def test_cwe_schedule(self): session_factory = self.replay_flight_data('test_cwe_schedule', zdata=True) p = Policy( { 'resource': 'ec2', 'name': 'periodic-ec2-checker', 'mode': { 'type': 'periodic', 'schedule': 'rate(1 day)' } }, Config.empty()) pl = PolicyLambda(p) mgr = LambdaManager(session_factory) result = mgr.publish(pl, 'Dev', role=self.role) self.assert_items( result, { 'FunctionName': 'maid-periodic-ec2-checker', 'Handler': 'maid_policy.run', 'MemorySize': 512, 'Runtime': 'python2.7', 'Timeout': 60 }) events = session_factory().client('events') result = events.list_rules(NamePrefix="maid-periodic-ec2-checker") self.assert_items( result['Rules'][0], { "State": "ENABLED", "ScheduleExpression": "rate(1 day)", "Name": "maid-periodic-ec2-checker" }) mgr.remove(pl)
def xtest_cwe_update_no_change(self): session_factory = self.replay_flight_data('test_cwe_update', zdata=True) p = Policy( { 'resource': 's3', 'name': 's3-bucket-policy', 'mode': { 'type': 'cloudtrail', 'events': ["CreateBucket"], }, 'filters': [{ 'type': 'missing-policy-statement', 'statement_ids': ['RequireEncryptedPutObject'] }], 'actions': ['no-op'] }, Config.empty()) pl = PolicyLambda(p) mgr = LambdaManager(session_factory) result = mgr.publish(pl, 'Dev', role=self.role) output = self.capture_logging('custodian.lambda', level=logging.DEBUG) result2 = mgr.publish(PolicyLambda(p), 'Dev', role=self.role) self.assertEqual(len(output.getvalue().strip().split('\n')), 1) self.assertEqual(result['FunctionName'], result2['FunctionName']) mgr.remove(pl)
def test_cwe_schedule(self): session_factory = self.replay_flight_data( 'test_cwe_schedule', zdata=True) p = Policy({ 'resource': 'ec2', 'name': 'periodic-ec2-checker', 'mode': { 'type': 'periodic', 'schedule': 'rate(1 day)' } }, Config.empty()) pl = PolicyLambda(p) mgr = LambdaManager(session_factory) result = mgr.publish(pl, 'Dev', role=self.role) self.assert_items( result, {'FunctionName': 'maid-periodic-ec2-checker', 'Handler': 'maid_policy.run', 'MemorySize': 512, 'Runtime': 'python2.7', 'Timeout': 60}) events = session_factory().client('events') result = events.list_rules(NamePrefix="maid-periodic-ec2-checker") self.assert_items( result['Rules'][0], { "State": "ENABLED", "ScheduleExpression": "rate(1 day)", "Name": "maid-periodic-ec2-checker"}) mgr.remove(pl)
def test_cwe_asg_instance(self): session_factory = self.replay_flight_data('test_cwe_asg', zdata=True) p = Policy({ 'resource': 'asg', 'name': 'asg-spin-detector', 'mode': { 'type': 'asg-instance-state', 'events': ['launch-failure']} }, Config.empty()) pl = PolicyLambda(p) mgr = LambdaManager(session_factory) result = mgr.publish(pl, 'Dev', role=self.role) self.assert_items( result, {'FunctionName': 'maid-asg-spin-detector', 'Handler': 'maid_policy.run', 'MemorySize': 512, 'Runtime': 'python2.7', 'Timeout': 60}) events = session_factory().client('events') result = events.list_rules(NamePrefix="maid-asg-spin-detector") self.assert_items( result['Rules'][0], {"State": "ENABLED", "Name": "maid-asg-spin-detector"}) self.assertEqual( json.loads(result['Rules'][0]['EventPattern']), {"source": ["aws.autoscaling"], "detail-type": ["EC2 Instance Launch Unsuccessful"]}) mgr.remove(pl)
def test_cwe_trail(self): session_factory = self.replay_flight_data('test_cwe_trail', zdata=True) p = Policy( { 'resource': 's3', 'name': 's3-bucket-policy', 'mode': { 'type': 'cloudtrail', 'events': ["CreateBucket"], }, 'filters': [{ 'type': 'missing-policy-statement', 'statement_ids': ['RequireEncryptedPutObject'] }], 'actions': ['no-op'] }, Config.empty()) pl = PolicyLambda(p) mgr = LambdaManager(session_factory) result = mgr.publish(pl, 'Dev', role=self.role) events = pl.get_events(session_factory) self.assertEqual(len(events), 1) event = events.pop() self.assertEqual( json.loads(event.render_event_pattern()), { u'detail': { u'eventName': [u'CreateBucket'], u'eventSource': [u's3.amazonaws.com'] }, u'detail-type': ['AWS API Call via CloudTrail'] }) self.assert_items( result, { 'Description': 'cloud-custodian lambda policy', 'FunctionName': 'custodian-s3-bucket-policy', 'Handler': 'custodian_policy.run', 'MemorySize': 512, 'Runtime': 'python2.7', 'Timeout': 60 }) mgr.remove(pl)
def test_cwe_instance(self): session_factory = self.replay_flight_data('test_cwe_instance', zdata=True) p = Policy( { 'resource': 's3', 'name': 'ec2-encrypted-vol', 'mode': { 'type': 'ec2-instance-state', 'events': ['pending'] } }, Config.empty()) pl = PolicyLambda(p) mgr = LambdaManager(session_factory) result = mgr.publish(pl, 'Dev', role=self.role) self.assert_items( result, { 'Description': 'cloud-maid lambda policy', 'FunctionName': 'maid-ec2-encrypted-vol', 'Handler': 'maid_policy.run', 'MemorySize': 512, 'Runtime': 'python2.7', 'Timeout': 60 }) events = session_factory().client('events') result = events.list_rules(NamePrefix="maid-ec2-encrypted-vol") self.assert_items(result['Rules'][0], { "State": "ENABLED", "Name": "maid-ec2-encrypted-vol" }) self.assertEqual( json.loads(result['Rules'][0]['EventPattern']), { "source": ["aws.ec2"], "detail": { "state": ["pending"] }, "detail-type": ["EC2 Instance State-change Notification"] }) mgr.remove(pl)
def xtest_cwe_update_no_change(self): session_factory = self.replay_flight_data( 'test_cwe_update', zdata=True) p = Policy({ 'resource': 's3', 'name': 's3-bucket-policy', 'mode': { 'type': 'cloudtrail', 'events': ["CreateBucket"], }, 'filters': [ {'type': 'missing-policy-statement', 'statement_ids': ['RequireEncryptedPutObject']}], 'actions': ['no-op'] }, Config.empty()) pl = PolicyLambda(p) mgr = LambdaManager(session_factory) result = mgr.publish(pl, 'Dev', role=self.role) output = self.capture_logging('custodian.lambda', level=logging.DEBUG) result2 = mgr.publish(PolicyLambda(p), 'Dev', role=self.role) self.assertEqual(len(output.getvalue().strip().split('\n')), 1) self.assertEqual(result['FunctionName'], result2['FunctionName']) mgr.remove(pl)
def test_cwe_trail(self): session_factory = self.replay_flight_data('test_cwe_trail', zdata=True) p = Policy({ 'resource': 's3', 'name': 's3-bucket-policy', 'mode': { 'type': 'cloudtrail', 'events': ["CreateBucket"], }, 'filters': [ {'type': 'missing-policy-statement', 'statement_ids': ['RequireEncryptedPutObject']}], 'actions': ['no-op'] }, Config.empty()) pl = PolicyLambda(p) mgr = LambdaManager(session_factory) result = mgr.publish(pl, 'Dev', role=self.role) events = pl.get_events(session_factory) self.assertEqual(len(events), 1) event = events.pop() self.assertEqual( json.loads(event.render_event_pattern()), {u'detail': {u'eventName': [u'CreateBucket'], u'eventSource': [u'aws.s3']}, u'detail-type': ['AWS API Call via CloudTrail']}) self.assert_items( result, {'Description': 'cloud-custodian lambda policy', 'FunctionName': 'custodian-s3-bucket-policy', 'Handler': 'custodian_policy.run', 'MemorySize': 512, 'Runtime': 'python2.7', 'Timeout': 60}) mgr.remove(pl)
def test_cwe_instance(self): session_factory = self.replay_flight_data( 'test_cwe_instance', zdata=True) p = Policy({ 'resource': 's3', 'name': 'ec2-encrypted-vol', 'mode': { 'type': 'ec2-instance-state', 'events': ['pending']} }, Config.empty()) pl = PolicyLambda(p) mgr = LambdaManager(session_factory) result = mgr.publish(pl, 'Dev', role=self.role) self.assert_items( result, {'Description': 'cloud-maid lambda policy', 'FunctionName': 'maid-ec2-encrypted-vol', 'Handler': 'maid_policy.run', 'MemorySize': 512, 'Runtime': 'python2.7', 'Timeout': 60}) events = session_factory().client('events') result = events.list_rules(NamePrefix="maid-ec2-encrypted-vol") self.assert_items( result['Rules'][0], {"State": "ENABLED", "Name": "maid-ec2-encrypted-vol"}) self.assertEqual( json.loads(result['Rules'][0]['EventPattern']), {"source": ["aws.ec2"], "detail": { "state": ["pending"]}, "detail-type": ["EC2 Instance State-change Notification"]}) mgr.remove(pl)