flight_data('test_phd_event_mode')
p = self.load_policy(
{'name': 'ec2-retire',
'resource': 'account',
'mode': {'type': 'phd'}}, session_factory=factory)
p_lambda = PolicyLambda(p)
events = p_lambda.get_events(factory)
self.assertEqual(
json.loads(events[0].render_event_pattern()),
{'source': ['aws.health']}
)
def test_config_rule_provision(self):
session_factory = self.replay_flight_data('test_config_rule')
p = Policy({
'resource': 'security-group',
'name': 'sg-modified',
'mode': {'type': 'config-rule'},
}, Config.empty())
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
result = mgr.publish(pl, 'Dev', role=self.role)
self.assertEqual(result['FunctionName'], 'custodian-sg-modified')
self.addCleanup(mgr.remove, pl)
def update_a_lambda(self, mgr, **config):
mode = {
"type": "config-rule", "role": "arn:aws:iam::644160558196:role/custodian-mu"
}
mode.update(config)
p = self.load_policy({
"resource": "s3",
"name": "hello-world",
"actions": ["no-op"],
"mode": mode,
})
pl = PolicyLambda(p)
return mgr.publish(pl)
def update_a_lambda(self, mgr, **config):
mode = {
'type': 'config-rule',
'role':'arn:aws:iam::644160558196:role/custodian-mu'}
mode.update(config)
p = Policy({
'resource': 's3',
'name': 'hello-world',
'actions': ['no-op'],
'mode': mode
}, Config.empty())
pl = PolicyLambda(p)
return mgr.publish(pl)
def test_cwe_instance(self):
session_factory = self.replay_flight_data("test_cwe_instance",
zdata=True)
p = self.load_policy(
{
"resource": "s3",
"name": "ec2-encrypted-vol",
"mode": {
"type": "ec2-instance-state",
"events": ["pending"]
}
},
session_factory=session_factory)
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
self.addCleanup(mgr.remove, pl)
result = mgr.publish(pl, "Dev", role=ROLE)
self.assert_items(
result,
{
"Description": "cloud-custodian lambda policy",
"FunctionName": "custodian-ec2-encrypted-vol",
"Handler": "custodian_policy.run",
"MemorySize": 512,
"Runtime": "python2.7",
"Timeout": 60,
},
)
events = session_factory().client("events")
result = events.list_rules(NamePrefix="custodian-ec2-encrypted-vol")
self.assert_items(
result["Rules"][0],
{
"State": "ENABLED",
"Name": "custodian-ec2-encrypted-vol"
},
)
self.assertEqual(
json.loads(result["Rules"][0]["EventPattern"]),
{
"source": ["aws.ec2"],
"detail": {
"state": ["pending"]
},
"detail-type": ["EC2 Instance State-change Notification"],
},
)
def test_cwe_trail(self):
session_factory = self.replay_flight_data("test_cwe_trail", zdata=True)
p = self.load_policy(
{
"resource":
"s3",
"name":
"s3-bucket-policy",
"mode": {
"type": "cloudtrail",
"events": ["CreateBucket"]
},
"filters": [{
"type": "missing-policy-statement",
"statement_ids": ["RequireEncryptedPutObject"],
}],
"actions": ["no-op"]
},
session_factory=session_factory)
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
self.addCleanup(mgr.remove, pl)
result = mgr.publish(pl, "Dev", role=ROLE)
events = pl.get_events(session_factory)
self.assertEqual(len(events), 1)
event = events.pop()
self.assertEqual(
json.loads(event.render_event_pattern()),
{
u"detail": {
u"eventName": [u"CreateBucket"],
u"eventSource": [u"s3.amazonaws.com"],
},
u"detail-type": ["AWS API Call via CloudTrail"],
},
)
self.assert_items(
result,
{
"Description": "cloud-custodian lambda policy",
"FunctionName": "custodian-s3-bucket-policy",
"Handler": "custodian_policy.run",
"MemorySize": 512,
"Runtime": "python2.7",
"Timeout": 60,
},
)
def test_optional_packages(self):
p = Policy({
'resources': 's3',
'name': 's3-lambda-extra',
'resource': 's3',
'mode': {
'type': 'cloudtrail',
'packages': ['boto3', 'botocore'],
'events': ['CreateBucket'],
}}, Config.empty())
pl = PolicyLambda(p)
pl.archive.close()
self.assertTrue('boto3/utils.py' in pl.archive.get_filenames())
self.assertTrue('botocore/utils.py' in pl.archive.get_filenames())
def test_optional_packages(self):
data = {
"name": "s3-lambda-extra",
"resource": "s3",
"mode": {
"type": "cloudtrail",
"packages": ["boto3"],
"events": ["CreateBucket"],
},
}
p = self.load_policy(data)
pl = PolicyLambda(p)
pl.archive.close()
self.assertTrue("boto3/utils.py" in pl.archive.get_filenames())
def get_metrics(self, start, end, period):
# Avoiding runtime lambda dep, premature optimization?
from c7n.mu import PolicyLambda, LambdaManager
values = {}
# Pickup lambda specific metrics (errors, invocations, durations)
if self.is_lambda:
manager = LambdaManager(self.session_factory)
values = manager.metrics([PolicyLambda(self)], start, end,
period)[0]
metrics = ['ResourceCount']
else:
metrics = ['ResourceCount', 'ResourceTime', 'ActionTime']
default_dimensions = {
'Policy': self.name,
'ResType': self.resource_type,
'Scope': 'Policy'
}
# Support action, and filter custom metrics
for el in itertools.chain(self.resource_manager.actions,
self.resource_manager.filters):
if el.metrics:
metrics.extend(el.metrics)
session = utils.local_session(self.session_factory)
client = session.client('cloudwatch')
for m in metrics:
if isinstance(m, basestring):
dimensions = default_dimensions
else:
m, m_dimensions = m
dimensions = dict(default_dimensions)
dimensions.update(m_dimensions)
results = client.get_metric_statistics(
Namespace=DEFAULT_NAMESPACE,
Dimensions=[{
'Name': k,
'Value': v
} for k, v in dimensions.items()],
Statistics=['Sum', 'Average'],
StartTime=start,
EndTime=end,
Period=period,
MetricName=m)
values[m] = results['Datapoints']
return values
def test_config_rule_provision(self):
session_factory = self.replay_flight_data("test_config_rule")
p = Policy(
{
"resource": "security-group",
"name": "sg-modified",
"mode": {"type": "config-rule"},
},
Config.empty(),
)
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
result = mgr.publish(pl, "Dev", role=ROLE)
self.assertEqual(result["FunctionName"], "custodian-sg-modified")
self.addCleanup(mgr.remove, pl)
def create_a_lambda(self, flight, **extra):
session_factory = self.replay_flight_data(flight, zdata=True)
mode = {
'type': 'config-rule',
'role':'arn:aws:iam::644160558196:role/custodian-mu'}
mode.update(extra)
p = Policy({
'resource': 's3',
'name': 'hello-world',
'actions': ['no-op'],
'mode': mode,
}, Config.empty())
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
self.addCleanup(mgr.remove, pl)
return mgr, mgr.publish(pl)
def provision(self):
"""Provision policy as a lambda function."""
# Avoiding runtime lambda dep, premature optimization?
from c7n.mu import PolicyLambda, LambdaManager
with self.ctx:
self.log.info("Provisioning policy lambda %s", self.name)
try:
manager = LambdaManager(self.session_factory)
except ClientError:
# For cli usage by normal users, don't assume the role just use
# it for the lambda
manager = LambdaManager(
lambda assume=False: self.session_factory(assume))
return manager.publish(PolicyLambda(self),
'current',
role=self.options.assume_role)
def test_cwe_asg_instance(self):
session_factory = self.replay_flight_data("test_cwe_asg", zdata=True)
p = self.load_policy(
{
"resource": "asg",
"name": "asg-spin-detector",
"mode": {
"type": "asg-instance-state",
"events": ["launch-failure"]
},
},
session_factory=session_factory)
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
self.addCleanup(mgr.remove, pl)
result = mgr.publish(pl, "Dev", role=ROLE)
self.assert_items(
result,
{
"FunctionName": "custodian-asg-spin-detector",
"Handler": "custodian_policy.run",
"MemorySize": 512,
"Runtime": "python2.7",
"Timeout": 60,
},
)
events = session_factory().client("events")
result = events.list_rules(NamePrefix="custodian-asg-spin-detector")
self.assert_items(
result["Rules"][0],
{
"State": "ENABLED",
"Name": "custodian-asg-spin-detector"
},
)
self.assertEqual(
json.loads(result["Rules"][0]["EventPattern"]),
{
"source": ["aws.autoscaling"],
"detail-type": ["EC2 Instance Launch Unsuccessful"],
},
)
def test_optional_packages(self):
p = Policy(
{
"resources": "s3",
"name": "s3-lambda-extra",
"resource": "s3",
"mode": {
"type": "cloudtrail",
"packages": ["boto3", "botocore"],
"events": ["CreateBucket"],
},
},
Config.empty(),
)
pl = PolicyLambda(p)
pl.archive.close()
self.assertTrue("boto3/utils.py" in pl.archive.get_filenames())
self.assertTrue("botocore/utils.py" in pl.archive.get_filenames())
def test_phd_mode_account(self):
factory = self.replay_flight_data('test_phd_event_account')
p = self.load_policy(
{'name': 'ec2-retire',
'resource': 'account',
'mode': {
'categories': ['issue', 'scheduledChange'],
'statuses': ['open', 'upcoming'],
'type': 'phd'}}, session_factory=factory)
p_lambda = PolicyLambda(p)
events = p_lambda.get_events(factory)
self.assertEqual(
json.loads(events[0].render_event_pattern()),
{'detail': {
'eventTypeCategory': ['issue', 'scheduledChange']},
'source': ['aws.health']}
)
def test_config_defaults(self):
p = PolicyLambda(Bag({'name': 'hello', 'data': {'mode': {}}}))
self.maxDiff = None
self.assertEqual(
p.get_config(),
{'DeadLetterConfig': {'TargetArn': ''},
'Description': 'cloud-custodian lambda policy',
'Environment': {'Variables': {}},
'FunctionName': 'custodian-hello',
'Handler': 'custodian_policy.run',
'KMSKeyArn': '',
'MemorySize': 512,
'Role': '',
'Runtime': 'python2.7',
'Tags': {},
'Timeout': 60,
'TracingConfig': {'Mode': 'PassThrough'},
'VpcConfig': {'SecurityGroupIds': [], 'SubnetIds': []}})
def test_cwe_trail(self):
session_factory = self.replay_flight_data('test_cwe_trail', zdata=True)
p = Policy(
{
'resource':
's3',
'name':
's3-bucket-policy',
'mode': {
'type': 'cloudtrail',
'events': ["CreateBucket"],
},
'filters': [{
'type': 'missing-policy-statement',
'statement_ids': ['RequireEncryptedPutObject']
}],
'actions': ['no-op']
}, Config.empty())
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
result = mgr.publish(pl, 'Dev', role=self.role)
events = pl.get_events(session_factory)
self.assertEqual(len(events), 1)
event = events.pop()
self.assertEqual(
json.loads(event.render_event_pattern()), {
u'detail': {
u'eventName': [u'CreateBucket'],
u'eventSource': [u's3.amazonaws.com']
},
u'detail-type': ['AWS API Call via CloudTrail']
})
self.assert_items(
result, {
'Description': 'cloud-custodian lambda policy',
'FunctionName': 'custodian-s3-bucket-policy',
'Handler': 'custodian_policy.run',
'MemorySize': 512,
'Runtime': 'python2.7',
'Timeout': 60
})
mgr.remove(pl)
def test_mu_metrics(self):
session_factory = self.replay_flight_data('test_mu_metrics')
p = Policy({
'resources': 's3',
'name': 's3-bucket-policy',
'resource': 's3',
'mode': {
'type': 'cloudtrail',
'events': ['CreateBucket'],
},
'actions': ['no-op']}, Config.empty())
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
end = datetime.utcnow()
start = end - timedelta(1)
results = mgr.metrics([pl], start, end, 3600)
self.assertEqual(
results, [{'Durations': [], 'Errors': [],
'Throttles': [], 'Invocations': []}])
def test_cwe_instance(self):
session_factory = self.replay_flight_data('test_cwe_instance',
zdata=True)
p = Policy(
{
'resource': 's3',
'name': 'ec2-encrypted-vol',
'mode': {
'type': 'ec2-instance-state',
'events': ['pending']
}
}, Config.empty())
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
result = mgr.publish(pl, 'Dev', role=self.role)
self.assert_items(
result, {
'Description': 'cloud-maid lambda policy',
'FunctionName': 'maid-ec2-encrypted-vol',
'Handler': 'maid_policy.run',
'MemorySize': 512,
'Runtime': 'python2.7',
'Timeout': 60
})
events = session_factory().client('events')
result = events.list_rules(NamePrefix="maid-ec2-encrypted-vol")
self.assert_items(result['Rules'][0], {
"State": "ENABLED",
"Name": "maid-ec2-encrypted-vol"
})
self.assertEqual(
json.loads(result['Rules'][0]['EventPattern']), {
"source": ["aws.ec2"],
"detail": {
"state": ["pending"]
},
"detail-type": ["EC2 Instance State-change Notification"]
})
mgr.remove(pl)
def test_user_pattern_merge(self):
p = self.load_policy({
'name': 'ec2-retire',
'resource': 'ec2',
'mode': {
'type': 'cloudtrail',
'pattern': {
'detail': {
'userIdentity': {
'userName': [{'anything-but': 'deputy'}]}}},
'events': [{
'ids': 'responseElements.subnet.subnetId',
'source': 'ec2.amazonaws.com',
'event': 'CreateSubnet'}]}})
p_lambda = PolicyLambda(p)
events = p_lambda.get_events(None)
self.assertEqual(
json.loads(events[0].render_event_pattern()),
{'detail': {'eventName': ['CreateSubnet'],
'eventSource': ['ec2.amazonaws.com'],
'userIdentity': {'userName': [{'anything-but': 'deputy'}]}},
'detail-type': ['AWS API Call via CloudTrail']})
def provision(self):
# Avoiding runtime lambda dep, premature optimization?
from c7n.mu import PolicyLambda, LambdaManager
with self.policy.ctx:
self.policy.log.info(
"Provisioning policy lambda %s", self.policy.name)
variables = {
'account_id': self.policy.options.account_id,
'policy': self.policy.data
}
self.policy.data = self.expand_variables(variables)
try:
manager = LambdaManager(self.policy.session_factory)
except ClientError:
# For cli usage by normal users, don't assume the role just use
# it for the lambda
manager = LambdaManager(
lambda assume=False: self.policy.session_factory(assume))
return manager.publish(
PolicyLambda(self.policy), 'current',
role=self.policy.options.assume_role)
