def test_securityhub_resource_support(self):
session = fake_session()._session
model = session.get_service_model('securityhub')
shape = model.shape_for('ResourceDetails')
mangled_hub_types = set(shape.members.keys())
resource_hub_types = set()
whitelist = set(('AwsS3Object', 'Container'))
todo = set((
# newer wave q3 2020
'AwsDynamoDbTable',
'AwsEc2Eip',
'AwsIamPolicy',
'AwsIamUser',
'AwsRdsDbCluster',
'AwsRdsDbClusterSnapshot',
'AwsRdsDbSnapshot',
'AwsSecretsManagerSecret',
# older wave
'AwsRdsDbInstance',
'AwsElbv2LoadBalancer',
'AwsEc2SecurityGroup',
'AwsIamAccessKey',
'AwsEc2NetworkInterface',
'AwsWafWebAcl'))
mangled_hub_types = mangled_hub_types.difference(whitelist).difference(todo)
for k, v in manager.resources.items():
finding = v.action_registry.get('post-finding')
if finding:
resource_hub_types.add(finding.resource_type)
assert mangled_hub_types.difference(resource_hub_types) == set()
def test_config_resource_support(self):
# for several of these we express support as filter or action instead
# of a resource.
whitelist = {
'AWS::EC2::Host', 'AWS::EC2::RegisteredHAInstance',
'AWS::EC2::EgressOnlyInternetGateway',
'AWS::EC2::VPCEndpointService', 'AWS::EC2::FlowLog',
'AWS::RDS::DBSecurityGroup', 'AWS::RDS::EventSubscription',
'AWS::S3::AccountPublicAccessBlock',
'AWS::Redshift::ClusterParameterGroup',
'AWS::Redshift::ClusterSecurityGroup',
'AWS::Redshift::EventSubscription',
'AWS::SSM::ManagedInstanceInventory',
'AWS::AutoScaling::ScalingPolicy',
'AWS::AutoScaling::ScheduledAction', 'AWS::WAF::RateBasedRule',
'AWS::WAF::Rule', 'AWS::WAF::RuleGroup',
'AWS::WAFRegional::RateBasedRule', 'AWS::WAFRegional::Rule',
'AWS::WAFRegional::RuleGroup',
'AWS::ElasticBeanstalk::ApplicationVersion', 'AWS::WAFv2::WebACL',
'AWS::WAFv2::RuleGroup', 'AWS::WAFv2::IPSet',
'AWS::WAFv2::RegexPatternSet', 'AWS::WAFv2::ManagedRuleSet',
'AWS::XRay::EncryptionConfig', 'AWS::SSM::AssociationCompliance',
'AWS::SSM::PatchCompliance', 'AWS::ShieldRegional::Protection',
'AWS::Config::ResourceCompliance', 'AWS::ApiGatewayV2::Stage',
'AWS::ApiGatewayV2::Api',
'AWS::ServiceCatalog::CloudFormationProvisionedProduct',
'AWS::ServiceCatalog::CloudFormationProduct',
'AWS::ServiceCatalog::Portfolio'
}
resource_map = {}
for k, v in manager.resources.items():
if not v.resource_type.config_type:
continue
resource_map[v.resource_type.config_type] = v
resource_config_types = set(resource_map)
session = fake_session()._session
model = session.get_service_model('config')
shape = model.shape_for('ResourceType')
config_types = set(shape.enum).difference(whitelist)
missing = config_types.difference(resource_config_types)
if missing:
raise AssertionError("Missing config types \n %s" %
('\n'.join(missing)))
bad_types = resource_config_types.difference(config_types)
if bad_types:
raise AssertionError("Invalid config types \n %s" %
('\n'.join(bad_types)))
