
Updates needed to fully support the CIS AWS Foundations Benchmark v2.0.0 #981

Draft: wants to merge 93 commits into base: main

Conversation

aaronlippold

@aaronlippold aaronlippold commented Nov 14, 2023

Description

General updates, fixes and new resources to the resource pack to support the cis-aws-foundations-v2 benchmark.

  • Add a resource for the aws-iam-credential-report endpoint

  • Add resources for the aws-accounts-endpoint (primary, billing, security and operations)

  • Add Resource For AWS Macie2 (Related Updated Deps for All Gems train-aws#519)

  • Updates to aws_s3_bucket

    • Add prevent_public_access_by_account? using current aws-sdk-s3control v 1.77 working gem (Related Updated Deps for All Gems train-aws#519)
    • added missing docs on prevent_public_access
    • added alias of prevent_public_access as preventing_public_access_via_bucket for readability.
    • added alias of prevent_public_access_by_account as preventing_public_access_by_account for readability.
    • removed redundant call to catch_aws_errors in the API call given we are handling the exceptions in the matcher.
  • Correct errors in the iam_policy documentation

  • Fix docs/example for IAM Users (it's currently the one from IAM User)

  • Fix the resource_id and to_s functions for cloud watch log metric filter so that it handles the case when there are no metric filters

  • Fix iam_access_keys

Current Resource Pack Errors

Likely mishandled exceptions missing from aws_backend and/or catch_aws_errors

  • if possible, address / resolve the following warnings
    • [2023-11-14T11:23:01-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_users. Error message: Login Profile for User emailoctopus cannot be found.. You should address this error to ensure your controls are behaving as expected.

    • [2023-11-14T11:23:02-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_users. Error message: Login Profile for User inspec_aws cannot be found.. You should address this error to ensure your controls are behaving as expected.

    • [2023-11-14T11:23:02-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_users. Error message: Login Profile for User ses-smtp-user.20191012-150745 cannot be found.. You should address this error to ensure your controls are behaving as expected.

    • [2023-11-14T11:23:29-05:00] WARN: AWS IAM Credential Report still being generated - attempt 1/5.

    • [2023-11-14T11:25:12-05:00] WARN: No contact of the inputted alternate contact type found.

    • [2023-11-14T11:25:12-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_password_policy. Error message: The Password Policy with domain name 916481805664 cannot be found.. You should address this error to ensure your controls are behaving as expected.

    • [2023-11-14T11:25:12-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_password_policy. Error message: The Password Policy with domain name 916481805664 cannot be found.. You should address this error to ensure your controls are behaving as expected.


### Check List
Please tick the appropriate box ([x]) or mark N/A.
- [x] New functionality includes integration tests/controls
- [ ] New Terraform resources
- [ ] Documentation provided or updated for resources 
- [ ] All Integration Tests pass
- [ ] All Unit Tests pass
- [ ] `rake lint` passes
- [x] All commits have been signed-off for the Developer Certificate of Origin. See <https://github.com/chef/chef/blob/master/CONTRIBUTING.md#developer-certification-of-origin-dco>

Signed-off-by: Aaron Lippold <lippold@gmail.com>
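One way to treat the two warning classes listed above (a user with no login profile, a credential report still being generated) as expected states rather than service errors. This is an added example, not inspec-aws project code: the aws-sdk client and its error classes are replaced by constructed stubs (StubIamClient, NoSuchEntity and ReportInProgress are hypothetical names) so it runs offline.

```ruby
# Constructed stand-ins for the aws-sdk-iam error classes (hypothetical names,
# not the gem's own), so the example runs offline.
class NoSuchEntity < StandardError; end
class ReportInProgress < StandardError; end

# Stub IAM client: only 'alice' has a console login profile, and the
# credential report needs two polls before it is ready.
class StubIamClient
  def initialize(profiles: ['alice'], polls_until_ready: 2)
    @profiles = profiles
    @remaining = polls_until_ready
  end

  def get_login_profile(user_name:)
    return { user_name: user_name } if @profiles.include?(user_name)
    raise NoSuchEntity, "Login Profile for User #{user_name} cannot be found."
  end

  def get_credential_report
    if @remaining > 0
      @remaining -= 1
      raise ReportInProgress, 'Report generation in progress.'
    end
    { content: "user,password_enabled\nalice,true\nbob,false\n" }
  end
end

# A user with no login profile is a normal state (an access-key-only user),
# not a service error: map NoSuchEntity to false instead of warning.
def console_password?(client, user)
  client.get_login_profile(user_name: user)
  true
rescue NoSuchEntity
  false
end

# Poll the credential report a bounded number of times, sleeping between
# polls; only the final failed attempt is raised to the caller.
def fetch_credential_report(client, attempts: 5, delay: 0)
  attempts.times do |i|
    begin
      return client.get_credential_report[:content]
    rescue ReportInProgress
      warn "AWS IAM Credential Report still being generated - attempt #{i + 1}/#{attempts}."
      sleep delay
    end
  end
  raise ReportInProgress, "credential report not ready after #{attempts} attempts"
end
```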
@aaronlippold aaronlippold requested a review from a team as a code owner November 14, 2023 14:48

netlify bot commented Nov 14, 2023

Deploy Preview for inspec-aws canceled.

Name Link
🔨 Latest commit 0c0280c
🔍 Latest deploy log https://app.netlify.com/sites/inspec-aws/deploys/65a1481fe449f900080b7e8a

@aaronlippold aaronlippold changed the title Recreating #977 on a fresh pull from main Recreating #971 on a fresh pull from main Nov 14, 2023
Signed-off-by: Aaron Lippold <lippold@gmail.com>
@aaronlippold aaronlippold marked this pull request as draft November 14, 2023 16:28
* Fixed error collection in constructor to not incorrectly fail
* Updated warning message to not add extra '.' in outputs

Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
- added documentation for all four resources
- added an alias for `configured?` to point to `exist?`

Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
@aaronlippold aaronlippold changed the title Recreating #971 on a fresh pull from main Updates to the resource pack to add aws-account resources, updates to aws-iam-access-key Nov 18, 2023
aaronlippold and others added 15 commits November 18, 2023 11:44
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* added the aws-alternate-contact resource
* updated and standardized coding for security, billing and operations
  resources
* added documentation for the aws-alternate-contact resource

Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Need to add region as an optional param to the constructor

Signed-off-by: Aaron Lippold <lippold@gmail.com>
- added aws_iam_access_analyzers plural resource
- updated aws_regions and aws_region to expose opt_in data
- update aws_regions(s) docs

Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
- removed unneeded aws_region update of client args
- made feedback on allowed account types more direct
- failed fast on param errors

Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
aaronlippold and others added 23 commits December 9, 2023 21:12
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: wdower <will@dower.dev>
Signed-off-by: wdower <will@dower.dev>
Signed-off-by: wdower <will@dower.dev>
Signed-off-by: wdower <will@dower.dev>
Signed-off-by: wdower <will@dower.dev>
…y easier test writing

Signed-off-by: wdower <will@dower.dev>
Signed-off-by: wdower <will@dower.dev>
Signed-off-by: wdower <will@dower.dev>
Signed-off-by: wdower <will@dower.dev>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Will Dower <wdow95@hotmail.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
… updated monitored? method to work better with lists of buckets

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
…vent selectors

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
wdower and others added 5 commits December 21, 2023 16:38
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
…ically does it for us anyway

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <will@dower.dev>
@aaronlippold
Author

This needs to be cleaned up and documented so we can make a PR to chef to get it off our plate

@wdower
