def test_config_poll_rule_evaluation(self): session_factory = self.record_flight_data("test_config_poll_rule_provision") p = self.load_policy({ 'name': 'configx', 'resource': 'aws.kinesis', 'mode': { 'schedule': 'Three_Hours', 'type': 'config-poll-rule'}}) mu_policy = PolicyLambda(p) mu_policy.arn = "arn:aws:lambda:us-east-1:644160558196:function:CloudCustodian" events = mu_policy.get_events(session_factory) self.assertEqual(len(events), 1) config_rule = events.pop() self.assertEqual( config_rule.get_rule_params(mu_policy), {'ConfigRuleName': 'custodian-configx', 'Description': 'cloud-custodian lambda policy', 'MaximumExecutionFrequency': 'Three_Hours', 'Scope': {'ComplianceResourceTypes': ['AWS::Kinesis::Stream']}, 'Source': { 'Owner': 'CUSTOM_LAMBDA', 'SourceDetails': [{'EventSource': 'aws.config', 'MessageType': 'ScheduledNotification'}], 'SourceIdentifier': 'arn:aws:lambda:us-east-1:644160558196:function:CloudCustodian'} # noqa })
def test_cwe_security_hub_action(self): factory = self.replay_flight_data('test_mu_cwe_sechub_action') p = self.load_policy( { 'name': 'sechub', 'resource': 'account', 'mode': { 'type': 'hub-action' } }, session_factory=factory, config={'account_id': ACCOUNT_ID}) mu_policy = PolicyLambda(p) events = mu_policy.get_events(factory) self.assertEqual(len(events), 1) hub_action = events.pop() self.assertEqual( json.loads(hub_action.cwe.render_event_pattern()), { 'resources': [ 'arn:aws:securityhub:us-east-1:644160558196:action/custom/sechub' ], 'source': ['aws.securityhub'], 'detail-type': [ 'Security Hub Findings - Custom Action', 'Security Hub Insight Results' ] }) hub_action.cwe = cwe = mock.Mock(CloudWatchEventSource) cwe.get.return_value = False cwe.update.return_value = True cwe.add.return_value = True self.assertEqual(repr(hub_action), "<SecurityHub Action sechub>") self.assertEqual( hub_action._get_arn(), "arn:aws:securityhub:us-east-1:644160558196:action/custom/sechub") self.assertEqual(hub_action.get(mu_policy.name), { 'event': False, 'action': None }) hub_action.add(mu_policy) self.assertEqual( { 'event': False, 'action': { 'ActionTargetArn': ('arn:aws:securityhub:us-east-1:' '644160558196:action/custom/sechub'), 'Name': 'Account sechub', 'Description': 'sechub' } }, hub_action.get(mu_policy.name)) hub_action.update(mu_policy) hub_action.remove(mu_policy) self.assertEqual(hub_action.get(mu_policy.name), { 'event': False, 'action': None })
def test_phd_mode(self): factory = self.replay_flight_data('test_phd_event_mode') p = self.load_policy( { 'name': 'ec2-retire', 'resource': 'ec2', 'mode': { 'categories': ['scheduledChange'], 'events': ['AWS_EC2_PERSISTENT_INSTANCE_RETIREMENT_SCHEDULED'], 'type': 'phd' } }, session_factory=factory) mode = p.get_execution_mode() event = event_data('event-phd-ec2-retire.json') resources = mode.run(event, None) self.assertEqual(len(resources), 1) p_lambda = PolicyLambda(p) events = p_lambda.get_events(factory) self.assertEqual( json.loads(events[0].render_event_pattern()), { 'detail': { 'eventTypeCategory': ['scheduledChange'], 'eventTypeCode': ['AWS_EC2_PERSISTENT_INSTANCE_RETIREMENT_SCHEDULED'] }, 'source': ['aws.health'] })
def test_phd_mode_sans_details(self): factory = self.replay_flight_data('test_phd_event_mode') p = self.load_policy( {'name': 'ec2-retire', 'resource': 'account', 'mode': {'type': 'phd'}}, session_factory=factory) p_lambda = PolicyLambda(p) events = p_lambda.get_events(factory) self.assertEqual( json.loads(events[0].render_event_pattern()), {'source': ['aws.health']} )
def test_cwe_trail(self): session_factory = self.replay_flight_data("test_cwe_trail", zdata=True) p = self.load_policy( { "resource": "s3", "name": "s3-bucket-policy", "mode": { "type": "cloudtrail", "events": ["CreateBucket"] }, "filters": [{ "type": "missing-policy-statement", "statement_ids": ["RequireEncryptedPutObject"], }], "actions": ["no-op"] }, session_factory=session_factory) pl = PolicyLambda(p) mgr = LambdaManager(session_factory) self.addCleanup(mgr.remove, pl) result = mgr.publish(pl, "Dev", role=ROLE) events = pl.get_events(session_factory) self.assertEqual(len(events), 1) event = events.pop() self.assertEqual( json.loads(event.render_event_pattern()), { u"detail": { u"eventName": [u"CreateBucket"], u"eventSource": [u"s3.amazonaws.com"], }, u"detail-type": ["AWS API Call via CloudTrail"], }, ) self.assert_items( result, { "Description": "cloud-custodian lambda policy", "FunctionName": "custodian-s3-bucket-policy", "Handler": "custodian_policy.run", "MemorySize": 512, "Runtime": "python2.7", "Timeout": 60, }, )
def test_cwe_trail(self): session_factory = self.replay_flight_data("test_cwe_trail", zdata=True) p = Policy( { "resource": "s3", "name": "s3-bucket-policy", "mode": {"type": "cloudtrail", "events": ["CreateBucket"]}, "filters": [ { "type": "missing-policy-statement", "statement_ids": ["RequireEncryptedPutObject"], } ], "actions": ["no-op"], }, Config.empty(), ) pl = PolicyLambda(p) mgr = LambdaManager(session_factory) self.addCleanup(mgr.remove, pl) result = mgr.publish(pl, "Dev", role=ROLE) events = pl.get_events(session_factory) self.assertEqual(len(events), 1) event = events.pop() self.assertEqual( json.loads(event.render_event_pattern()), { u"detail": { u"eventName": [u"CreateBucket"], u"eventSource": [u"s3.amazonaws.com"], }, u"detail-type": ["AWS API Call via CloudTrail"], }, ) self.assert_items( result, { "Description": "cloud-custodian lambda policy", "FunctionName": "custodian-s3-bucket-policy", "Handler": "custodian_policy.run", "MemorySize": 512, "Runtime": "python2.7", "Timeout": 60, }, )
def test_phd_mode_account(self): factory = self.replay_flight_data('test_phd_event_account') p = self.load_policy( {'name': 'ec2-retire', 'resource': 'account', 'mode': { 'categories': ['issue', 'scheduledChange'], 'statuses': ['open', 'upcoming'], 'type': 'phd'}}, session_factory=factory) p_lambda = PolicyLambda(p) events = p_lambda.get_events(factory) self.assertEqual( json.loads(events[0].render_event_pattern()), {'detail': { 'eventTypeCategory': ['issue', 'scheduledChange']}, 'source': ['aws.health']} )
def test_cwe_trail(self): session_factory = self.replay_flight_data('test_cwe_trail', zdata=True) p = Policy( { 'resource': 's3', 'name': 's3-bucket-policy', 'mode': { 'type': 'cloudtrail', 'events': ["CreateBucket"], }, 'filters': [{ 'type': 'missing-policy-statement', 'statement_ids': ['RequireEncryptedPutObject'] }], 'actions': ['no-op'] }, Config.empty()) pl = PolicyLambda(p) mgr = LambdaManager(session_factory) result = mgr.publish(pl, 'Dev', role=self.role) events = pl.get_events(session_factory) self.assertEqual(len(events), 1) event = events.pop() self.assertEqual( json.loads(event.render_event_pattern()), { u'detail': { u'eventName': [u'CreateBucket'], u'eventSource': [u's3.amazonaws.com'] }, u'detail-type': ['AWS API Call via CloudTrail'] }) self.assert_items( result, { 'Description': 'cloud-custodian lambda policy', 'FunctionName': 'custodian-s3-bucket-policy', 'Handler': 'custodian_policy.run', 'MemorySize': 512, 'Runtime': 'python2.7', 'Timeout': 60 }) mgr.remove(pl)
def test_user_pattern_merge(self): p = self.load_policy({ 'name': 'ec2-retire', 'resource': 'ec2', 'mode': { 'type': 'cloudtrail', 'pattern': { 'detail': { 'userIdentity': { 'userName': [{'anything-but': 'deputy'}]}}}, 'events': [{ 'ids': 'responseElements.subnet.subnetId', 'source': 'ec2.amazonaws.com', 'event': 'CreateSubnet'}]}}) p_lambda = PolicyLambda(p) events = p_lambda.get_events(None) self.assertEqual( json.loads(events[0].render_event_pattern()), {'detail': {'eventName': ['CreateSubnet'], 'eventSource': ['ec2.amazonaws.com'], 'userIdentity': {'userName': [{'anything-but': 'deputy'}]}}, 'detail-type': ['AWS API Call via CloudTrail']})
def test_phd_mode(self): factory = self.replay_flight_data('test_phd_event_mode') p = self.load_policy( {'name': 'ec2-retire', 'resource': 'ec2', 'mode': { 'categories': ['scheduledChange'], 'events': ['AWS_EC2_PERSISTENT_INSTANCE_RETIREMENT_SCHEDULED'], 'type': 'phd'}}, session_factory=factory) mode = p.get_execution_mode() event = event_data('event-phd-ec2-retire.json') resources = mode.run(event, None) self.assertEqual(len(resources), 1) p_lambda = PolicyLambda(p) events = p_lambda.get_events(factory) self.assertEqual( json.loads(events[0].render_event_pattern()), {'detail': { 'eventTypeCategory': ['scheduledChange'], 'eventTypeCode': ['AWS_EC2_PERSISTENT_INSTANCE_RETIREMENT_SCHEDULED']}, 'source': ['aws.health']} )
def test_cwe_trail(self): session_factory = self.replay_flight_data('test_cwe_trail', zdata=True) p = Policy({ 'resource': 's3', 'name': 's3-bucket-policy', 'mode': { 'type': 'cloudtrail', 'events': ["CreateBucket"], }, 'filters': [ {'type': 'missing-policy-statement', 'statement_ids': ['RequireEncryptedPutObject']}], 'actions': ['no-op'] }, Config.empty()) pl = PolicyLambda(p) mgr = LambdaManager(session_factory) result = mgr.publish(pl, 'Dev', role=self.role) events = pl.get_events(session_factory) self.assertEqual(len(events), 1) event = events.pop() self.assertEqual( json.loads(event.render_event_pattern()), {u'detail': {u'eventName': [u'CreateBucket'], u'eventSource': [u'aws.s3']}, u'detail-type': ['AWS API Call via CloudTrail']}) self.assert_items( result, {'Description': 'cloud-custodian lambda policy', 'FunctionName': 'custodian-s3-bucket-policy', 'Handler': 'custodian_policy.run', 'MemorySize': 512, 'Runtime': 'python2.7', 'Timeout': 60}) mgr.remove(pl)