def test_config_poll_rule_evaluation(self):
session_factory = self.record_flight_data("test_config_poll_rule_provision")
p = self.load_policy({
'name': 'configx',
'resource': 'aws.kinesis',
'mode': {
'schedule': 'Three_Hours',
'type': 'config-poll-rule'}})
mu_policy = PolicyLambda(p)
mu_policy.arn = "arn:aws:lambda:us-east-1:644160558196:function:CloudCustodian"
events = mu_policy.get_events(session_factory)
self.assertEqual(len(events), 1)
config_rule = events.pop()
self.assertEqual(
config_rule.get_rule_params(mu_policy),
{'ConfigRuleName': 'custodian-configx',
'Description': 'cloud-custodian lambda policy',
'MaximumExecutionFrequency': 'Three_Hours',
'Scope': {'ComplianceResourceTypes': ['AWS::Kinesis::Stream']},
'Source': {
'Owner': 'CUSTOM_LAMBDA',
'SourceDetails': [{'EventSource': 'aws.config',
'MessageType': 'ScheduledNotification'}],
'SourceIdentifier': 'arn:aws:lambda:us-east-1:644160558196:function:CloudCustodian'} # noqa
})
def test_cwe_security_hub_action(self):
factory = self.replay_flight_data('test_mu_cwe_sechub_action')
p = self.load_policy(
{
'name': 'sechub',
'resource': 'account',
'mode': {
'type': 'hub-action'
}
},
session_factory=factory,
config={'account_id': ACCOUNT_ID})
mu_policy = PolicyLambda(p)
events = mu_policy.get_events(factory)
self.assertEqual(len(events), 1)
hub_action = events.pop()
self.assertEqual(
json.loads(hub_action.cwe.render_event_pattern()), {
'resources': [
'arn:aws:securityhub:us-east-1:644160558196:action/custom/sechub'
],
'source': ['aws.securityhub'],
'detail-type': [
'Security Hub Findings - Custom Action',
'Security Hub Insight Results'
]
})
hub_action.cwe = cwe = mock.Mock(CloudWatchEventSource)
cwe.get.return_value = False
cwe.update.return_value = True
cwe.add.return_value = True
self.assertEqual(repr(hub_action), "<SecurityHub Action sechub>")
self.assertEqual(
hub_action._get_arn(),
"arn:aws:securityhub:us-east-1:644160558196:action/custom/sechub")
self.assertEqual(hub_action.get(mu_policy.name), {
'event': False,
'action': None
})
hub_action.add(mu_policy)
self.assertEqual(
{
'event': False,
'action': {
'ActionTargetArn': ('arn:aws:securityhub:us-east-1:'
'644160558196:action/custom/sechub'),
'Name':
'Account sechub',
'Description':
'sechub'
}
}, hub_action.get(mu_policy.name))
hub_action.update(mu_policy)
hub_action.remove(mu_policy)
self.assertEqual(hub_action.get(mu_policy.name), {
'event': False,
'action': None
})
def test_phd_mode(self):
factory = self.replay_flight_data('test_phd_event_mode')
p = self.load_policy(
{
'name': 'ec2-retire',
'resource': 'ec2',
'mode': {
'categories': ['scheduledChange'],
'events':
['AWS_EC2_PERSISTENT_INSTANCE_RETIREMENT_SCHEDULED'],
'type': 'phd'
}
},
session_factory=factory)
mode = p.get_execution_mode()
event = event_data('event-phd-ec2-retire.json')
resources = mode.run(event, None)
self.assertEqual(len(resources), 1)
p_lambda = PolicyLambda(p)
events = p_lambda.get_events(factory)
self.assertEqual(
json.loads(events[0].render_event_pattern()), {
'detail': {
'eventTypeCategory': ['scheduledChange'],
'eventTypeCode':
['AWS_EC2_PERSISTENT_INSTANCE_RETIREMENT_SCHEDULED']
},
'source': ['aws.health']
})
def test_phd_mode_sans_details(self):
factory = self.replay_flight_data('test_phd_event_mode')
p = self.load_policy(
{'name': 'ec2-retire',
'resource': 'account',
'mode': {'type': 'phd'}}, session_factory=factory)
p_lambda = PolicyLambda(p)
events = p_lambda.get_events(factory)
self.assertEqual(
json.loads(events[0].render_event_pattern()),
{'source': ['aws.health']}
)
def test_cwe_trail(self):
session_factory = self.replay_flight_data("test_cwe_trail", zdata=True)
p = self.load_policy(
{
"resource":
"s3",
"name":
"s3-bucket-policy",
"mode": {
"type": "cloudtrail",
"events": ["CreateBucket"]
},
"filters": [{
"type": "missing-policy-statement",
"statement_ids": ["RequireEncryptedPutObject"],
}],
"actions": ["no-op"]
},
session_factory=session_factory)
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
self.addCleanup(mgr.remove, pl)
result = mgr.publish(pl, "Dev", role=ROLE)
events = pl.get_events(session_factory)
self.assertEqual(len(events), 1)
event = events.pop()
self.assertEqual(
json.loads(event.render_event_pattern()),
{
u"detail": {
u"eventName": [u"CreateBucket"],
u"eventSource": [u"s3.amazonaws.com"],
},
u"detail-type": ["AWS API Call via CloudTrail"],
},
)
self.assert_items(
result,
{
"Description": "cloud-custodian lambda policy",
"FunctionName": "custodian-s3-bucket-policy",
"Handler": "custodian_policy.run",
"MemorySize": 512,
"Runtime": "python2.7",
"Timeout": 60,
},
)
def test_cwe_trail(self):
session_factory = self.replay_flight_data("test_cwe_trail", zdata=True)
p = Policy(
{
"resource": "s3",
"name": "s3-bucket-policy",
"mode": {"type": "cloudtrail", "events": ["CreateBucket"]},
"filters": [
{
"type": "missing-policy-statement",
"statement_ids": ["RequireEncryptedPutObject"],
}
],
"actions": ["no-op"],
},
Config.empty(),
)
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
self.addCleanup(mgr.remove, pl)
result = mgr.publish(pl, "Dev", role=ROLE)
events = pl.get_events(session_factory)
self.assertEqual(len(events), 1)
event = events.pop()
self.assertEqual(
json.loads(event.render_event_pattern()),
{
u"detail": {
u"eventName": [u"CreateBucket"],
u"eventSource": [u"s3.amazonaws.com"],
},
u"detail-type": ["AWS API Call via CloudTrail"],
},
)
self.assert_items(
result,
{
"Description": "cloud-custodian lambda policy",
"FunctionName": "custodian-s3-bucket-policy",
"Handler": "custodian_policy.run",
"MemorySize": 512,
"Runtime": "python2.7",
"Timeout": 60,
},
)
def test_phd_mode_account(self):
factory = self.replay_flight_data('test_phd_event_account')
p = self.load_policy(
{'name': 'ec2-retire',
'resource': 'account',
'mode': {
'categories': ['issue', 'scheduledChange'],
'statuses': ['open', 'upcoming'],
'type': 'phd'}}, session_factory=factory)
p_lambda = PolicyLambda(p)
events = p_lambda.get_events(factory)
self.assertEqual(
json.loads(events[0].render_event_pattern()),
{'detail': {
'eventTypeCategory': ['issue', 'scheduledChange']},
'source': ['aws.health']}
)
def test_cwe_trail(self):
session_factory = self.replay_flight_data('test_cwe_trail', zdata=True)
p = Policy(
{
'resource':
's3',
'name':
's3-bucket-policy',
'mode': {
'type': 'cloudtrail',
'events': ["CreateBucket"],
},
'filters': [{
'type': 'missing-policy-statement',
'statement_ids': ['RequireEncryptedPutObject']
}],
'actions': ['no-op']
}, Config.empty())
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
result = mgr.publish(pl, 'Dev', role=self.role)
events = pl.get_events(session_factory)
self.assertEqual(len(events), 1)
event = events.pop()
self.assertEqual(
json.loads(event.render_event_pattern()), {
u'detail': {
u'eventName': [u'CreateBucket'],
u'eventSource': [u's3.amazonaws.com']
},
u'detail-type': ['AWS API Call via CloudTrail']
})
self.assert_items(
result, {
'Description': 'cloud-custodian lambda policy',
'FunctionName': 'custodian-s3-bucket-policy',
'Handler': 'custodian_policy.run',
'MemorySize': 512,
'Runtime': 'python2.7',
'Timeout': 60
})
mgr.remove(pl)
def test_user_pattern_merge(self):
p = self.load_policy({
'name': 'ec2-retire',
'resource': 'ec2',
'mode': {
'type': 'cloudtrail',
'pattern': {
'detail': {
'userIdentity': {
'userName': [{'anything-but': 'deputy'}]}}},
'events': [{
'ids': 'responseElements.subnet.subnetId',
'source': 'ec2.amazonaws.com',
'event': 'CreateSubnet'}]}})
p_lambda = PolicyLambda(p)
events = p_lambda.get_events(None)
self.assertEqual(
json.loads(events[0].render_event_pattern()),
{'detail': {'eventName': ['CreateSubnet'],
'eventSource': ['ec2.amazonaws.com'],
'userIdentity': {'userName': [{'anything-but': 'deputy'}]}},
'detail-type': ['AWS API Call via CloudTrail']})
def test_phd_mode(self):
factory = self.replay_flight_data('test_phd_event_mode')
p = self.load_policy(
{'name': 'ec2-retire',
'resource': 'ec2',
'mode': {
'categories': ['scheduledChange'],
'events': ['AWS_EC2_PERSISTENT_INSTANCE_RETIREMENT_SCHEDULED'],
'type': 'phd'}}, session_factory=factory)
mode = p.get_execution_mode()
event = event_data('event-phd-ec2-retire.json')
resources = mode.run(event, None)
self.assertEqual(len(resources), 1)
p_lambda = PolicyLambda(p)
events = p_lambda.get_events(factory)
self.assertEqual(
json.loads(events[0].render_event_pattern()),
{'detail': {
'eventTypeCategory': ['scheduledChange'],
'eventTypeCode': ['AWS_EC2_PERSISTENT_INSTANCE_RETIREMENT_SCHEDULED']},
'source': ['aws.health']}
)
def test_cwe_trail(self):
session_factory = self.replay_flight_data('test_cwe_trail', zdata=True)
p = Policy({
'resource': 's3',
'name': 's3-bucket-policy',
'mode': {
'type': 'cloudtrail',
'events': ["CreateBucket"],
},
'filters': [
{'type': 'missing-policy-statement',
'statement_ids': ['RequireEncryptedPutObject']}],
'actions': ['no-op']
}, Config.empty())
pl = PolicyLambda(p)
mgr = LambdaManager(session_factory)
result = mgr.publish(pl, 'Dev', role=self.role)
events = pl.get_events(session_factory)
self.assertEqual(len(events), 1)
event = events.pop()
self.assertEqual(
json.loads(event.render_event_pattern()),
{u'detail': {u'eventName': [u'CreateBucket'],
u'eventSource': [u'aws.s3']},
u'detail-type': ['AWS API Call via CloudTrail']})
self.assert_items(
result,
{'Description': 'cloud-custodian lambda policy',
'FunctionName': 'custodian-s3-bucket-policy',
'Handler': 'custodian_policy.run',
'MemorySize': 512,
'Runtime': 'python2.7',
'Timeout': 60})
mgr.remove(pl)
