upd: update policy 058 to be supported by open source Cloud Custodian

epam · Sep 23, 2024 · 1a04e97 · 1a04e97
1 parent 35cc402
commit 1a04e97
Show file tree

Hide file tree

Showing 13 changed files with 153 additions and 73 deletions.
diff --git a/..._support_role_created_to_manage_incidents/placebo-red/iam.ListAttachedRolePolicies_1.json b/..._support_role_created_to_manage_incidents/placebo-red/iam.ListAttachedRolePolicies_1.json
diff --git a/...ible/tests/ecc-aws-058-ensure_support_role_created_to_manage_incidents/red_policy_test.py b/...ible/tests/ecc-aws-058-ensure_support_role_created_to_manage_incidents/red_policy_test.py
diff --git a/...port_role_created_to_manage_incidents.yml → ...port_role_created_to_manage_incidents.yml b/...port_role_created_to_manage_incidents.yml → ...port_role_created_to_manage_incidents.yml
@@ -11,5 +11,9 @@ policies:
       Support role has not been created to manage incidents with AWS Support
     resource: aws.account
     filters:
-      - type: account-iam-role-light-filter
-        value: AWSSupportAccess
+      - type: missing
+        policy:
+          resource: aws.iam-role
+          filters:
+            - type: has-specific-managed-policy
+              value: AWSSupportAccess
diff --git a/terraform/ecc-aws-058-ensure_support_role_created_to_manage_incidents/iam/058-policy.json b/terraform/ecc-aws-058-ensure_support_role_created_to_manage_incidents/iam/058-policy.json
@@ -5,10 +5,11 @@
             "Effect": "Allow",
             "Action": [
                 "iam:ListRoles",
-                "iam:ListAttachedRolePolicies",
-                "iam:ListAccountAliases"
+                "iam:ListAccountAliases",
+                "iam:GetRole",
+                "iam:ListAttachedRolePolicies"
             ],
             "Resource": "*"
         }
     ]
-}
+}
diff --git a/...-aws-058-ensure_support_role_created_to_manage_incidents/placebo-green/iam.GetRole_1.json b/...-aws-058-ensure_support_role_created_to_manage_incidents/placebo-green/iam.GetRole_1.json
@@ -0,0 +1,31 @@
+{
+    "status_code": 200,
+    "data": {
+        "Role": {
+            "Path": "/",
+            "RoleName": "058_role_green",
+            "RoleId": "AROAXPHGII4ACAVF4JECQ",
+            "Arn": "arn:aws:iam::111111111111:role/058_role_green",
+            "CreateDate": {
+                "__class__": "datetime",
+                "year": 2024,
+                "month": 9,
+                "day": 23,
+                "hour": 18,
+                "minute": 49,
+                "second": 31,
+                "microsecond": 0
+            },
+            "AssumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service%22%3A%22cloudtrail.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D",
+            "MaxSessionDuration": 3600,
+            "Tags": [
+                {
+                    "Key": "ComplianceStatus",
+                    "Value": "Green"
+                }
+            ],
+            "RoleLastUsed": {}
+        },
+        "ResponseMetadata": {}
+    }
+}
diff --git a/...acebo-green/iam.ListAccountAliases_1.json → ...acebo-green/iam.ListAccountAliases_1.json b/...acebo-green/iam.ListAccountAliases_1.json → ...acebo-green/iam.ListAccountAliases_1.json
@@ -2,7 +2,7 @@
     "status_code": 200,
     "data": {
         "AccountAliases": [
-            "epmcsec-lab10"
+            "test"
         ],
         "IsTruncated": false,
         "ResponseMetadata": {}

diff --git a/...green/iam.ListAttachedRolePolicies_1.json → ...green/iam.ListAttachedRolePolicies_1.json b/...green/iam.ListAttachedRolePolicies_1.json → ...green/iam.ListAttachedRolePolicies_1.json
diff --git a/...idents/placebo-green/iam.ListRoles_1.json → ...idents/placebo-green/iam.ListRoles_1.json b/...idents/placebo-green/iam.ListRoles_1.json → ...idents/placebo-green/iam.ListRoles_1.json
@@ -1,27 +1,27 @@
-{
-    "status_code": 200,
-    "data": {
-        "Roles": [
-            {
-                "Path": "/",
-                "RoleName": "058_role_green",
-                "RoleId": "AROAXPHGII4AIEXNYHONO",
-                "Arn": "arn:aws:iam::644160558196:role/058_role_green",
-                "CreateDate": {
-                    "__class__": "datetime",
-                    "year": 2022,
-                    "month": 2,
-                    "day": 15,
-                    "hour": 8,
-                    "minute": 10,
-                    "second": 18,
-                    "microsecond": 0
-                },
-                "AssumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22AWS%22%3A%22arn%3Aaws%3Aiam%3A%3A513731479296%3Aroot%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D",
-                "MaxSessionDuration": 3600
-            }
-        ],
-        "IsTruncated": false,
-        "ResponseMetadata": {}
-    }
+{
+    "status_code": 200,
+    "data": {
+        "Roles": [
+            {
+                "Path": "/",
+                "RoleName": "058_role_green",
+                "RoleId": "AROAXPHGII4ACAVF4JECQ",
+                "Arn": "arn:aws:iam::111111111111:role/058_role_green",
+                "CreateDate": {
+                    "__class__": "datetime",
+                    "year": 2024,
+                    "month": 9,
+                    "day": 23,
+                    "hour": 18,
+                    "minute": 49,
+                    "second": 31,
+                    "microsecond": 0
+                },
+                "AssumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service%22%3A%22cloudtrail.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D",
+                "MaxSessionDuration": 3600
+            }
+        ],
+        "IsTruncated": false,
+        "ResponseMetadata": {}
+    }
 }
diff --git a/...cc-aws-058-ensure_support_role_created_to_manage_incidents/placebo-red/iam.GetRole_1.json b/...cc-aws-058-ensure_support_role_created_to_manage_incidents/placebo-red/iam.GetRole_1.json
@@ -0,0 +1,35 @@
+{
+    "status_code": 200,
+    "data": {
+        "Role": {
+            "Path": "/",
+            "RoleName": "058_role_red",
+            "RoleId": "AROAXPHGII4AMILI3XT3L",
+            "Arn": "arn:aws:iam::111111111111:role/058_role_red",
+            "CreateDate": {
+                "__class__": "datetime",
+                "year": 2024,
+                "month": 9,
+                "day": 23,
+                "hour": 18,
+                "minute": 53,
+                "second": 12,
+                "microsecond": 0
+            },
+            "AssumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Sid%22%3A%22%22%2C%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22AWS%22%3A%22arn%3Aaws%3Aiam%3A%3A876320341958%3Aroot%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D",
+            "MaxSessionDuration": 3600,
+            "Tags": [
+                {
+                    "Key": "ComplianceStatus",
+                    "Value": "Red"
+                },
+                {
+                    "Key": "CustodianRule",
+                    "Value": "ecc-aws-058-ensure_support_role_created_to_manage_incidents"
+                }
+            ],
+            "RoleLastUsed": {}
+        },
+        "ResponseMetadata": {}
+    }
+}
diff --git a/...placebo-red/iam.ListAccountAliases_1.json → ...placebo-red/iam.ListAccountAliases_1.json b/...placebo-red/iam.ListAccountAliases_1.json → ...placebo-red/iam.ListAccountAliases_1.json
@@ -2,7 +2,7 @@
     "status_code": 200,
     "data": {
         "AccountAliases": [
-            "epmcsec-lab10"
+            "test"
         ],
         "IsTruncated": false,
         "ResponseMetadata": {}

diff --git a/..._support_role_created_to_manage_incidents/placebo-red/iam.ListAttachedRolePolicies_1.json b/..._support_role_created_to_manage_incidents/placebo-red/iam.ListAttachedRolePolicies_1.json
@@ -0,0 +1,17 @@
+{
+    "status_code": 200,
+    "data": {
+        "AttachedPolicies": [
+            {
+                "PolicyName": "AmazonSSMManagedInstanceCore",
+                "PolicyArn": "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+            },
+            {
+                "PolicyName": "AmazonSSMPatchAssociation",
+                "PolicyArn": "arn:aws:iam::aws:policy/AmazonSSMPatchAssociation"
+            }
+        ],
+        "IsTruncated": false,
+        "ResponseMetadata": {}
+    }
+}
diff --git a/...ncidents/placebo-red/iam.ListRoles_1.json → ...ncidents/placebo-red/iam.ListRoles_1.json b/...ncidents/placebo-red/iam.ListRoles_1.json → ...ncidents/placebo-red/iam.ListRoles_1.json
@@ -1,27 +1,27 @@
-{
-    "status_code": 200,
-    "data": {
-        "Roles": [
-            {
-                "Path": "/",
-                "RoleName": "058_role_red",
-                "RoleId": "AROAXPHGII4ACZPPSRNFM",
-                "Arn": "arn:aws:iam::644160558196:role/058_role_red",
-                "CreateDate": {
-                    "__class__": "datetime",
-                    "year": 2022,
-                    "month": 2,
-                    "day": 15,
-                    "hour": 8,
-                    "minute": 0,
-                    "second": 7,
-                    "microsecond": 0
-                },
-                "AssumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Sid%22%3A%22%22%2C%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22AWS%22%3A%22arn%3Aaws%3Aiam%3A%3A513731479296%3Aroot%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D",
-                "MaxSessionDuration": 3600
-            }
-        ],
-        "IsTruncated": false,
-        "ResponseMetadata": {}
-    }
+{
+    "status_code": 200,
+    "data": {
+        "Roles": [
+            {
+                "Path": "/",
+                "RoleName": "058_role_red",
+                "RoleId": "AROAXPHGII4AMILI3XT3L",
+                "Arn": "arn:aws:iam::111111111111:role/058_role_red",
+                "CreateDate": {
+                    "__class__": "datetime",
+                    "year": 2024,
+                    "month": 9,
+                    "day": 23,
+                    "hour": 18,
+                    "minute": 53,
+                    "second": 12,
+                    "microsecond": 0
+                },
+                "AssumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Sid%22%3A%22%22%2C%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22AWS%22%3A%22arn%3Aaws%3Aiam%3A%3A876320341958%3Aroot%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D",
+                "MaxSessionDuration": 3600
+            }
+        ],
+        "IsTruncated": false,
+        "ResponseMetadata": {}
+    }
 }
diff --git a/tests/ecc-aws-058-ensure_support_role_created_to_manage_incidents/red_policy_test.py b/tests/ecc-aws-058-ensure_support_role_created_to_manage_incidents/red_policy_test.py
@@ -0,0 +1,6 @@
+class PolicyTest(object):
+
+    def test_resources_with_client(self, base_test, resources, local_session):
+        base_test.assertEqual(len(resources), 1)
+        iam = local_session.client("iam").list_attached_role_policies(RoleName = "058_role_red")
+        base_test.assertNotIn("arn:aws:iam::aws:policy/AWSSupportAccess" ,iam["AttachedPolicies"][0]["PolicyArn"])