def test_rule_passing():
    """The S3 object-versioning rule must accept the known-good template.

    Loads and resolves ``good_template.yaml``, invokes the rule on it and
    expects a valid result with an empty failure list. Note that the rule is
    constructed with ``None`` as its config here, unlike the sibling tests
    that pass a ``Config()``.
    """
    model = get_cfmodel_from("rules/S3ObjectVersioning/good_template.yaml").resolve()
    rule = S3ObjectVersioningRule(None)
    outcome = rule.invoke(model)

    assert outcome.valid
    assert compare_lists_of_failures(outcome.failures, [])
def test_generic_cross_account_for_opensearch_domain_different_principals(
        principal):
    """The generic cross-account rule must flag an OpenSearch domain trusting ``principal``.

    The basic OpenSearch template is resolved with the parametrised
    ``principal`` substituted for its ``Principal`` parameter. The result must
    be invalid and its failures must match the single RESOURCE-level, MEDIUM,
    blocking ``Failure`` built below.
    """
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = GenericCrossAccountTrustRule(config)
    template = get_cfmodel_from("rules/CrossAccountTrustRule/opensearch_domain_basic.yml")
    outcome = rule.invoke(template.resolve(extra_params={"Principal": principal}))

    assert not outcome.valid
    expected = [
        Failure(
            granularity=RuleGranularity.RESOURCE,
            reason=f"TestDomain has forbidden cross-account with {principal}",
            risk_value=RuleRisk.MEDIUM,
            rule="GenericCrossAccountTrustRule",
            rule_mode=RuleMode.BLOCKING,
            actions=None,
            resource_ids={"TestDomain"},
            resource_types={"AWS::OpenSearchService::Domain"},
        )
    ]
    assert compare_lists_of_failures(outcome.failures, expected)
def test_kms_cross_account_success(principal):
    """The KMS cross-account rule must accept a key policy trusting ``principal``.

    ``principal`` is parametrised by the caller; each value is substituted
    into the basic KMS template and the rule result must be valid.
    """
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = KMSKeyCrossAccountTrustRule(config)
    template = get_cfmodel_from("rules/CrossAccountTrustRule/kms_basic.yml")
    outcome = rule.invoke(template.resolve(extra_params={"Principal": principal}))
    assert outcome.valid
def test_generic_cross_account_with_kms_key_success(principal):
    """The generic cross-account rule must accept a KMS key policy trusting ``principal``.

    The basic KMS template is resolved with the parametrised ``principal``;
    the result must be valid and carry no failures.
    """
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = GenericCrossAccountTrustRule(config)
    template = get_cfmodel_from("rules/CrossAccountTrustRule/kms_basic.yml")
    outcome = rule.invoke(template.resolve(extra_params={"Principal": principal}))
    assert outcome.valid
    assert compare_lists_of_failures(outcome.failures, [])
def test_generic_wildcard_ignores_kms():
    """The generic wildcard-principal rule must not fire on a KMS key policy.

    The basic KMS template is resolved with a wildcard IAM principal
    (``arn:aws:iam::*:*``) and the rule result is still expected to be valid,
    i.e. KMS keys are outside this rule's scope.
    """
    wildcard_principal = "arn:aws:iam::*:*"
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = GenericWildcardPrincipalRule(config)
    template = get_cfmodel_from("rules/CrossAccountTrustRule/kms_basic.yml")
    outcome = rule.invoke(template.resolve(extra_params={"Principal": wildcard_principal}))
    assert outcome.valid
def test_es_domain_cross_account_success(principal):
    """The Elasticsearch cross-account rule must accept a domain trusting ``principal``.

    The basic ES-domain template is resolved with the parametrised
    ``principal``; the result must be valid and carry no failures.
    """
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = ElasticsearchDomainCrossAccountTrustRule(config)
    template = get_cfmodel_from("rules/CrossAccountTrustRule/es_domain_basic.yml")
    outcome = rule.invoke(template.resolve(extra_params={"Principal": principal}))
    assert outcome.valid
    assert compare_lists_of_failures(outcome.failures, [])
def test_generic_wildcard_ignores_kms_keys_since_they_have_another_rule_for_them(
):
    """The generic resource wildcard-principal rule must skip KMS key policies.

    The basic KMS template is resolved with a wildcard IAM principal
    (``arn:aws:iam::*:*``); the result must be valid with no failures, since
    KMS keys are covered by a dedicated rule rather than this one.
    """
    wildcard_principal = "arn:aws:iam::*:*"
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = GenericResourceWildcardPrincipalRule(config)
    template = get_cfmodel_from("rules/CrossAccountTrustRule/kms_basic.yml")
    outcome = rule.invoke(template.resolve(extra_params={"Principal": wildcard_principal}))
    assert outcome.valid
    assert compare_lists_of_failures(outcome.failures, [])
def test_kms_cross_account_failure(principal):
    """The KMS cross-account rule must reject a key policy trusting ``principal``.

    The basic KMS template is resolved with the parametrised ``principal``.
    The result must be invalid, with exactly one failed blocking rule, no
    failed monitored rules, and the expected human-readable reason.
    """
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = KMSKeyCrossAccountTrustRule(config)
    template = get_cfmodel_from("rules/CrossAccountTrustRule/kms_basic.yml")
    outcome = rule.invoke(template.resolve(extra_params={"Principal": principal}))

    assert not outcome.valid
    assert len(outcome.failed_rules) == 1
    assert len(outcome.failed_monitored_rules) == 0

    expected_reason = (
        f"KMSKey has forbidden cross-account policy allow with {principal} for an KMS Key Policy"
    )
    (only_failure,) = outcome.failed_rules
    assert only_failure.reason == expected_reason
def test_failures_are_raised(template_path):
    """The S3 object-versioning rule must flag a bucket without versioning.

    ``template_path`` is supplied by the caller. The result must be invalid
    and its failures must match the single LOW-risk, RESOURCE-level, blocking
    ``Failure`` for ``VersionBucket`` built below.
    """
    rule = S3ObjectVersioningRule(Config())
    model = get_cfmodel_from(template_path).resolve()
    outcome = rule.invoke(model)

    assert not outcome.valid
    expected = [
        Failure(
            granularity=RuleGranularity.RESOURCE,
            reason="S3 Bucket VersionBucket is required to have object versioning enabled",
            risk_value=RuleRisk.LOW,
            rule="S3ObjectVersioningRule",
            rule_mode=RuleMode.BLOCKING,
            actions=None,
            resource_ids={"VersionBucket"},
            resource_types={"AWS::S3::Bucket"},
        )
    ]
    assert compare_lists_of_failures(outcome.failures, expected)
def test_failures_are_raised(bad_template_path):
    """The KMS key-rotation rule must flag a symmetric key without rotation.

    ``bad_template_path`` is supplied by the caller. The result must be
    invalid and its failures must match the single HIGH-risk, RESOURCE-level,
    blocking ``Failure`` for ``KMSKey`` built below. Unlike the sibling tests,
    the expected ``Failure`` here does not set ``resource_types``.
    """
    rule = KMSKeyEnabledKeyRotation(Config())
    model = get_cfmodel_from(bad_template_path).resolve()
    outcome = rule.invoke(model)

    assert not outcome.valid
    expected = [
        Failure(
            granularity=RuleGranularity.RESOURCE,
            reason="KMS Key KMSKey should have the key rotation enabled for symmetric keys",
            risk_value=RuleRisk.HIGH,
            rule="KMSKeyEnabledKeyRotation",
            rule_mode=RuleMode.BLOCKING,
            actions=None,
            resource_ids={"KMSKey"},
        )
    ]
    assert compare_lists_of_failures(outcome.failures, expected)
def test_failures_are_raised(template_path):
    """The EBS SSE rule must flag an unencrypted volume.

    ``template_path`` is supplied by the caller. The result must be invalid
    and its failures must match the single MEDIUM-risk, RESOURCE-level,
    blocking ``Failure`` for ``TestVolume`` built below.
    """
    rule = EBSVolumeHasSSERule(Config(aws_account_id="123456789"))
    model = get_cfmodel_from(template_path).resolve()
    outcome = rule.invoke(model)

    assert not outcome.valid
    expected = [
        Failure(
            granularity=RuleGranularity.RESOURCE,
            reason="EBS volume TestVolume should have server-side encryption enabled",
            risk_value=RuleRisk.MEDIUM,
            rule="EBSVolumeHasSSERule",
            rule_mode=RuleMode.BLOCKING,
            actions=None,
            resource_ids={"TestVolume"},
            resource_types={"AWS::EC2::Volume"},
        )
    ]
    assert compare_lists_of_failures(outcome.failures, expected)
def test_es_domain_cross_account_failure(principal):
    """The Elasticsearch cross-account rule must reject a domain trusting ``principal``.

    The basic ES-domain template is resolved with the parametrised
    ``principal``. The result must be invalid and its failures must match the
    single MEDIUM-risk, RESOURCE-level, blocking ``Failure`` for
    ``TestDomain`` built below.
    """
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = ElasticsearchDomainCrossAccountTrustRule(config)
    template = get_cfmodel_from("rules/CrossAccountTrustRule/es_domain_basic.yml")
    outcome = rule.invoke(template.resolve(extra_params={"Principal": principal}))

    assert not outcome.valid
    expected = [
        Failure(
            granularity=RuleGranularity.RESOURCE,
            reason=f"TestDomain has forbidden cross-account policy allow with {principal} for an ES domain policy.",
            risk_value=RuleRisk.MEDIUM,
            rule="ElasticsearchDomainCrossAccountTrustRule",
            rule_mode=RuleMode.BLOCKING,
            actions=None,
            resource_ids={"TestDomain"},
            resource_types={"AWS::Elasticsearch::Domain"},
        )
    ]
    assert compare_lists_of_failures(outcome.failures, expected)
def sqs_policy_public():
    """Load and resolve the public-SQS-policy test template."""
    template_path = "rules/SQSQueuePolicyPublicRule/sqs_policy_public.json"
    return get_cfmodel_from(template_path).resolve()
def bad_template():
    """Load and resolve the failing template for the S3 public read/write ACL rule."""
    template_path = "rules/S3BucketPublicReadWriteAclRule/bad_template.json"
    return get_cfmodel_from(template_path).resolve()
def bad_template():
    """Load and resolve the symmetric-key-without-rotation-property KMS template."""
    template_path = "rules/KMSEnabledKeyRotation/bad_template_symmetric_no_property.yaml"
    return get_cfmodel_from(template_path).resolve()
def s3_bucket_with_wildcards():
    """Load and resolve the failing template for the SQS ``NotPrincipal`` policy rule.

    The name refers to an S3 bucket, but the template it loads lives under
    ``SQSQueuePolicyNotPrincipalRule``.
    """
    template_path = "rules/SQSQueuePolicyNotPrincipalRule/bad_template.json"
    return get_cfmodel_from(template_path).resolve()
def bad_template_instances():
    """Load and resolve the hard-coded-RDS-password template with DB instances."""
    template_path = "rules/HardcodedRDSPasswordRule/bad_template.json"
    return get_cfmodel_from(template_path).resolve()
def bad_template_clusters_with_bad_instances():
    """Load and resolve the hard-coded-RDS-password template with clusters and instances."""
    template_path = "rules/HardcodedRDSPasswordRule/bad_clusters_and_instances.json"
    return get_cfmodel_from(template_path).resolve()
def security_group_with_egress():
    """Load and resolve the security-group-with-egress template for the missing-egress rule."""
    template_path = "rules/EC2SecurityGroupMissingEgressRule/security_group_with_egress.json"
    return get_cfmodel_from(template_path).resolve()
def template_valid_with_canonical_id():
    """Load and resolve the cross-account template that uses a canonical ID principal."""
    template_path = "rules/CrossAccountTrustRule/valid_with_canonical_id.json"
    return get_cfmodel_from(template_path).resolve()
def template_two_roles_dict():
    """Load and resolve the cross-account template with two IAM roles."""
    template_path = "rules/CrossAccountTrustRule/iam_root_role_cross_account_two_roles.json"
    return get_cfmodel_from(template_path).resolve()
def invalid_security_group_range():
    """Load and resolve the open-to-world template with an invalid port range."""
    template_path = "rules/SecurityGroupOpenToWorldRule/invalid_security_group_range.json"
    return get_cfmodel_from(template_path).resolve()
def valid_security_group_port443():
    """Load and resolve the open-to-world template that only exposes port 443."""
    template_path = "rules/SecurityGroupOpenToWorldRule/valid_security_group_port443.json"
    return get_cfmodel_from(template_path).resolve()
def sqs_policy():
    """Load and resolve the SQS policy template for the dangerous-actions rule."""
    template_path = "rules/SQSDangerousPolicyActionsRule/sqs_policy.json"
    return get_cfmodel_from(template_path).resolve()
def invalid_security_group_multiple_statements():
    """Load and resolve the open-to-world template with several ingress statements."""
    template_path = "rules/SecurityGroupOpenToWorldRule/invalid_security_group_multiple_statements.json"
    return get_cfmodel_from(template_path).resolve()
def bad_template_clusters():
    """Load and resolve the hard-coded-RDS-password template with DB clusters."""
    template_path = "rules/HardcodedRDSPasswordRule/bad_template_cluster.json"
    return get_cfmodel_from(template_path).resolve()
def template_valid_with_service():
    """Load and resolve the cross-account template that uses a service principal."""
    template_path = "rules/CrossAccountTrustRule/valid_with_service.json"
    return get_cfmodel_from(template_path).resolve()
def bad_template():
    """Load and resolve the failing template for the full-wildcard-principal rule."""
    template_path = "rules/FullWilcardPrincipalRule/bad_template.json"
    return get_cfmodel_from(template_path).resolve()
def template_invalid_with_sts():
    """Load and resolve the cross-account template that uses an STS principal."""
    template_path = "rules/CrossAccountTrustRule/invalid_with_sts.yml"
    return get_cfmodel_from(template_path).resolve()
def single_security_group_one_cidr_ingress():
    """Load and resolve the single-security-group, one-CIDR-ingress template for the missing-egress rule."""
    template_path = "rules/EC2SecurityGroupMissingEgressRule/single_security_group_one_cidr_ingress.json"
    return get_cfmodel_from(template_path).resolve()