def test_generic_cross_account_for_opensearch_domain_different_principals(
        principal):
    rule = GenericCrossAccountTrustRule(
        Config(aws_account_id="123456789", aws_principals=["999999999"]))
    model = get_cfmodel_from(
        "rules/CrossAccountTrustRule/opensearch_domain_basic.yml").resolve(
            extra_params={"Principal": principal})
    result = rule.invoke(model)
    assert not result.valid
    assert compare_lists_of_failures(
        result.failures,
        [
            Failure(
                granularity=RuleGranularity.RESOURCE,
                reason=
                f"TestDomain has forbidden cross-account with {principal}",
                risk_value=RuleRisk.MEDIUM,
                rule="GenericCrossAccountTrustRule",
                rule_mode=RuleMode.BLOCKING,
                actions=None,
                resource_ids={"TestDomain"},
                resource_types={"AWS::OpenSearchService::Domain"},
            )
        ],
    )
def test_generic_cross_account_rule_for_resources_with_set_principals(
        template, is_valid, failures):
    rule = GenericCrossAccountTrustRule(
        Config(aws_account_id="123456789", aws_principals=["999999999"]))
    result = rule.invoke(template)
    assert result.valid == is_valid
    assert compare_lists_of_failures(result.failures, failures)
def test_s3_bucket_cross_account_from_aws_service_with_generic(
        s3_bucket_cross_account_from_aws_service):
    rule = GenericCrossAccountTrustRule(Config(aws_account_id="123456789"))
    result = rule.invoke(s3_bucket_cross_account_from_aws_service)

    assert result.valid
    assert compare_lists_of_failures(result.failures, [])
def test_generic_rule_supports_filter_config(
        s3_bucket_cross_account_and_normal, default_allow_all_config):
    rule = GenericCrossAccountTrustRule(default_allow_all_config)
    result = rule.invoke(s3_bucket_cross_account_and_normal)

    assert result.valid
    assert compare_lists_of_failures(result.failures, [])
def test_s3_bucket_cross_account_for_current_account_with_generic(
        s3_bucket_cross_account):
    rule = GenericCrossAccountTrustRule(Config(aws_account_id="987654321"))
    result = rule.invoke(s3_bucket_cross_account)

    assert result.valid
    assert compare_lists_of_failures(result.failures, [])
def test_generic_cross_account_with_kms_key_success(principal):
    rule = GenericCrossAccountTrustRule(
        Config(aws_account_id="123456789", aws_principals=["999999999"]))
    model = get_cfmodel_from("rules/CrossAccountTrustRule/kms_basic.yml"
                             ).resolve(extra_params={"Principal": principal})
    result = rule.invoke(model)
    assert result.valid
    assert compare_lists_of_failures(result.failures, [])
Esempio n. 7
0
def test_iam_role_is_checked_in_generic_rule(template_one_role):
    rule = GenericCrossAccountTrustRule(Config(aws_account_id="123456789"))
    result = rule.invoke(template_one_role)
    assert not result.valid
    assert compare_lists_of_failures(
        result.failures,
        [
            Failure(
                granularity=RuleGranularity.RESOURCE,
                reason=
                "RootRole has forbidden cross-account with arn:aws:iam::999999999:role/[email protected]",
                risk_value=RuleRisk.MEDIUM,
                rule="GenericCrossAccountTrustRule",
                rule_mode=RuleMode.BLOCKING,
                actions=None,
                resource_ids={"RootRole"},
                resource_types={"AWS::IAM::Role"},
            )
        ],
    )
def test_s3_bucket_cross_account_with_generic(s3_bucket_cross_account):
    rule = GenericCrossAccountTrustRule(Config(aws_account_id="123456789"))
    result = rule.invoke(s3_bucket_cross_account)

    assert not result.valid
    assert compare_lists_of_failures(
        result.failures,
        [
            Failure(
                granularity=RuleGranularity.RESOURCE,
                reason=
                "S3BucketPolicyAccountAccess has forbidden cross-account with arn:aws:iam::987654321:root",
                risk_value=RuleRisk.MEDIUM,
                rule="GenericCrossAccountTrustRule",
                rule_mode=RuleMode.BLOCKING,
                actions=None,
                resource_ids={"S3BucketPolicyAccountAccess"},
                resource_types={"AWS::S3::BucketPolicy"},
            )
        ],
    )
def test_iam_role_is_ignored_in_generic_rule(template_one_role):
    rule = GenericCrossAccountTrustRule(Config(aws_account_id="123456789"))
    result = rule.invoke(template_one_role)
    assert result.valid
    assert compare_lists_of_failures(result.failures, [])
def test_iam_role_to_jump_to_another_account(
        template_iam_role_to_jump_to_another_account):
    rule = GenericCrossAccountTrustRule(Config(aws_account_id="123456789"))
    result = rule.invoke(template_iam_role_to_jump_to_another_account)
    assert result.valid
    assert compare_lists_of_failures(result.failures, [])