def test_generic_cross_account_for_opensearch_domain_different_principals(principal):
    """Block an OpenSearch domain whose access policy trusts an outside principal.

    ``principal`` is injected by pytest (a fixture or parametrize decorator that
    is not visible in this listing). The rule is evaluated as account 123456789
    with only 999999999 allow-listed, and the ``Principal`` substituted into the
    template is expected to surface as one MEDIUM, BLOCKING, resource-level
    failure on ``TestDomain``.
    """
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = GenericCrossAccountTrustRule(config)

    template = get_cfmodel_from("rules/CrossAccountTrustRule/opensearch_domain_basic.yml")
    model = template.resolve(extra_params={"Principal": principal})
    report = rule.invoke(model)

    expected_failures = [
        Failure(
            granularity=RuleGranularity.RESOURCE,
            reason=f"TestDomain has forbidden cross-account with {principal}",
            risk_value=RuleRisk.MEDIUM,
            rule="GenericCrossAccountTrustRule",
            rule_mode=RuleMode.BLOCKING,
            actions=None,
            resource_ids={"TestDomain"},
            resource_types={"AWS::OpenSearchService::Domain"},
        )
    ]

    assert not report.valid
    assert compare_lists_of_failures(report.failures, expected_failures)
def test_generic_cross_account_rule_for_resources_with_set_principals(template, is_valid, failures):
    """Table-driven check of the rule against pre-built templates.

    ``template``, ``is_valid`` and ``failures`` arrive together from a
    parametrize decorator that is not visible in this listing; each row pins
    both the overall verdict and the exact failure list for a fixed
    configuration (account 123456789, allow-listed principal 999999999).
    """
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    report = GenericCrossAccountTrustRule(config).invoke(template)

    assert report.valid == is_valid
    assert compare_lists_of_failures(report.failures, failures)
def test_s3_bucket_cross_account_from_aws_service_with_generic(s3_bucket_cross_account_from_aws_service):
    """A bucket policy granting an AWS service principal is not cross-account.

    The fixture (defined outside this listing) is presumably a bucket policy
    whose principal is a service rather than a foreign account; no
    ``aws_principals`` allow-list is configured, so the pass must come from the
    principal kind alone.
    """
    config = Config(aws_account_id="123456789")
    report = GenericCrossAccountTrustRule(config).invoke(s3_bucket_cross_account_from_aws_service)

    assert report.valid
    assert compare_lists_of_failures(report.failures, [])
def test_generic_rule_supports_filter_config(s3_bucket_cross_account_and_normal, default_allow_all_config):
    """Filter configuration can suppress the rule's cross-account findings.

    Both fixtures are defined outside this listing. ``default_allow_all_config``
    is presumably a ``Config`` carrying an allow-everything filter, so a template
    that mixes a cross-account bucket policy with a normal one is expected to
    produce no failures at all.
    """
    rule = GenericCrossAccountTrustRule(default_allow_all_config)
    report = rule.invoke(s3_bucket_cross_account_and_normal)

    assert report.valid
    assert compare_lists_of_failures(report.failures, [])
def test_s3_bucket_cross_account_for_current_account_with_generic(s3_bucket_cross_account):
    """Trusting the scanning account itself is not cross-account.

    Uses the same ``s3_bucket_cross_account`` fixture that
    ``test_s3_bucket_cross_account_with_generic`` fails as account 123456789;
    here the rule runs as 987654321, which matches the ``arn:aws:iam::987654321:root``
    principal that test reports, so the policy is expected to be accepted.
    """
    config = Config(aws_account_id="987654321")
    report = GenericCrossAccountTrustRule(config).invoke(s3_bucket_cross_account)

    assert report.valid
    assert compare_lists_of_failures(report.failures, [])
def test_generic_cross_account_with_kms_key_success(principal):
    """A KMS key policy whose principal is acceptable yields no failure.

    ``principal`` is injected by pytest (fixture or parametrize decorator not
    visible in this listing); presumably each value is either the scanning
    account 123456789 or the allow-listed 999999999, since the test expects a
    clean result.
    """
    config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = GenericCrossAccountTrustRule(config)

    template = get_cfmodel_from("rules/CrossAccountTrustRule/kms_basic.yml")
    model = template.resolve(extra_params={"Principal": principal})
    report = rule.invoke(model)

    assert report.valid
    assert compare_lists_of_failures(report.failures, [])
def test_iam_role_is_checked_in_generic_rule(template_one_role):
    """An IAM role trust policy that names a foreign role is blocked.

    Runs as account 123456789 with no allow-list. The ``template_one_role``
    fixture (outside this listing) must contain a role ``RootRole`` whose trust
    policy names ``arn:aws:iam::999999999:role/[email protected]``; the expected
    failure reason quotes that principal verbatim.

    NOTE(review): ``test_iam_role_is_ignored_in_generic_rule`` runs the same
    fixture under the same ``Config`` but expects a clean result — confirm the
    decorator, fixture override or monkeypatch that distinguishes the two was
    not lost from this listing.
    """
    config = Config(aws_account_id="123456789")
    report = GenericCrossAccountTrustRule(config).invoke(template_one_role)

    expected_failures = [
        Failure(
            granularity=RuleGranularity.RESOURCE,
            reason="RootRole has forbidden cross-account with arn:aws:iam::999999999:role/[email protected]",
            risk_value=RuleRisk.MEDIUM,
            rule="GenericCrossAccountTrustRule",
            rule_mode=RuleMode.BLOCKING,
            actions=None,
            resource_ids={"RootRole"},
            resource_types={"AWS::IAM::Role"},
        )
    ]

    assert not report.valid
    assert compare_lists_of_failures(report.failures, expected_failures)
def test_s3_bucket_cross_account_with_generic(s3_bucket_cross_account):
    """A bucket policy trusting another account's root is blocked.

    Runs as account 123456789 with no allow-list; the fixture (outside this
    listing) must hold a ``S3BucketPolicyAccountAccess`` resource whose principal
    is ``arn:aws:iam::987654321:root``. A ``:root`` principal delegates access to
    whatever identities the other account chooses to authorize, which is why a
    single such grant is enough for a MEDIUM, BLOCKING failure.
    """
    config = Config(aws_account_id="123456789")
    report = GenericCrossAccountTrustRule(config).invoke(s3_bucket_cross_account)

    expected_failures = [
        Failure(
            granularity=RuleGranularity.RESOURCE,
            reason="S3BucketPolicyAccountAccess has forbidden cross-account with arn:aws:iam::987654321:root",
            risk_value=RuleRisk.MEDIUM,
            rule="GenericCrossAccountTrustRule",
            rule_mode=RuleMode.BLOCKING,
            actions=None,
            resource_ids={"S3BucketPolicyAccountAccess"},
            resource_types={"AWS::S3::BucketPolicy"},
        )
    ]

    assert not report.valid
    assert compare_lists_of_failures(report.failures, expected_failures)
def test_iam_role_is_ignored_in_generic_rule(template_one_role):
    """The IAM role in ``template_one_role`` produces no failure here.

    NOTE(review): the body is identical to
    ``test_iam_role_is_checked_in_generic_rule`` (same fixture, same
    ``Config(aws_account_id="123456789")``) yet asserts the opposite verdict.
    Whatever makes the role ignored — a parametrize/marker decorator, a fixture
    override or a monkeypatch — is not visible in this listing; confirm it is
    still attached in the real file, otherwise one of the two tests cannot pass.
    """
    config = Config(aws_account_id="123456789")
    report = GenericCrossAccountTrustRule(config).invoke(template_one_role)

    assert report.valid
    assert compare_lists_of_failures(report.failures, [])
def test_iam_role_to_jump_to_another_account(template_iam_role_to_jump_to_another_account):
    """A role that assumes into another account is not flagged as trusting it.

    The fixture (outside this listing) is, by its name, a role with permission to
    jump to a foreign account — an outbound grant. Presumably its trust policy
    names no foreign principal, so the rule, which inspects who may assume the
    role, reports nothing. Confirm against the fixture if this expectation changes.
    """
    config = Config(aws_account_id="123456789")
    report = GenericCrossAccountTrustRule(config).invoke(template_iam_role_to_jump_to_another_account)

    assert report.valid
    assert compare_lists_of_failures(report.failures, [])