Esempio n. 1
0
def test_sqs_config_translate(test):
    # we're using a cwe event as a config, so have to mangle to
    # config's inane format (json strings in json)
    event = event_data('sqs-discover.json')
    p = test.load_policy({
        'name': 'sqs-check',
        'resource': 'aws.sqs',
        'mode': {
            'type': 'config-rule'
        }
    })
    config = p.resource_manager.get_source('config')
    resource = config.load_resource(event['detail']['configurationItem'])
    Arn.parse(resource['QueueArn']).resource == 'config-changes'
    assert resource == {
        'CreatedTimestamp': '1602023249',
        'DelaySeconds': '0',
        'LastModifiedTimestamp': '1602023249',
        'MaximumMessageSize': '262144',
        'MessageRetentionPeriod': '345600',
        'Policy':
        '{"Version":"2012-10-17","Statement":[{"Sid":"","Effect":"Allow","Principal":{"Service":"events.amazonaws.com"},"Action":"sqs:SendMessage","Resource":"arn:aws:sqs:us-east-1:644160558196:config-changes"}]}',  # noqa
        'QueueArn': 'arn:aws:sqs:us-east-1:644160558196:config-changes',
        'QueueUrl':
        'https://sqs.us-east-1.amazonaws.com/644160558196/config-changes',
        'ReceiveMessageWaitTimeSeconds': '0',
        'VisibilityTimeout': '30',
    }
Esempio n. 2
0
    def process(self, resources, event=None):
        filters = []
        for f in self.data.get('eval_filters', ()):
            vf = ValueFilter(f)
            vf.annotate = False
            filters.append(vf)

        resource_model = self.manager.get_model()
        resource_map = self.get_resource_map(filters, resource_model,
                                             resources)

        # Avoid static/import time dep on boto in filters package
        from c7n.resources.aws import Arn
        results = []
        for arn, r in zip(self.manager.get_arns(resources), resources):
            # many aws provided rules are inconsistent in their
            # treatment of resource ids, some use arns, some use names
            # as identifiers for the same resource type. security
            # hub in particular is bad at consistency.
            rid = None
            if arn in resource_map:
                rid = arn
            elif r[resource_model.id] in resource_map:
                rid = r[resource_model.id]
            if arn == r[resource_model.id] and not rid:
                rid = Arn.parse(arn).resource
                if rid not in resource_map:
                    rid = None
            if rid is None:
                continue
            r[self.annotation_key] = resource_map[rid]
            results.append(r)
        return results
Esempio n. 3
0
 def get_resource_arns(self, event):
     event_type = event['detail-type']
     arn_resolver = getattr(self, self.handlers[event_type])
     arns = arn_resolver(event)
     # Lazy import to avoid aws sdk runtime dep in core
     from c7n.resources.aws import Arn
     return {Arn.parse(r) for r in arns}
Esempio n. 4
0
    def resolve_resources(self, event):
        # For centralized setups in a hub aggregator account
        self.assume_member(event)

        event_type = event['detail-type']
        arn_resolver = getattr(self, self.handlers[event_type])
        arns = arn_resolver(event)

        # Lazy import to avoid aws sdk runtime dep in core
        from c7n.resources.aws import Arn
        resource_map = {Arn.parse(r) for r in arns}

        # sanity check on finding resources matching policy resource
        # type's service.
        if self.policy.resource_manager.type != 'account':
            log.info("mode:security-hub resolve resources %s",
                     list(resource_map))
            if not resource_map:
                return []
            resource_arns = [
                r for r in resource_map if r.service ==
                self.policy.resource_manager.resource_type.service
            ]
            resources = self.policy.resource_manager.get_resources(
                [r.resource for r in resource_arns])
        else:
            resources = self.policy.resource_manager.get_resources([])
            resources[0]['resource-arns'] = resource_arns
        return resources
Esempio n. 5
0
    def get_resource_sets(self, event):
        # return a mapping of (account_id, region): [resource_arns]
        # per the finding in the event.

        # Group resources by account_id, region for role assumes
        resource_sets = {}

        # Loop over findings and set resource set accordingly
        # Lazy import to avoid aws sdk runtime dep in core
        from c7n.resources.aws import Arn
        for finding in event['detail']['findings']:
            resource_sets.setdefault(
                (finding['AwsAccountId'], finding['Resources'][0]['Region']),
                []).append(Arn.parse(finding['Resources'][0]['Id']))

        # Warn if not configured for member-role and have multiple accounts resources.
        if (not self.policy.data['mode'].get('member-role')
                and {self.policy.options.account_id} != {
                    account_id
                    for (account_id, region), rarns in resource_sets.items()
                }):
            msg = ('hub-mode not configured for multi-account member-role '
                   'but multiple resource accounts found')
            self.policy.log.warning(msg)
            raise PolicyExecutionError(msg)
        return resource_sets
Esempio n. 6
0
 def process(self, resources):
     client = local_session(self.manager.session_factory).client('s3control')
     for r in resources:
         arn = Arn.parse(r['AccessPointArn'])
         try:
             client.delete_access_point(AccountId=arn.account_id, Name=r['Name'])
         except client.NotFoundException:
             continue
Esempio n. 7
0
 def augment(self, resources):
     client = local_session(self.manager.session_factory).client('s3control')
     results = []
     for r in resources:
         arn = Arn.parse(r['AccessPointArn'])
         ap = client.get_access_point(AccountId=arn.account_id, Name=r['Name'])
         ap.pop('ResponseMetadata', None)
         results.append(ap)
     return results
Esempio n. 8
0
    def process(self, resources, event=None):
        client = local_session(self.manager.session_factory).client('s3control')
        for r in resources:
            if self.policy_attribute in r:
                continue
            arn = Arn.parse(r['AccessPointArn'])
            r[self.policy_attribute] = client.get_access_point_policy(
                AccountId=arn.account_id, Name=r['Name']
            ).get('Policy')

        return super().process(resources, event)
Esempio n. 9
0
 def get_resources(self, ids, cache=True):
     ids_normalized = []
     for i in ids:
         if not i.startswith('https://'):
             ids_normalized.append(i)
             continue
         ids_normalized.append(i.rsplit('/', 1)[-1])
     resources = super(SQS, self).get_resources(ids_normalized, cache)
     return [
         r for r in resources
         if Arn.parse(r['QueueArn']).resource in ids_normalized
     ]
Esempio n. 10
0
 def test_resolve_import_finding(self):
     factory = self.replay_flight_data('test_security_hub_mode_resolve')
     policy = self.load_policy({
         'name': 'trail-fixer',
         'resource': 'aws.iam-user',
         'mode': {
             'type': 'hub-finding',
             'role': 'foo'}},
         session_factory=factory)
     event = event_data("event-securityhub-iamkey-finding-action.json")
     hub = policy.get_execution_mode()
     resources = hub.resolve_import_finding(event)
     self.assertEqual(
         sorted(resources),
         sorted(['arn:aws:iam::644160558196:user/kapil']))
     # Lazy import to avoid aws sdk runtime dep in core
     from c7n.resources.aws import Arn
     resources = hub.resolve_resources({Arn.parse(r) for r in resources})
     self.assertEqual(len(resources), 1)
     self.assertEqual(resources[0]['UserName'], 'kapil')
Esempio n. 11
0
 def get_dimensions(self, resource):
     return [{
         'Name': self.model.dimension,
         'Value': Arn.parse(resource['LoadBalancerArn']).resource
     }]