def test_rule_passing():
    """A bucket with versioning enabled must not be flagged by S3ObjectVersioningRule.

    NOTE(review): the rule is constructed with ``None`` as its config while the
    failure test for the same rule passes ``Config()``; the rule presumably falls
    back to a default config when given ``None`` — confirm against the rule base
    class before relying on it.
    """
    good_template = "rules/S3ObjectVersioning/good_template.yaml"
    model = get_cfmodel_from(good_template).resolve()
    outcome = S3ObjectVersioningRule(None).invoke(model)
    assert outcome.valid
    # A compliant template must produce no failures at all, not merely a
    # "valid" verdict.
    assert compare_lists_of_failures(outcome.failures, [])
def test_generic_cross_account_for_opensearch_domain_different_principals(principal):
    """An OpenSearch domain policy trusting ``principal`` must be blocked.

    ``principal`` is supplied by the (parametrized) caller; it is injected into
    the template as the ``Principal`` parameter and is expected to be neither
    the configured account ``123456789`` nor the allowed ``999999999``, so
    GenericCrossAccountTrustRule reports a blocking, MEDIUM-risk failure.
    """
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = GenericCrossAccountTrustRule(config)
    template = "rules/CrossAccountTrustRule/opensearch_domain_basic.yml"
    model = get_cfmodel_from(template).resolve(extra_params={"Principal": principal})

    outcome = rule.invoke(model)

    expected = Failure(
        granularity=RuleGranularity.RESOURCE,
        reason=f"TestDomain has forbidden cross-account with {principal}",
        risk_value=RuleRisk.MEDIUM,
        rule="GenericCrossAccountTrustRule",
        rule_mode=RuleMode.BLOCKING,
        actions=None,
        resource_ids={"TestDomain"},
        resource_types={"AWS::OpenSearchService::Domain"},
    )
    assert not outcome.valid
    assert compare_lists_of_failures(outcome.failures, [expected])
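def test_kms_cross_account_success(principal):
    """A KMS key policy whose principal is trusted passes KMSKeyCrossAccountTrustRule.

    ``principal`` comes from the parametrized caller and is injected into the
    template's ``Principal`` parameter. Besides ``result.valid`` the test also
    checks that the failure list is empty, matching the other success tests on
    the same template (``test_generic_cross_account_with_kms_key_success``).
    """
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = KMSKeyCrossAccountTrustRule(config)
    template = "rules/CrossAccountTrustRule/kms_basic.yml"
    model = get_cfmodel_from(template).resolve(extra_params={"Principal": principal})

    result = rule.invoke(model)

    assert result.valid
    # ``valid`` presumably reflects blocking rules only (the failure test for this
    # rule tracks ``failed_monitored_rules`` separately); asserting an empty
    # failure list keeps a monitored-mode finding from slipping through.
    assert compare_lists_of_failures(result.failures, [])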
def test_generic_cross_account_with_kms_key_success(principal):
    """GenericCrossAccountTrustRule accepts a KMS key policy with a trusted principal.

    ``principal`` is provided by the parametrized caller and substituted into the
    template's ``Principal`` parameter; the configured account is ``123456789``
    and ``999999999`` is explicitly allowed.
    """
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = GenericCrossAccountTrustRule(config)
    template = "rules/CrossAccountTrustRule/kms_basic.yml"
    model = get_cfmodel_from(template).resolve(extra_params={"Principal": principal})

    outcome = rule.invoke(model)

    assert outcome.valid
    # Not just "valid": the rule must record no failures whatsoever.
    assert compare_lists_of_failures(outcome.failures, [])
def test_generic_wildcard_ignores_kms():
    """GenericWildcardPrincipalRule does not act on a KMS key policy with a wildcard principal.

    The template is resolved with ``Principal`` set to ``arn:aws:iam::*:*``; the
    expectation is that this generic rule leaves KMS keys alone (KMS key
    policies have a dedicated cross-account rule in this suite).

    NOTE(review): only ``result.valid`` is checked here; the sibling test for
    GenericResourceWildcardPrincipalRule also asserts an empty failure list —
    consider doing the same so a monitored-mode finding is not missed.
    """
    wildcard_principal = "arn:aws:iam::*:*"
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = GenericWildcardPrincipalRule(config)
    template = "rules/CrossAccountTrustRule/kms_basic.yml"
    model = get_cfmodel_from(template).resolve(
        extra_params={"Principal": wildcard_principal}
    )
    outcome = rule.invoke(model)
    assert outcome.valid
def test_es_domain_cross_account_success(principal):
    """An Elasticsearch domain policy with a trusted principal passes the ES rule.

    ``principal`` comes from the parametrized caller and is injected as the
    template's ``Principal`` parameter; the configured account is ``123456789``
    with ``999999999`` explicitly allowed.
    """
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = ElasticsearchDomainCrossAccountTrustRule(config)
    template = "rules/CrossAccountTrustRule/es_domain_basic.yml"
    model = get_cfmodel_from(template).resolve(extra_params={"Principal": principal})

    outcome = rule.invoke(model)

    assert outcome.valid
    # The compliant policy must not produce any failure, monitored or blocking.
    assert compare_lists_of_failures(outcome.failures, [])
def test_generic_wildcard_ignores_kms_keys_since_they_have_another_rule_for_them():
    """GenericResourceWildcardPrincipalRule skips KMS keys even with a wildcard principal.

    The KMS template is resolved with ``Principal`` = ``arn:aws:iam::*:*``. The
    generic resource-level wildcard rule is expected to stay silent because KMS
    key policies are covered by their own cross-account rule in this suite.
    """
    wildcard_principal = "arn:aws:iam::*:*"
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = GenericResourceWildcardPrincipalRule(config)
    template = "rules/CrossAccountTrustRule/kms_basic.yml"
    model = get_cfmodel_from(template).resolve(
        extra_params={"Principal": wildcard_principal}
    )

    outcome = rule.invoke(model)

    assert outcome.valid
    assert compare_lists_of_failures(outcome.failures, [])
def test_kms_cross_account_failure(principal):
    """A KMS key policy trusting an untrusted ``principal`` is blocked by the KMS rule.

    ``principal`` is supplied by the parametrized caller and substituted into the
    template. Exactly one blocking failure is expected, with nothing recorded in
    monitor mode, and its reason names the ``KMSKey`` resource and the principal.
    """
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = KMSKeyCrossAccountTrustRule(config)
    template = "rules/CrossAccountTrustRule/kms_basic.yml"
    model = get_cfmodel_from(template).resolve(extra_params={"Principal": principal})

    result = rule.invoke(model)

    assert not result.valid
    # One blocking finding, none in monitor mode.
    assert len(result.failed_rules) == 1
    assert len(result.failed_monitored_rules) == 0
    (failed_rule,) = result.failed_rules
    # The message text is produced by the rule; it is compared verbatim.
    expected_reason = (
        f"KMSKey has forbidden cross-account policy allow with {principal} "
        "for an KMS Key Policy"
    )
    assert failed_rule.reason == expected_reason
def test_failures_are_raised(template_path):
    """A bucket without object versioning yields one LOW-risk blocking failure.

    ``template_path`` is supplied by the parametrized caller; the template is
    expected to declare a bucket with logical id ``VersionBucket``.
    """
    model = get_cfmodel_from(template_path).resolve()
    outcome = S3ObjectVersioningRule(Config()).invoke(model)

    expected = Failure(
        granularity=RuleGranularity.RESOURCE,
        reason="S3 Bucket VersionBucket is required to have object versioning enabled",
        risk_value=RuleRisk.LOW,
        rule="S3ObjectVersioningRule",
        rule_mode=RuleMode.BLOCKING,
        actions=None,
        resource_ids={"VersionBucket"},
        resource_types={"AWS::S3::Bucket"},
    )
    assert not outcome.valid
    assert compare_lists_of_failures(outcome.failures, [expected])
def test_failures_are_raised(bad_template_path):
    """A symmetric KMS key without rotation yields one HIGH-risk blocking failure.

    ``bad_template_path`` comes from the parametrized caller; the template is
    expected to declare a key with logical id ``KMSKey``.

    NOTE(review): unlike the expectations in the other rule tests, this Failure
    carries no ``resource_types`` — presumably KMSKeyEnabledKeyRotation does not
    populate it; confirm against the rule before adding it here.
    """
    model = get_cfmodel_from(bad_template_path).resolve()
    outcome = KMSKeyEnabledKeyRotation(Config()).invoke(model)

    expected = Failure(
        granularity=RuleGranularity.RESOURCE,
        reason="KMS Key KMSKey should have the key rotation enabled for symmetric keys",
        risk_value=RuleRisk.HIGH,
        rule="KMSKeyEnabledKeyRotation",
        rule_mode=RuleMode.BLOCKING,
        actions=None,
        resource_ids={"KMSKey"},
    )
    assert not outcome.valid
    assert compare_lists_of_failures(outcome.failures, [expected])
def test_failures_are_raised(template_path):
    """An unencrypted EBS volume yields one MEDIUM-risk blocking failure.

    ``template_path`` is supplied by the parametrized caller; the template is
    expected to declare an ``AWS::EC2::Volume`` with logical id ``TestVolume``.
    """
    config = Config(aws_account_id="123456789")
    model = get_cfmodel_from(template_path).resolve()
    outcome = EBSVolumeHasSSERule(config).invoke(model)

    expected = Failure(
        granularity=RuleGranularity.RESOURCE,
        reason="EBS volume TestVolume should have server-side encryption enabled",
        risk_value=RuleRisk.MEDIUM,
        rule="EBSVolumeHasSSERule",
        rule_mode=RuleMode.BLOCKING,
        actions=None,
        resource_ids={"TestVolume"},
        resource_types={"AWS::EC2::Volume"},
    )
    assert not outcome.valid
    assert compare_lists_of_failures(outcome.failures, [expected])
def test_es_domain_cross_account_failure(principal):
    """An Elasticsearch domain policy trusting an untrusted ``principal`` is blocked.

    ``principal`` comes from the parametrized caller and is substituted into the
    template's ``Principal`` parameter; it is expected to be neither the
    configured account nor the allowed ``999999999``.
    """
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = ElasticsearchDomainCrossAccountTrustRule(config)
    template = "rules/CrossAccountTrustRule/es_domain_basic.yml"
    model = get_cfmodel_from(template).resolve(extra_params={"Principal": principal})

    outcome = rule.invoke(model)

    expected = Failure(
        granularity=RuleGranularity.RESOURCE,
        reason=(
            f"TestDomain has forbidden cross-account policy allow with {principal} "
            "for an ES domain policy."
        ),
        risk_value=RuleRisk.MEDIUM,
        rule="ElasticsearchDomainCrossAccountTrustRule",
        rule_mode=RuleMode.BLOCKING,
        actions=None,
        resource_ids={"TestDomain"},
        resource_types={"AWS::Elasticsearch::Domain"},
    )
    assert not outcome.valid
    assert compare_lists_of_failures(outcome.failures, [expected])
def sqs_policy_public():
    """Resolved model of the SQSQueuePolicyPublicRule template with a public queue policy."""
    template = "rules/SQSQueuePolicyPublicRule/sqs_policy_public.json"
    return get_cfmodel_from(template).resolve()
def bad_template():
    """Resolved model of the non-compliant S3BucketPublicReadWriteAclRule template."""
    template = "rules/S3BucketPublicReadWriteAclRule/bad_template.json"
    return get_cfmodel_from(template).resolve()
def bad_template():
    """Resolved model of a KMSEnabledKeyRotation template: symmetric key with the rotation property absent."""
    template = "rules/KMSEnabledKeyRotation/bad_template_symmetric_no_property.yaml"
    return get_cfmodel_from(template).resolve()
def s3_bucket_with_wildcards():
    """Resolved model of the non-compliant SQSQueuePolicyNotPrincipalRule template.

    NOTE(review): the fixture name mentions an S3 bucket but the template lives
    under SQSQueuePolicyNotPrincipalRule — the name may be stale; check the
    JSON before relying on it.
    """
    template = "rules/SQSQueuePolicyNotPrincipalRule/bad_template.json"
    return get_cfmodel_from(template).resolve()
def bad_template_instances():
    """Resolved model of the HardcodedRDSPasswordRule template with offending DB instances."""
    template = "rules/HardcodedRDSPasswordRule/bad_template.json"
    return get_cfmodel_from(template).resolve()
def bad_template_clusters_with_bad_instances():
    """Resolved model of the HardcodedRDSPasswordRule template mixing clusters and instances."""
    template = "rules/HardcodedRDSPasswordRule/bad_clusters_and_instances.json"
    return get_cfmodel_from(template).resolve()
def security_group_with_egress():
    """Resolved model of the EC2SecurityGroupMissingEgressRule template whose group declares egress."""
    template = "rules/EC2SecurityGroupMissingEgressRule/security_group_with_egress.json"
    return get_cfmodel_from(template).resolve()
def template_valid_with_canonical_id():
    """Resolved model of the CrossAccountTrustRule template that uses a canonical id principal."""
    template = "rules/CrossAccountTrustRule/valid_with_canonical_id.json"
    return get_cfmodel_from(template).resolve()
def template_two_roles_dict():
    """Resolved model of the CrossAccountTrustRule template with two IAM roles trusting another account's root."""
    template = "rules/CrossAccountTrustRule/iam_root_role_cross_account_two_roles.json"
    return get_cfmodel_from(template).resolve()
def invalid_security_group_range():
    """Resolved model of the SecurityGroupOpenToWorldRule template with an open port range."""
    template = "rules/SecurityGroupOpenToWorldRule/invalid_security_group_range.json"
    return get_cfmodel_from(template).resolve()
def valid_security_group_port443():
    """Resolved model of the SecurityGroupOpenToWorldRule template exposing only port 443."""
    template = "rules/SecurityGroupOpenToWorldRule/valid_security_group_port443.json"
    return get_cfmodel_from(template).resolve()
def sqs_policy():
    """Resolved model of the SQSDangerousPolicyActionsRule queue-policy template."""
    template = "rules/SQSDangerousPolicyActionsRule/sqs_policy.json"
    return get_cfmodel_from(template).resolve()
def invalid_security_group_multiple_statements():
    """Resolved model of the SecurityGroupOpenToWorldRule template with several ingress statements."""
    template = (
        "rules/SecurityGroupOpenToWorldRule/invalid_security_group_multiple_statements.json"
    )
    return get_cfmodel_from(template).resolve()
def bad_template_clusters():
    """Resolved model of the HardcodedRDSPasswordRule template with offending DB clusters."""
    template = "rules/HardcodedRDSPasswordRule/bad_template_cluster.json"
    return get_cfmodel_from(template).resolve()
def template_valid_with_service():
    """Resolved model of the CrossAccountTrustRule template that trusts an AWS service principal."""
    template = "rules/CrossAccountTrustRule/valid_with_service.json"
    return get_cfmodel_from(template).resolve()
def bad_template():
    """Resolved model of the non-compliant FullWilcardPrincipalRule template.

    The directory name ``FullWilcardPrincipalRule`` (missing ``d``) is part of the
    on-disk path and is kept verbatim.
    """
    template = "rules/FullWilcardPrincipalRule/bad_template.json"
    return get_cfmodel_from(template).resolve()
def template_invalid_with_sts():
    """Resolved model of the CrossAccountTrustRule template that is non-compliant via an STS principal."""
    template = "rules/CrossAccountTrustRule/invalid_with_sts.yml"
    return get_cfmodel_from(template).resolve()
def single_security_group_one_cidr_ingress():
    """Resolved model of the EC2SecurityGroupMissingEgressRule template with one CIDR ingress and no egress."""
    template = (
        "rules/EC2SecurityGroupMissingEgressRule/single_security_group_one_cidr_ingress.json"
    )
    return get_cfmodel_from(template).resolve()