    def test_kms_post_finding(self):
        """Check post-finding's Security Hub formatting of a KMS key.

        Replays recorded API traffic, formats one key resolved by alias ARN,
        compares the result with the expected finding and validates the
        ``AwsKmsKey`` details against the securityhub ``AwsKmsKeyDetails``
        shape.
        """
        factory = self.replay_flight_data('test_kms_post_finding')
        policy_data = {
            'name': 'kms',
            'resource': 'aws.kms',
            'actions': [{
                'type': 'post-finding',
                'types': ['Software and Configuration Checks/OrgStandard/abc-123'],
            }],
        }
        p = self.load_policy(
            policy_data, session_factory=factory, config={'region': 'us-west-2'})
        self.maxDiff = None

        key_arn = 'arn:aws:kms:us-west-2:644160558196:alias/c7n-test'
        resources = p.resource_manager.get_resources([key_arn])
        post_finding = p.resource_manager.actions[0]
        rfinding = post_finding.format_resource(resources[0])
        # CreationDate is dropped before the comparison so the expected dict
        # does not have to pin it; the shape check below runs without it too.
        details = rfinding['Details']['AwsKmsKey']
        details.pop('CreationDate')

        expected = {
            'Details': {
                'AwsKmsKey': {
                    'KeyId': '44d25a5c-7efa-44ed-8436-b9511ea921b3',
                    'KeyManager': 'CUSTOMER',
                    'KeyState': 'Enabled',
                    'Origin': 'AWS_KMS',
                },
            },
            'Id': 'arn:aws:kms:us-west-2:644160558196:alias/44d25a5c-7efa-44ed-8436-b9511ea921b3',
            'Partition': 'aws',
            'Region': 'us-west-2',
            'Type': 'AwsKmsKey',
        }
        self.assertEqual(rfinding, expected)
        shape_validate(details, 'AwsKmsKeyDetails', 'securityhub')
 def test_sns_post_finding(self):
     """Check post-finding's Security Hub formatting of an SNS topic.

     Replays recorded API traffic, formats one topic resolved by ARN, compares
     the result with the expected finding and validates the ``AwsSnsTopic``
     details against the securityhub ``AwsSnsTopicDetails`` shape.
     """
     factory = self.replay_flight_data('test_sns_post_finding')
     policy_data = {
         'name': 'sns',
         'resource': 'aws.sns',
         'actions': [{
             'type': 'post-finding',
             'types': ['Software and Configuration Checks/OrgStandard/abc-123'],
         }],
     }
     p = self.load_policy(
         policy_data, session_factory=factory, config={'region': 'us-west-2'})

     topic_arn = 'arn:aws:sns:us-west-2:644160558196:config-topic'
     resources = p.resource_manager.get_resources([topic_arn])
     post_finding = p.resource_manager.actions[0]
     rfinding = post_finding.format_resource(resources[0])

     expected = {
         'Details': {
             'AwsSnsTopic': {
                 'Owner': '644160558196',
                 'TopicName': 'config-topic',
             },
         },
         'Id': topic_arn,
         'Partition': 'aws',
         'Region': 'us-west-2',
         'Type': 'AwsSnsTopic',
     }
     self.assertEqual(rfinding, expected)
     details = rfinding['Details']['AwsSnsTopic']
     shape_validate(details, 'AwsSnsTopicDetails', 'securityhub')
    def test_post_finding_build(self):
        """Check post-finding's Security Hub formatting of a CodeBuild project.

        Replays recorded API traffic, expects exactly one project, compares its
        formatted finding with the expected dict and validates the
        ``AwsCodeBuildProject`` details against the securityhub
        ``AwsCodeBuildProjectDetails`` shape.
        """
        factory = self.replay_flight_data('test_codebuild_post_finding')
        policy_data = {
            'name': 'codebuild',
            'resource': 'aws.codebuild',
            'actions': [{
                'type': 'post-finding',
                'types': ['Software and Configuration Checks/OrgStandard/abc-123'],
            }],
        }
        p = self.load_policy(
            policy_data, session_factory=factory, config={'region': 'us-east-2'})
        self.maxDiff = None

        builds = p.resource_manager.resources()
        self.assertEqual(len(builds), 1)
        post_finding = p.resource_manager.actions[0]
        rfinding = post_finding.format_resource(builds[0])

        expected_details = {
            'EncryptionKey': 'arn:aws:kms:us-east-2:644160558196:alias/aws/s3',
            'Environment': {
                'ImagePullCredentialsType': 'CODEBUILD',
                'Type': 'LINUX_CONTAINER',
            },
            'Name': 'custodian',
            'ServiceRole': 'arn:aws:iam::644160558196:role/service-role/codebuild-test-service-role',  # noqa
            'Source': {
                'Location': 'https://github.com/kapilt/cloud-custodian',
                'Type': 'GITHUB',
            },
        }
        expected = {
            'Details': {'AwsCodeBuildProject': expected_details},
            'Id': 'arn:aws:codebuild:us-east-2:644160558196:project/custodian',
            'Partition': 'aws',
            'Region': 'us-east-2',
            'Type': 'AwsCodeBuildProject',
        }
        self.assertEqual(rfinding, expected)
        shape_validate(
            rfinding['Details']['AwsCodeBuildProject'],
            'AwsCodeBuildProjectDetails',
            'securityhub')
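    def test_sqs_post_finding(self):
        """Check post-finding's Security Hub formatting of an SQS queue.

        Replays recorded API traffic, formats one queue resolved by name,
        compares the result with the expected finding and validates the
        ``AwsSqsQueue`` details against the securityhub ``AwsSqsQueueDetails``
        shape.
        """
        factory = self.replay_flight_data('test_sqs_post_finding')
        p = self.load_policy({
            'name': 'sqs',
            'resource': 'aws.sqs',
            'actions': [
                {'type': 'post-finding',
                 'types': [
                     'Software and Configuration Checks/OrgStandard/abc-123']}]},
            session_factory=factory, config={'region': 'us-west-2'})
        queue_name = 'test_sqs_modify_policy_add_remove_statements'
        queues = p.resource_manager.get_resources([queue_name])
        post_finding = p.resource_manager.actions[0]
        rfinding = post_finding.format_resource(queues[0])

        # Use the unittest assertion like the sibling post-finding tests do,
        # rather than a bare ``assert``: it is not stripped under ``python -O``
        # and prints a dict diff on failure (maxDiff=None keeps it untruncated).
        self.maxDiff = None
        self.assertEqual(
            rfinding,
            {'Details': {
                'AwsSqsQueue': {
                    'KmsDataKeyReusePeriodSeconds': 300,
                    'KmsMasterKeyId': 'alias/aws/sqs',
                    'QueueName': queue_name}},
             'Id': 'arn:aws:sqs:us-west-2:644160558196:test_sqs_modify_policy_add_remove_statements',
             'Partition': 'aws',
             'Region': 'us-west-2',
             'Type': 'AwsSqsQueue'})
        shape_validate(
            rfinding['Details']['AwsSqsQueue'],
            'AwsSqsQueueDetails',
            'securityhub',
        )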
 def test_post_finding_es(self):
     """Check post-finding's Security Hub formatting of an Elasticsearch domain.

     Replays recorded API traffic, expects exactly one domain and compares only
     the ``AwsElasticsearchDomain`` details (access policy, endpoint TLS,
     encryption at rest / node-to-node, VPC placement) with the expected dict,
     then validates them against the securityhub
     ``AwsElasticsearchDomainDetails`` shape.
     """
     factory = self.replay_flight_data('test_elasticsearch_post_finding')
     policy_data = {
         'name': 'es-post',
         'resource': 'aws.elasticsearch',
         'actions': [{
             'type': 'post-finding',
             'types': ['Software and Configuration Checks/OrgStandard/abc-123'],
         }],
     }
     p = self.load_policy(
         policy_data, session_factory=factory, config={'region': 'us-west-2'})
     self.maxDiff = None

     resources = p.resource_manager.resources()
     self.assertEqual(len(resources), 1)
     post_finding = p.resource_manager.actions[0]
     fresource = post_finding.format_resource(resources[0])
     details = fresource['Details']['AwsElasticsearchDomain']

     expected_details = {
         'AccessPolicies': '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"*"},"Action":"es:*","Resource":"arn:aws:es:us-west-2:644160558196:domain/devx/*"}]}',  # noqa
         'DomainEndpointOptions': {
             'EnforceHTTPS': True,
             'TLSSecurityPolicy': 'Policy-Min-TLS-1-0-2019-07',
         },
         'DomainId': '644160558196/devx',
         'DomainName': 'devx',
         'Endpoints': {
             'vpc': 'vpc-devx-4j4l2ateukiwrnnxgbowppjt64.us-west-2.es.amazonaws.com',
         },
         'ElasticsearchVersion': '7.4',
         'EncryptionAtRestOptions': {
             'Enabled': True,
             'KmsKeyId': 'arn:aws:kms:us-west-2:644160558196:key/9b776c6e-0a40-45d0-996b-707018677fe9',  # noqa
         },
         'NodeToNodeEncryptionOptions': {'Enabled': True},
         'VPCOptions': {
             'AvailabilityZones': ['us-west-2b'],
             'SecurityGroupIds': ['sg-0eecc076'],
             'SubnetIds': ['subnet-63c97615'],
             'VPCId': 'vpc-4a9ff72e',
         },
     }
     self.assertEqual(details, expected_details)
     shape_validate(details, 'AwsElasticsearchDomainDetails', 'securityhub')
    def test_asg_post_finding_format(self):
        """Check post-finding's Security Hub formatting of an auto scaling group.

        Replays recorded API traffic (flight data ``test_asg_mark_for_op``),
        formats the first group, compares the finding — including the group's
        tags — with the expected dict and validates the
        ``AwsAutoScalingAutoScalingGroup`` details against the securityhub
        ``AwsAutoScalingAutoScalingGroupDetails`` shape. No region is passed
        in the policy config; the recorded finding reports ``us-east-1``.
        """
        factory = self.replay_flight_data('test_asg_mark_for_op')
        policy_data = {
            'name': 'asg-post',
            'resource': 'aws.asg',
            'actions': [{
                'type': 'post-finding',
                'types': ['Software and Configuration Checks/OrgStandard/abc-123'],
            }],
        }
        p = self.load_policy(policy_data, session_factory=factory)
        self.maxDiff = None

        resources = p.resource_manager.resources()
        post_finding = p.resource_manager.actions[0]
        rfinding = post_finding.format_resource(resources[0])

        expected_details = {
            'CreatedTime': '2016-05-16T18:31:32.276000+00:00',
            'HealthCheckGracePeriod': 300,
            'HealthCheckType': 'EC2',
            'LaunchConfigurationName': 'CustodianASGTestCopyCopy',
            'LoadBalancerNames': [],
        }
        expected_tags = {
            'Platform': 'ubuntu',
            'custodian_action': (
                'AutoScaleGroup does not meet org tag policy: '
                'suspend@2016/05/21'),
        }
        expected = {
            'Details': {'AwsAutoScalingAutoScalingGroup': expected_details},
            'Id': 'arn:aws:autoscaling:us-west-2:619193117841:autoScalingGroup:650754f5-21d3-409f-b43a-fffdeb22910d:autoScalingGroupName/CustodianASG',  # noqa
            'Partition': 'aws',
            'Region': 'us-east-1',
            'Tags': expected_tags,
            'Type': 'AwsAutoScalingAutoScalingGroup',
        }
        self.assertEqual(rfinding, expected)
        shape_validate(
            rfinding['Details']['AwsAutoScalingAutoScalingGroup'],
            'AwsAutoScalingAutoScalingGroupDetails', 'securityhub')
 def test_volume_post_finding(self):
     """Check post-finding's Security Hub formatting of an EBS volume.

     Replays recorded API traffic (flight data ``test_ebs_snapshot``), formats
     the first volume, compares the finding — attachment, creation time, size
     and source snapshot — with the expected dict and validates the
     ``AwsEc2Volume`` details against the securityhub ``AwsEc2VolumeDetails``
     shape. No region is passed in the policy config; the recorded finding
     reports ``us-east-1``.
     """
     factory = self.replay_flight_data('test_ebs_snapshot')
     policy_data = {
         'name': 'vol-finding',
         'resource': 'aws.ebs',
         'actions': [{
             'type': 'post-finding',
             'types': ['Software and Configuration Checks/OrgStandard/abc-123'],
         }],
     }
     p = self.load_policy(policy_data, session_factory=factory)
     self.maxDiff = None

     resources = p.resource_manager.resources()
     post_finding = p.resource_manager.actions[0]
     rfinding = post_finding.format_resource(resources[0])

     expected_attachment = {
         'AttachTime': '2017-03-28T14:55:28+00:00',
         'DeleteOnTermination': True,
         'InstanceId': 'i-0a0b51bcf11a8cdfb',
         'Status': 'attached',
     }
     expected_details = {
         'Attachments': [expected_attachment],
         'CreateTime': '2017-03-28T14:55:28.486000+00:00',
         'Size': 8,
         'SnapshotId': 'snap-037f1f9e6c8ea4d65',
     }
     expected = {
         'Details': {'AwsEc2Volume': expected_details},
         'Id': 'arn:aws:ec2:us-east-1:644160558196:volume/vol-01adbb6a4f175941d',
         'Partition': 'aws',
         'Region': 'us-east-1',
         'Type': 'AwsEc2Volume',
     }
     self.assertEqual(rfinding, expected)
     shape_validate(
         rfinding['Details']['AwsEc2Volume'], 'AwsEc2VolumeDetails', 'securityhub')
 def test_validate(self):
     """Check shape_validate against the securityhub finding-filter shape.

     An unknown top-level key must raise PolicyValidationError; a well-formed
     ``Id`` filter is accepted and the call returns None.
     """
     with self.assertRaises(PolicyValidationError):
         aws.shape_validate({'X': 1}, 'AwsSecurityFindingFilters', 'securityhub')

     good_filter = {'Id': [{'Value': 'abc', 'Comparison': 'EQUALS'}]}
     result = aws.shape_validate(
         good_filter, 'AwsSecurityFindingFilters', 'securityhub')
     self.assertIsNone(result)
 def test_post_finding(self):
     """Check post-finding's Security Hub formatting of a Lambda function.

     Replays recorded API traffic, formats one function resolved by name,
     compares the finding — code location and hash, role, runtime, VPC and
     tracing settings, tags — with the expected dict and validates the
     ``AwsLambdaFunction`` details against the securityhub
     ``AwsLambdaFunctionDetails`` shape.
     """
     factory = self.replay_flight_data('test_lambda_post_finding')
     policy_data = {
         'name': 'lambda',
         'resource': 'aws.lambda',
         'actions': [{
             'type': 'post-finding',
             'types': ['Software and Configuration Checks/OrgStandard/abc-123'],
         }],
     }
     p = self.load_policy(
         policy_data, session_factory=factory, config={'region': 'us-west-2'})
     self.maxDiff = None

     functions = p.resource_manager.get_resources(['custodian-ec2-ssm-query'])
     post_finding = p.resource_manager.actions[0]
     rfinding = post_finding.format_resource(functions[0])

     expected_details = {
         'CodeSha256': 'Pq32lM46RbVovW/Abh14XfrFHIeUM/cAEC51fwkf+tk=',
         'Code': {
             'S3Bucket': 'awslambda-us-west-2-tasks',
             'S3Key': 'snapshots/644160558196/custodian-ec2-ssm-query-c3bed681-aa99-4bb2-a155-2f5897de20d2',  # noqa
             'S3ObjectVersion': 'Nupr9wOmyG9eZbta8NGFUV9lslQ5NI7m',
         },
         'Handler': 'custodian_policy.run',
         'LastModified': '2019-07-29T22:37:20.844+0000',
         'MemorySize': 512,
         'RevisionId': '8bbaf510-0ae1-40a5-8980-084bebd3f9c6',
         'Role': 'arn:aws:iam::644160558196:role/CloudCustodianRole',
         'Runtime': 'python3.7',
         'Timeout': 900,
         'TracingConfig': {'Mode': 'PassThrough'},
         'Version': '$LATEST',
         'VpcConfig': {'SecurityGroupIds': [], 'SubnetIds': []},
     }
     expected = {
         'Details': {'AwsLambdaFunction': expected_details},
         'Id': 'arn:aws:lambda:us-west-2:644160558196:function:custodian-ec2-ssm-query',
         'Partition': 'aws',
         'Region': 'us-west-2',
         'Tags': {'custodian-info': 'mode=config-rule:version=0.8.44.2'},
         'Type': 'AwsLambdaFunction',
     }
     self.assertEqual(rfinding, expected)
     shape_validate(
         rfinding['Details']['AwsLambdaFunction'],
         'AwsLambdaFunctionDetails', 'securityhub')
 def test_validate(self):
     """Check shape_validate against the securityhub finding-filter shape.

     A filter with an unknown top-level key must be rejected with
     PolicyValidationError; a well-formed ``Id`` filter passes and the
     function returns None.
     """
     shape = 'AwsSecurityFindingFilters'
     with self.assertRaises(PolicyValidationError):
         aws.shape_validate({'X': 1}, shape, 'securityhub')

     id_filter = {'Id': [{'Value': 'abc', 'Comparison': 'EQUALS'}]}
     self.assertEqual(
         aws.shape_validate(id_filter, shape, 'securityhub'), None)
 def validate(self):
     """Validate the optional ``query`` block of this element's policy data.

     When ``self.data`` carries a ``query`` entry it is checked against the
     securityhub ``self.query_shape`` shape, so a malformed query is rejected
     at validation time; ``aws.shape_validate`` raises on a shape mismatch.
     Without a query there is nothing to check. Returns None.
     """
     query = self.data.get('query')
     if not query:
         return
     # Imported lazily, matching the original; presumably to keep the
     # resource package out of the import path until it is needed — verify.
     from c7n.resources import aws
     aws.shape_validate(query, self.query_shape, 'securityhub')
 def validate(self):
     """Validate the optional ``query`` block of this element's policy data.

     When ``self.data`` carries a ``query`` entry it is checked against the
     securityhub ``self.query_shape`` shape, so a malformed query is rejected
     at validation time; ``aws.shape_validate`` raises on a shape mismatch.
     Without a query there is nothing to check. Returns None.
     """
     query = self.data.get('query')
     if not query:
         return
     aws.shape_validate(query, self.query_shape, 'securityhub')
 def validate(self):
     """Validate the optional ``query`` block of this element's policy data.

     A ``query`` entry in ``self.data`` is checked against the securityhub
     ``self.query_shape`` shape; ``aws.shape_validate`` raises on a shape
     mismatch, so a malformed query never gets past validation. An absent or
     empty query is a no-op. Returns None.
     """
     query = self.data.get('query')
     if not query:
         return
     aws.shape_validate(query, self.query_shape, 'securityhub')
 def validate(self):
     """Validate the optional ``query`` block of this element's policy data.

     A ``query`` entry in ``self.data`` is checked against the securityhub
     ``self.query_shape`` shape; ``aws.shape_validate`` raises on a shape
     mismatch, so a malformed query never gets past validation. An absent or
     empty query is a no-op. Returns None.
     """
     query = self.data.get('query')
     if not query:
         return
     # Lazy import kept from the original; presumably avoids importing the
     # resource package at module load time — verify against the package.
     from c7n.resources import aws
     aws.shape_validate(query, self.query_shape, 'securityhub')