From f17b5704f61cc0107b3ff86a8327f15a8f7fcc94 Mon Sep 17 00:00:00 2001 
From: Anna Shcherbak Date: Wed, 5 Jul 2023 13:56:18 +0300 Subject: [PATCH] new_rules_from_sprint --- iam/All-permissions.json | 3 + ...ser_for_administrative_and_daily_tasks.yml | 25 +++--- ...-aws-914-waf_regional_webacl_not_empty.yml | 16 ++++ ...c-aws-964-glue_job_autoscaling_enabled.yml | 20 +++++ ...cc-aws-968-cloudtrail_delivery_failing.yml | 16 ++++ ...function_state_machine_logging_enabled.yml | 16 ++++ .../green/provider.tf | 20 +++++ .../green/terraform.tfvars | 2 + .../green/variables.tf | 9 +++ .../green/waf.tf | 81 +++++++++++++++++++ .../iam/914-policy.json | 15 ++++ .../red/provider.tf | 20 +++++ .../red/terraform.tfvars | 2 + .../red/variables.tf | 9 +++ .../red/waf.tf | 8 ++ .../green/glue.tf | 11 +++ .../green/iam.tf | 40 +++++++++ .../green/provider.tf | 20 +++++ .../green/s3.tf | 21 +++++ .../green/script.py | 44 ++++++++++ .../green/terraform.tfvars | 2 + .../green/variables.tf | 9 +++ .../iam/964-policy.json | 14 ++++ .../red/glue.tf | 9 +++ .../red/iam.tf | 40 +++++++++ .../red/provider.tf | 20 +++++ .../red/s3.tf | 21 +++++ .../red/script.py | 44 ++++++++++ .../red/terraform.tfvars | 2 + .../red/variables.tf | 9 +++ .../green/cloudtrail.tf | 16 ++++ .../green/iam.tf | 31 +++++++ .../green/provider.tf | 20 +++++ .../green/s3.tf | 10 +++ .../green/terraform.tfvars | 2 + .../green/variables.tf | 9 +++ .../iam/968-policy.json | 14 ++++ .../red/cloudtrail.tf | 12 +++ .../red/iam.tf | 58 +++++++++++++ .../red/provider.tf | 20 +++++ .../red/s3.tf | 20 +++++ .../red/terraform.tfvars | 2 + .../red/variables.tf | 9 +++ .../green/cloudwatch.tf | 3 + .../green/iam.tf | 73 +++++++++++++++++ .../green/lambda.tf | 14 ++++ .../green/provider.tf | 20 +++++ .../green/stepfunction.tf | 24 ++++++ .../green/terraform.tfvars | 2 + .../green/variables.tf | 9 +++ .../green/welcome.py | 25 ++++++ .../iam/969-policy.json | 14 ++++ .../red/cloudwatch.tf | 3 + .../red/iam.tf | 73 +++++++++++++++++ .../red/lambda.tf | 14 ++++ .../red/provider.tf | 20 +++++ 
.../red/stepfunction.tf | 18 +++++ .../red/terraform.tfvars | 2 + .../red/variables.tf | 9 +++ .../red/welcome.py | 25 ++++++ .../green_policy_test.py | 7 ++ .../iam.GetCredentialReport_1.json | 14 ++-- .../iam.ListAccountAliases_1.json | 4 +- .../iam.GenerateCredentialReport_1.json | 8 -- .../iam.GetCredentialReport_1.json | 12 +-- .../placebo-red/iam.ListAccountAliases_1.json | 4 +- .../red_policy_test.py | 12 ++- .../placebo-green/tagging.GetResources_1.json | 35 ++++++++ .../waf-regional.GetWebACL_1.json | 25 ++++++ .../waf-regional.GetWebACL_2.json | 25 ++++++ .../waf-regional.ListWebACLs_1.json | 17 ++++ .../placebo-red/tagging.GetResources_1.json | 22 +++++ .../placebo-red/waf-regional.GetWebACL_1.json | 16 ++++ .../waf-regional.ListWebACLs_1.json | 13 +++ .../red_policy_test.py | 5 ++ .../placebo-green/glue.GetJobs_1.json | 50 ++++++++++++ .../placebo-green/tagging.GetResources_1.json | 22 +++++ .../placebo-red/glue.GetJobs_1.json | 47 +++++++++++ .../placebo-red/tagging.GetResources_1.json | 22 +++++ .../red_policy_test.py | 5 ++ .../cloudtrail.DescribeTrails_1.json | 21 +++++ .../cloudtrail.GetTrailStatus_1.json | 23 ++++++ .../placebo-green/tagging.GetResources_1.json | 22 +++++ .../cloudtrail.DescribeTrails_1.json | 21 +++++ .../cloudtrail.GetTrailStatus_1.json | 34 ++++++++ .../placebo-red/tagging.GetResources_1.json | 22 +++++ .../red_policy_test.py | 5 ++ .../states.DescribeStateMachine_1.json | 36 +++++++++ .../states.ListStateMachines_1.json | 23 ++++++ .../placebo-green/tagging.GetResources_1.json | 22 +++++ .../states.DescribeStateMachine_1.json | 36 +++++++++ .../states.ListStateMachines_1.json | 23 ++++++ .../placebo-red/tagging.GetResources_1.json | 22 +++++ .../red_policy_test.py | 5 ++ 94 files changed, 1774 insertions(+), 45 deletions(-) create mode 100644 policies/ecc-aws-914-waf_regional_webacl_not_empty.yml create mode 100644 policies/ecc-aws-964-glue_job_autoscaling_enabled.yml create mode 100644 
policies/ecc-aws-968-cloudtrail_delivery_failing.yml create mode 100644 policies/ecc-aws-969-step_function_state_machine_logging_enabled.yml create mode 100644 terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/provider.tf create mode 100644 terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/terraform.tfvars create mode 100644 terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/variables.tf create mode 100644 terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/waf.tf create mode 100644 terraform/ecc-aws-914-waf_regional_webacl_not_empty/iam/914-policy.json create mode 100644 terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/provider.tf create mode 100644 terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/terraform.tfvars create mode 100644 terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/variables.tf create mode 100644 terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/waf.tf create mode 100644 terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/glue.tf create mode 100644 terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/iam.tf create mode 100644 terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/provider.tf create mode 100644 terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/s3.tf create mode 100644 terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/script.py create mode 100644 terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/terraform.tfvars create mode 100644 terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/variables.tf create mode 100644 terraform/ecc-aws-964-glue_job_autoscaling_enabled/iam/964-policy.json create mode 100644 terraform/ecc-aws-964-glue_job_autoscaling_enabled/red/glue.tf create mode 100644 terraform/ecc-aws-964-glue_job_autoscaling_enabled/red/iam.tf create mode 100644 terraform/ecc-aws-964-glue_job_autoscaling_enabled/red/provider.tf create mode 100644 terraform/ecc-aws-964-glue_job_autoscaling_enabled/red/s3.tf create mode 100644 
terraform/ecc-aws-964-glue_job_autoscaling_enabled/red/script.py create mode 100644 terraform/ecc-aws-964-glue_job_autoscaling_enabled/red/terraform.tfvars create mode 100644 terraform/ecc-aws-964-glue_job_autoscaling_enabled/red/variables.tf create mode 100644 terraform/ecc-aws-968-cloudtrail_delivery_failing/green/cloudtrail.tf create mode 100644 terraform/ecc-aws-968-cloudtrail_delivery_failing/green/iam.tf create mode 100644 terraform/ecc-aws-968-cloudtrail_delivery_failing/green/provider.tf create mode 100644 terraform/ecc-aws-968-cloudtrail_delivery_failing/green/s3.tf create mode 100644 terraform/ecc-aws-968-cloudtrail_delivery_failing/green/terraform.tfvars create mode 100644 terraform/ecc-aws-968-cloudtrail_delivery_failing/green/variables.tf create mode 100644 terraform/ecc-aws-968-cloudtrail_delivery_failing/iam/968-policy.json create mode 100644 terraform/ecc-aws-968-cloudtrail_delivery_failing/red/cloudtrail.tf create mode 100644 terraform/ecc-aws-968-cloudtrail_delivery_failing/red/iam.tf create mode 100644 terraform/ecc-aws-968-cloudtrail_delivery_failing/red/provider.tf create mode 100644 terraform/ecc-aws-968-cloudtrail_delivery_failing/red/s3.tf create mode 100644 terraform/ecc-aws-968-cloudtrail_delivery_failing/red/terraform.tfvars create mode 100644 terraform/ecc-aws-968-cloudtrail_delivery_failing/red/variables.tf create mode 100644 terraform/ecc-aws-969-step_function_state_machine_logging_enabled/green/cloudwatch.tf create mode 100644 terraform/ecc-aws-969-step_function_state_machine_logging_enabled/green/iam.tf create mode 100644 terraform/ecc-aws-969-step_function_state_machine_logging_enabled/green/lambda.tf create mode 100644 terraform/ecc-aws-969-step_function_state_machine_logging_enabled/green/provider.tf create mode 100644 terraform/ecc-aws-969-step_function_state_machine_logging_enabled/green/stepfunction.tf create mode 100644 terraform/ecc-aws-969-step_function_state_machine_logging_enabled/green/terraform.tfvars create mode 100644 
terraform/ecc-aws-969-step_function_state_machine_logging_enabled/green/variables.tf create mode 100644 terraform/ecc-aws-969-step_function_state_machine_logging_enabled/green/welcome.py create mode 100644 terraform/ecc-aws-969-step_function_state_machine_logging_enabled/iam/969-policy.json create mode 100644 terraform/ecc-aws-969-step_function_state_machine_logging_enabled/red/cloudwatch.tf create mode 100644 terraform/ecc-aws-969-step_function_state_machine_logging_enabled/red/iam.tf create mode 100644 terraform/ecc-aws-969-step_function_state_machine_logging_enabled/red/lambda.tf create mode 100644 terraform/ecc-aws-969-step_function_state_machine_logging_enabled/red/provider.tf create mode 100644 terraform/ecc-aws-969-step_function_state_machine_logging_enabled/red/stepfunction.tf create mode 100644 terraform/ecc-aws-969-step_function_state_machine_logging_enabled/red/terraform.tfvars create mode 100644 terraform/ecc-aws-969-step_function_state_machine_logging_enabled/red/variables.tf create mode 100644 terraform/ecc-aws-969-step_function_state_machine_logging_enabled/red/welcome.py create mode 100644 tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/green_policy_test.py delete mode 100644 tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/placebo-red/iam.GenerateCredentialReport_1.json create mode 100644 tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-green/tagging.GetResources_1.json create mode 100644 tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-green/waf-regional.GetWebACL_1.json create mode 100644 tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-green/waf-regional.GetWebACL_2.json create mode 100644 tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-green/waf-regional.ListWebACLs_1.json create mode 100644 tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-red/tagging.GetResources_1.json create mode 100644 
tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-red/waf-regional.GetWebACL_1.json create mode 100644 tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-red/waf-regional.ListWebACLs_1.json create mode 100644 tests/ecc-aws-914-waf_regional_webacl_not_empty/red_policy_test.py create mode 100644 tests/ecc-aws-964-glue_job_autoscaling_enabled/placebo-green/glue.GetJobs_1.json create mode 100644 tests/ecc-aws-964-glue_job_autoscaling_enabled/placebo-green/tagging.GetResources_1.json create mode 100644 tests/ecc-aws-964-glue_job_autoscaling_enabled/placebo-red/glue.GetJobs_1.json create mode 100644 tests/ecc-aws-964-glue_job_autoscaling_enabled/placebo-red/tagging.GetResources_1.json create mode 100644 tests/ecc-aws-964-glue_job_autoscaling_enabled/red_policy_test.py create mode 100644 tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-green/cloudtrail.DescribeTrails_1.json create mode 100644 tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-green/cloudtrail.GetTrailStatus_1.json create mode 100644 tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-green/tagging.GetResources_1.json create mode 100644 tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-red/cloudtrail.DescribeTrails_1.json create mode 100644 tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-red/cloudtrail.GetTrailStatus_1.json create mode 100644 tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-red/tagging.GetResources_1.json create mode 100644 tests/ecc-aws-968-cloudtrail_delivery_failing/red_policy_test.py create mode 100644 tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-green/states.DescribeStateMachine_1.json create mode 100644 tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-green/states.ListStateMachines_1.json create mode 100644 tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-green/tagging.GetResources_1.json create mode 100644 
tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-red/states.DescribeStateMachine_1.json create mode 100644 tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-red/states.ListStateMachines_1.json create mode 100644 tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-red/tagging.GetResources_1.json create mode 100644 tests/ecc-aws-969-step_function_state_machine_logging_enabled/red_policy_test.py diff --git a/iam/All-permissions.json b/iam/All-permissions.json index c17ab59a6..fcf35dd1e 100644 --- a/iam/All-permissions.json +++ b/iam/All-permissions.json @@ -199,10 +199,13 @@ "sqs:ListQueues", "ssm:DescribeInstanceInformation", "ssm:ListResourceComplianceSummaries", + "states:DescribeStateMachine", + "states:ListStateMachine", "tag:GetResources", "tagging:GetResources", "waf-regional:ListResourcesForWebACL", "waf-regional:ListWebACLs", + "waf-regional:GetWebACL", "waf:GetWebACL", "waf:ListWebACLs", "workspaces:DescribeWorkspaceDirectories", diff --git a/policies/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks.yml b/policies/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks.yml index 0d26d1769..3489f83ad 100644 --- a/policies/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks.yml +++ b/policies/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks.yml 
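Review bot: `"states:ListStateMachine"` is not the IAM action name; the Step Functions API call and the placebo fixtures this commit adds (`states.ListStateMachines_1.json`) use `ListStateMachines`, so a role built from this file would be denied the list call the new 969 rule needs: `"states:ListStateMachines",`. The inserted `"waf-regional:GetWebACL"` also breaks the alphabetical order the rest of the file keeps; it belongs before `"waf-regional:ListResourcesForWebACL"`. The same spelling is presumably used in `iam/969-policy.json`, whose hunk is not visible here and should be checked as well.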
@@ -12,18 +12,13 @@ policies: Root user is used for administrative and daily tasks filters: - or: - - and: - - type: credential - key: access_keys.active - value: true - - type: credential - key: access_keys.last_used_date - value: present - - - and: - - type: credential - key: password_enabled - value: true - - type: credential - key: password_last_used - value: present \ No newline at end of file + - type: credential + key: password_last_used + op: less-than + value_type: age + value: 90 + - type: credential + key: access_keys.last_used_date + op: less-than + value_type: age + value: 90 \ No newline at end of file diff --git a/policies/ecc-aws-914-waf_regional_webacl_not_empty.yml b/policies/ecc-aws-914-waf_regional_webacl_not_empty.yml new file mode 100644 index 000000000..ccd6b59e9 --- /dev/null +++ b/policies/ecc-aws-914-waf_regional_webacl_not_empty.yml @@ -0,0 +1,16 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-914-waf_regional_webacl_not_empty + description: | + A WAF Classic Regional web ACL does not have at least one rule or rule group + resource: aws.waf-regional + filters: + - type: value + key: Rules + value: empty \ No newline at end of file diff --git a/policies/ecc-aws-964-glue_job_autoscaling_enabled.yml b/policies/ecc-aws-964-glue_job_autoscaling_enabled.yml new file mode 100644 index 000000000..20d3c88ee --- /dev/null +++ b/policies/ecc-aws-964-glue_job_autoscaling_enabled.yml 
@@ -0,0 +1,20 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-964-glue_job_autoscaling_enabled + description: | + Amazon Glue Job with disabled autoscaling + resource: aws.glue-job + filters: + - or: + - type: value + key: DefaultArguments."--enable-auto-scaling" + value: absent + - type: value + key: DefaultArguments."--enable-auto-scaling" + value: "false" \ No newline at end of file diff --git a/policies/ecc-aws-968-cloudtrail_delivery_failing.yml b/policies/ecc-aws-968-cloudtrail_delivery_failing.yml new file mode 100644 index 000000000..fbb926889 --- /dev/null +++ b/policies/ecc-aws-968-cloudtrail_delivery_failing.yml @@ -0,0 +1,16 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-968-cloudtrail_delivery_failing + description: | + CloudTrail logs delivery failing + resource: aws.cloudtrail + filters: + - type: status + key: LatestDeliveryError + value: present \ No newline at end of file diff --git a/policies/ecc-aws-969-step_function_state_machine_logging_enabled.yml b/policies/ecc-aws-969-step_function_state_machine_logging_enabled.yml new file mode 100644 index 000000000..68ad71af7 --- /dev/null +++ b/policies/ecc-aws-969-step_function_state_machine_logging_enabled.yml 
@@ -0,0 +1,16 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-969-step_function_state_machine_logging_enabled + description: | + AWS Step Function State Machine logging is disabled + resource: aws.step-machine + filters: + - type: value + key: loggingConfiguration.level + value: 'OFF' diff --git a/terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/provider.tf b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/provider.tf new file mode 100644 index 000000000..aa5b5122c --- /dev/null +++ b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/provider.tf @@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4" + } + } +} + +provider "aws" { + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-914-waf_regional_webacl_not_empty" + ComplianceStatus = "Green" + } + } +} diff --git a/terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/terraform.tfvars b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/terraform.tfvars new file mode 100644 index 000000000..e1e2d2fa8 --- /dev/null +++ b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/terraform.tfvars @@ -0,0 +1,2 @@ +profile = "c7n" +default-region = "us-east-1" diff --git a/terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/variables.tf b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/variables.tf new file mode 100644 index 000000000..c8b410c24 --- /dev/null +++ b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/variables.tf 
@@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} diff --git a/terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/waf.tf b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/waf.tf new file mode 100644 index 000000000..2b8abc1d3 --- /dev/null +++ b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/waf.tf @@ -0,0 +1,81 @@ +resource "aws_wafregional_ipset" "this" { + name = "914_ipset_green" + + ip_set_descriptor { + type = "IPV4" + value = "1.1.1.0/24" + } +} + +resource "aws_wafregional_rule" "this" { + name = "914_waf_rule_green" + metric_name = "914WafRuleMetricGreen" + + predicate { + data_id = aws_wafregional_ipset.this.id + negated = false + type = "IPMatch" + } + depends_on = [aws_wafregional_ipset.this] +} + +resource "aws_wafregional_rule_group" "this" { + name = "914_waf_rule_group_green" + metric_name = "914WafRuleGroupMetricGreen" + + activated_rule { + action { + type = "ALLOW" + } + + priority = 1 + rule_id = aws_wafregional_rule.this.id + } +} + +resource "aws_wafregional_web_acl" "this" { + name = "914_webacl_green" + metric_name = "914WebaclMetricGreen" + + default_action { + type = "ALLOW" + } + + rule { + override_action { + type = "NONE" + } + priority = 1 + rule_id = aws_wafregional_rule_group.this.id + type = "GROUP" + } + + depends_on = [ + aws_wafregional_ipset.this, + aws_wafregional_rule_group.this, + ] +} + +resource "aws_wafregional_web_acl" "this2" { + name = "914_webacl_green2" + metric_name = "914WebaclMetricGreen2" + + default_action { + type = "ALLOW" + } + + rule { + action { + type = "ALLOW" + } + + priority = 1 + rule_id = aws_wafregional_rule.this.id + type = "REGULAR" + } + + depends_on = [ + aws_wafregional_ipset.this, + aws_wafregional_rule.this, + ] +} \ No newline at end of file 
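Review bot: The `aws_wafregional_ipset.this` descriptor matches `1.1.1.0/24`, a live public range, and the rule built on it allows that traffic; a test fixture should use the RFC 5737 documentation block instead, `value = "192.0.2.0/24"`, so the deployed ACL never names a real operator's addresses. The explicit `depends_on` lists on `aws_wafregional_rule.this` and both web ACLs repeat dependencies Terraform already derives from the `data_id`/`rule_id` references and can be dropped.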
diff --git a/terraform/ecc-aws-914-waf_regional_webacl_not_empty/iam/914-policy.json b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/iam/914-policy.json new file mode 100644 index 000000000..a99c2eb47 --- /dev/null +++ b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/iam/914-policy.json @@ -0,0 +1,15 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "VisualEditor0", + "Effect": "Allow", + "Action": [ + "waf-regional:ListWebACLs", + "waf-regional:GetWebACL", + "tag:GetResources" + ], + "Resource": "*" + } + ] +} \ No newline at end of file diff --git a/terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/provider.tf b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/provider.tf new file mode 100644 index 000000000..0a4204f32 --- /dev/null +++ b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/provider.tf @@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4" + } + } +} + +provider "aws" { + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-914-waf_regional_webacl_not_empty" + ComplianceStatus = "Red" + } + } +} diff --git a/terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/terraform.tfvars b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/terraform.tfvars new file mode 100644 index 000000000..e1e2d2fa8 --- /dev/null +++ b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/terraform.tfvars @@ -0,0 +1,2 @@ +profile = "c7n" +default-region = "us-east-1" diff --git a/terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/variables.tf b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/variables.tf new file mode 100644 index 000000000..c8b410c24 --- /dev/null +++ b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/variables.tf 
@@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} diff --git a/terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/waf.tf b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/waf.tf new file mode 100644 index 000000000..bad270330 --- /dev/null +++ b/terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/waf.tf @@ -0,0 +1,8 @@ +resource "aws_wafregional_web_acl" "this" { + name = "914_webacl_red" + metric_name = "914WebaclMetricRed" + + default_action { + type = "ALLOW" + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/glue.tf b/terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/glue.tf new file mode 100644 index 000000000..05ea4dc34 --- /dev/null +++ b/terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/glue.tf @@ -0,0 +1,11 @@ +resource "aws_glue_job" "this" { + name = "964_glue_job_green" + role_arn = aws_iam_role.this.arn + glue_version = "4.0" + default_arguments = { + "--enable-auto-scaling" = "true" + } + command { + script_location = "s3://${aws_s3_bucket.this.bucket}/script" + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/iam.tf b/terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/iam.tf new file mode 100644 index 000000000..64041b567 --- /dev/null +++ b/terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/iam.tf 
@@ -0,0 +1,40 @@ +resource "aws_iam_role" "this" { + name = "964_role_green" + assume_role_policy = <,arn:aws:iam::121212121212:root,2020-12-01T10:46:12+00:00,not_supported,no_information,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A", + "Content": "user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n,arn:aws:iam::111111111111:root,2023-04-23T15:30:12+00:00,not_supported,2023-02-19T14:32:56+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A", "ReportFormat": "text/csv", "GeneratedTime": { "__class__": "datetime", - "year": 2021, - "month": 5, - "day": 6, - "hour": 11, - "minute": 28, - "second": 55, + "year": 2023, + "month": 6, + "day": 22, + "hour": 7, + "minute": 3, + "second": 33, "microsecond": 0 }, "ResponseMetadata": {} diff --git a/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/placebo-green/iam.ListAccountAliases_1.json b/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/placebo-green/iam.ListAccountAliases_1.json index 3b408e3eb..384ece3f3 100644 --- a/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/placebo-green/iam.ListAccountAliases_1.json +++ b/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/placebo-green/iam.ListAccountAliases_1.json @@ -1,9 +1,7 @@ { "status_code": 200, "data": { - "AccountAliases": [ - "test" - ], + "AccountAliases": [], "IsTruncated": false, "ResponseMetadata": {} } 
diff --git a/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/placebo-red/iam.GenerateCredentialReport_1.json b/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/placebo-red/iam.GenerateCredentialReport_1.json deleted file mode 100644 index 9abcdb973..000000000 --- a/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/placebo-red/iam.GenerateCredentialReport_1.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "status_code": 200, - "data": { - "State": "STARTED", - "Description": "No report exists. Starting a new report generation task", - "ResponseMetadata": {} - } -} \ No newline at end of file diff --git a/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/placebo-red/iam.GetCredentialReport_1.json b/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/placebo-red/iam.GetCredentialReport_1.json index f271656f9..d7a104f5b 100644 --- a/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/placebo-red/iam.GetCredentialReport_1.json +++ b/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/placebo-red/iam.GetCredentialReport_1.json 
@@ -1,16 +1,16 @@ { "status_code": 200, "data": { - "Content": "user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n,arn:aws:iam::121212121212:root,2020-12-01T10:46:12+00:00,true,2020-12-01T10:46:12+00:00,true,true,true,true,2020-12-01T10:46:12+00:00,2020-12-01T10:46:12+00:00,2020-12-01T10:46:12+00:00,2020-12-01T10:46:12+00:00,true,2020-12-01T10:46:12+00:00,2020-12-01T10:46:12+00:00,2020-12-01T10:46:12+00:00,2020-12-01T10:46:12+00:00,true,2020-12-01T10:46:12+00:00,true,2020-12-01T10:46:12+00:00", + "Content": "user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n,arn:aws:iam::111111111111:root,2023-04-23T15:30:12+00:00,not_supported,2023-06-22T07:09:05+00:00,not_supported,not_supported,true,true,2023-06-22T07:09:28+00:00,2023-06-22T08:21:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A", "ReportFormat": "text/csv", "GeneratedTime": { "__class__": "datetime", - "year": 2021, - "month": 5, - "day": 6, + "year": 2023, + "month": 6, + "day": 22, "hour": 11, - "minute": 28, - "second": 55, + "minute": 18, + "second": 28, "microsecond": 0 }, "ResponseMetadata": {} 
diff --git a/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/placebo-red/iam.ListAccountAliases_1.json b/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/placebo-red/iam.ListAccountAliases_1.json index 3b408e3eb..384ece3f3 100644 --- a/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/placebo-red/iam.ListAccountAliases_1.json +++ b/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/placebo-red/iam.ListAccountAliases_1.json @@ -1,9 +1,7 @@ { "status_code": 200, "data": { - "AccountAliases": [ - "test" - ], + "AccountAliases": [], "IsTruncated": false, "ResponseMetadata": {} } diff --git a/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/red_policy_test.py b/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/red_policy_test.py index bdd605b12..54d643350 100644 --- a/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/red_policy_test.py +++ b/tests/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks/red_policy_test.py @@ -1,8 +1,14 @@ +import datetime + class PolicyTest(object): + def mock_time(self): + return 2023, 6, 21 + def test_resources(self, base_test, resources): base_test.assertEqual(len(resources), 1) - base_test.assertTrue(resources[0]['c7n:credential-report']['access_keys'][0]['last_used_date']) - base_test.assertTrue(resources[0]['c7n:credential-report']['password_last_used']) - + passwordLastUsed=datetime.datetime.fromisoformat(str(resources[0]['c7n:credential-report']['password_last_used'])) + time_now = datetime.datetime.fromisoformat(datetime.datetime.utcnow().replace(microsecond=0).replace(tzinfo=datetime.timezone.utc).isoformat()) + delta = time_now - passwordLastUsed + base_test.assertTrue(delta.days<90) \ No newline at end of file 
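Review bot: `time_now` in `test_resources` is taken from the real clock via `datetime.datetime.utcnow()`, while `mock_time` freezes the run at 2023-06-21, so the `delta.days<90` assertion only holds for 90 days after the fixture's `password_last_used` (2023-06-22T07:09:05) and then fails on every run. Presumably the harness uses `mock_time` to freeze the policy evaluation, so the reference should come from the same date: `time_now = datetime.datetime(*self.mock_time(), tzinfo=datetime.timezone.utc)`, which also removes the `isoformat`/`fromisoformat` round trip and the `utcnow()` call that is deprecated from Python 3.12. The `str(...)` wrapped around `password_last_used` suggests the value may already be a datetime rather than a string; confirm what c7n returns there, since `fromisoformat(str(...))` masks a type change instead of asserting it. `passwordLastUsed` should be `password_last_used` to match the file's snake_case.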
diff --git a/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-green/tagging.GetResources_1.json b/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-green/tagging.GetResources_1.json new file mode 100644 index 000000000..8ba2a1efa --- /dev/null +++ b/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-green/tagging.GetResources_1.json @@ -0,0 +1,35 @@ +{ + "status_code": 200, + "data": { + "PaginationToken": "", + "ResourceTagMappingList": [ + { + "ResourceARN": "arn:aws:waf-regional:us-east-1:111111111111:webacl/e1401f68-27a8-4fef-beef-f7f523032c17", + "Tags": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-914-waf_regional_webacl_not_empty" + }, + { + "Key": "ComplianceStatus", + "Value": "Green" + } + ] + }, + { + "ResourceARN": "arn:aws:waf-regional:us-east-1:111111111111:webacl/ede2d4c7-aacc-4b36-bfa1-7b0f673cfff1", + "Tags": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-914-waf_regional_webacl_not_empty" + }, + { + "Key": "ComplianceStatus", + "Value": "Green" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-green/waf-regional.GetWebACL_1.json b/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-green/waf-regional.GetWebACL_1.json new file mode 100644 index 000000000..be19b6631 --- /dev/null +++ b/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-green/waf-regional.GetWebACL_1.json 
@@ -0,0 +1,25 @@ +{ + "status_code": 200, + "data": { + "WebACL": { + "WebACLId": "e1401f68-27a8-4fef-beef-f7f523032c17", + "Name": "914_webacl_green2", + "MetricName": "914WebaclMetricGreen2", + "DefaultAction": { + "Type": "ALLOW" + }, + "Rules": [ + { + "Priority": 1, + "RuleId": "17f3ffa7-06b4-4765-8b48-e5a7559e7aae", + "Action": { + "Type": "ALLOW" + }, + "Type": "REGULAR" + } + ], + "WebACLArn": "arn:aws:waf-regional:us-east-1:111111111111:webacl/e1401f68-27a8-4fef-beef-f7f523032c17" + }, + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-green/waf-regional.GetWebACL_2.json b/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-green/waf-regional.GetWebACL_2.json new file mode 100644 index 000000000..5486ec47d --- /dev/null +++ b/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-green/waf-regional.GetWebACL_2.json @@ -0,0 +1,25 @@ +{ + "status_code": 200, + "data": { + "WebACL": { + "WebACLId": "ede2d4c7-aacc-4b36-bfa1-7b0f673cfff1", + "Name": "914_webacl_green", + "MetricName": "914WebaclMetricGreen", + "DefaultAction": { + "Type": "ALLOW" + }, + "Rules": [ + { + "Priority": 1, + "RuleId": "eefeff93-e6dc-4469-983c-26c961285ded", + "OverrideAction": { + "Type": "NONE" + }, + "Type": "GROUP" + } + ], + "WebACLArn": "arn:aws:waf-regional:us-east-1:111111111111:webacl/ede2d4c7-aacc-4b36-bfa1-7b0f673cfff1" + }, + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-green/waf-regional.ListWebACLs_1.json b/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-green/waf-regional.ListWebACLs_1.json new file mode 100644 index 000000000..bdbeda6d5 --- /dev/null +++ b/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-green/waf-regional.ListWebACLs_1.json 
@@ -0,0 +1,17 @@ +{ + "status_code": 200, + "data": { + "NextMarker": "ede2d4c7-aacc-4b36-bfa1-7b0f673cfff1", + "WebACLs": [ + { + "WebACLId": "e1401f68-27a8-4fef-beef-f7f523032c17", + "Name": "914_webacl_green2" + }, + { + "WebACLId": "ede2d4c7-aacc-4b36-bfa1-7b0f673cfff1", + "Name": "914_webacl_green" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-red/tagging.GetResources_1.json b/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-red/tagging.GetResources_1.json new file mode 100644 index 000000000..e111639cb --- /dev/null +++ b/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-red/tagging.GetResources_1.json @@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "PaginationToken": "", + "ResourceTagMappingList": [ + { + "ResourceARN": "arn:aws:waf-regional:us-east-1:111111111111:webacl/c43ed095-1a78-4a0e-9333-c3bdc5054736", + "Tags": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-914-waf_regional_webacl_not_empty" + }, + { + "Key": "ComplianceStatus", + "Value": "Red" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-red/waf-regional.GetWebACL_1.json b/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-red/waf-regional.GetWebACL_1.json new file mode 100644 index 000000000..a52332694 --- /dev/null +++ b/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-red/waf-regional.GetWebACL_1.json @@ -0,0 +1,16 @@ +{ + "status_code": 200, + "data": { + "WebACL": { + "WebACLId": "c43ed095-1a78-4a0e-9333-c3bdc5054736", + "Name": "914_webacl_red", + "MetricName": "914WebaclMetricRed", + "DefaultAction": { + "Type": "ALLOW" + }, + "Rules": [], + "WebACLArn": "arn:aws:waf-regional:us-east-1:111111111111:webacl/c43ed095-1a78-4a0e-9333-c3bdc5054736" + }, + "ResponseMetadata": {} + } +} \ No newline at end of file 
diff --git a/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-red/waf-regional.ListWebACLs_1.json b/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-red/waf-regional.ListWebACLs_1.json
new file mode 100644
index 000000000..ffa1c1a8c
--- /dev/null
+++ b/tests/ecc-aws-914-waf_regional_webacl_not_empty/placebo-red/waf-regional.ListWebACLs_1.json
@@ -0,0 +1,13 @@
+{
+ "status_code": 200,
+ "data": {
+ "NextMarker": "ede2d4c7-aacc-4b36-bfa1-7b0f673cfff1",
+ "WebACLs": [
+ {
+ "WebACLId": "c43ed095-1a78-4a0e-9333-c3bdc5054736",
+ "Name": "914_webacl_red"
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-914-waf_regional_webacl_not_empty/red_policy_test.py b/tests/ecc-aws-914-waf_regional_webacl_not_empty/red_policy_test.py
new file mode 100644
index 000000000..1d0ef2501
--- /dev/null
+++ b/tests/ecc-aws-914-waf_regional_webacl_not_empty/red_policy_test.py
@@ -0,0 +1,5 @@
+class PolicyTest(object):
+
+ def test_resources_with_client(self, base_test, resources, local_session):
+ base_test.assertEqual(len(resources), 1)
+ base_test.assertFalse(resources[0]['Rules'])
\ No newline at end of file
diff --git a/tests/ecc-aws-964-glue_job_autoscaling_enabled/placebo-green/glue.GetJobs_1.json b/tests/ecc-aws-964-glue_job_autoscaling_enabled/placebo-green/glue.GetJobs_1.json
new file mode 100644
index 000000000..1c0d01ebe
--- /dev/null
+++ b/tests/ecc-aws-964-glue_job_autoscaling_enabled/placebo-green/glue.GetJobs_1.json
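Review bot: `local_session` is accepted by test_resources_with_client but never used in the body, while the other tests added in this commit use the plain `test_resources(self, base_test, resources)` signature; unless the harness needs that fixture for this rule, drop it and use the same name for consistency. The assertion matches the recorded fixture (`"Rules": []`), but `assertFalse` would also pass if the key held `None` or `0`; `base_test.assertEqual(resources[0]['Rules'], [])` pins the empty-ACL case the rule is about. The file also ends without a trailing newline.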
@@ -0,0 +1,50 @@ +{ + "status_code": 200, + "data": { + "Jobs": [ + { + "Name": "964_glue_job_green", + "Role": "arn:aws:iam::111111111111:role/964_role_green", + "CreatedOn": { + "__class__": "datetime", + "year": 2023, + "month": 6, + "day": 23, + "hour": 11, + "minute": 44, + "second": 38, + "microsecond": 429000 + }, + "LastModifiedOn": { + "__class__": "datetime", + "year": 2023, + "month": 6, + "day": 23, + "hour": 12, + "minute": 11, + "second": 58, + "microsecond": 50000 + }, + "ExecutionProperty": { + "MaxConcurrentRuns": 1 + }, + "Command": { + "Name": "glueetl", + "ScriptLocation": "s3://bucket-964-green/script", + "PythonVersion": "2" + }, + "DefaultArguments": { + "--enable-auto-scaling": "true" + }, + "MaxRetries": 0, + "AllocatedCapacity": 10, + "Timeout": 2880, + "MaxCapacity": 10.0, + "WorkerType": "G.1X", + "NumberOfWorkers": 10, + "GlueVersion": "4.0" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-964-glue_job_autoscaling_enabled/placebo-green/tagging.GetResources_1.json b/tests/ecc-aws-964-glue_job_autoscaling_enabled/placebo-green/tagging.GetResources_1.json new file mode 100644 index 000000000..0e254deb4 --- /dev/null +++ b/tests/ecc-aws-964-glue_job_autoscaling_enabled/placebo-green/tagging.GetResources_1.json @@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "PaginationToken": "", + "ResourceTagMappingList": [ + { + "ResourceARN": "arn:aws:glue:us-east-1:111111111111:job/964_glue_job_green", + "Tags": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-964-glue_job_autoscaling_enabled" + }, + { + "Key": "ComplianceStatus", + "Value": "Green" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-964-glue_job_autoscaling_enabled/placebo-red/glue.GetJobs_1.json b/tests/ecc-aws-964-glue_job_autoscaling_enabled/placebo-red/glue.GetJobs_1.json new file mode 100644 index 000000000..416074160 --- /dev/null 
+++ b/tests/ecc-aws-964-glue_job_autoscaling_enabled/placebo-red/glue.GetJobs_1.json @@ -0,0 +1,47 @@ +{ + "status_code": 200, + "data": { + "Jobs": [ + { + "Name": "964_glue_job_red", + "Role": "arn:aws:iam::111111111111:role/964_role_red", + "CreatedOn": { + "__class__": "datetime", + "year": 2023, + "month": 6, + "day": 23, + "hour": 12, + "minute": 28, + "second": 17, + "microsecond": 387000 + }, + "LastModifiedOn": { + "__class__": "datetime", + "year": 2023, + "month": 6, + "day": 23, + "hour": 12, + "minute": 28, + "second": 17, + "microsecond": 387000 + }, + "ExecutionProperty": { + "MaxConcurrentRuns": 1 + }, + "Command": { + "Name": "glueetl", + "ScriptLocation": "s3://bucket-964-red/script", + "PythonVersion": "3" + }, + "MaxRetries": 0, + "AllocatedCapacity": 10, + "Timeout": 2880, + "MaxCapacity": 10.0, + "WorkerType": "G.1X", + "NumberOfWorkers": 10, + "GlueVersion": "4.0" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-964-glue_job_autoscaling_enabled/placebo-red/tagging.GetResources_1.json b/tests/ecc-aws-964-glue_job_autoscaling_enabled/placebo-red/tagging.GetResources_1.json new file mode 100644 index 000000000..6a13c1068 --- /dev/null +++ b/tests/ecc-aws-964-glue_job_autoscaling_enabled/placebo-red/tagging.GetResources_1.json @@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "PaginationToken": "", + "ResourceTagMappingList": [ + { + "ResourceARN": "arn:aws:glue:us-east-1:111111111111:job/964_glue_job_red", + "Tags": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-964-glue_job_autoscaling_enabled" + }, + { + "Key": "ComplianceStatus", + "Value": "Red" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-964-glue_job_autoscaling_enabled/red_policy_test.py b/tests/ecc-aws-964-glue_job_autoscaling_enabled/red_policy_test.py new file mode 100644 index 000000000..8927488a3 --- /dev/null 
+++ b/tests/ecc-aws-964-glue_job_autoscaling_enabled/red_policy_test.py
@@ -0,0 +1,5 @@
+class PolicyTest(object):
+
+ def test_resources(self, base_test, resources):
+ base_test.assertEqual(len(resources), 1)
+ base_test.assertNotIn('DefaultArguments."--enable-auto-scaling"', resources[0])
\ No newline at end of file
diff --git a/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-green/cloudtrail.DescribeTrails_1.json b/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-green/cloudtrail.DescribeTrails_1.json
new file mode 100644
index 000000000..ee637368e
--- /dev/null
+++ b/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-green/cloudtrail.DescribeTrails_1.json
@@ -0,0 +1,21 @@
+{
+ "status_code": 200,
+ "data": {
+ "trailList": [
+ {
+ "Name": "trail-968-green",
+ "S3BucketName": "bucket-968-green",
+ "S3KeyPrefix": "prefix_968_green",
+ "IncludeGlobalServiceEvents": false,
+ "IsMultiRegionTrail": false,
+ "HomeRegion": "us-east-1",
+ "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/trail-968-green",
+ "LogFileValidationEnabled": false,
+ "HasCustomEventSelectors": true,
+ "HasInsightSelectors": false,
+ "IsOrganizationTrail": false
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-green/cloudtrail.GetTrailStatus_1.json b/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-green/cloudtrail.GetTrailStatus_1.json
new file mode 100644
index 000000000..14e299857
--- /dev/null
+++ b/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-green/cloudtrail.GetTrailStatus_1.json
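Review bot: `assertNotIn('DefaultArguments."--enable-auto-scaling"', resources[0])` asks whether a literal top-level key spelled `DefaultArguments."--enable-auto-scaling"` exists in the resource dict; no Glue job resource carries such a key, so the assertion passes whether or not autoscaling is enabled and cannot catch a regression in the rule. The string looks like the rule's JMESPath key pasted into Python, where it is just a string, not a path. The recorded red fixture has no `DefaultArguments` at all and the green one has `"DefaultArguments": {"--enable-auto-scaling": "true"}`, so the check should look inside the nested dict: `base_test.assertNotEqual(resources[0].get('DefaultArguments', {}).get('--enable-auto-scaling'), 'true')`.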
@@ -0,0 +1,23 @@ +{ + "status_code": 200, + "data": { + "IsLogging": true, + "StartLoggingTime": { + "__class__": "datetime", + "year": 2023, + "month": 6, + "day": 23, + "hour": 16, + "minute": 41, + "second": 26, + "microsecond": 825000 + }, + "LatestDeliveryAttemptTime": "", + "LatestNotificationAttemptTime": "", + "LatestNotificationAttemptSucceeded": "", + "LatestDeliveryAttemptSucceeded": "", + "TimeLoggingStarted": "2023-06-23T13:41:26Z", + "TimeLoggingStopped": "", + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-green/tagging.GetResources_1.json b/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-green/tagging.GetResources_1.json new file mode 100644 index 000000000..cfe2f880f --- /dev/null +++ b/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-green/tagging.GetResources_1.json @@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "PaginationToken": "", + "ResourceTagMappingList": [ + { + "ResourceARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/trail-968-green", + "Tags": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-968-cloudtrail_delivery_failing" + }, + { + "Key": "ComplianceStatus", + "Value": "Green" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-red/cloudtrail.DescribeTrails_1.json b/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-red/cloudtrail.DescribeTrails_1.json new file mode 100644 index 000000000..a1cb1068f --- /dev/null +++ b/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-red/cloudtrail.DescribeTrails_1.json 
@@ -0,0 +1,21 @@ +{ + "status_code": 200, + "data": { + "trailList": [ + { + "Name": "trail-968-red", + "S3BucketName": "bucket-968-red", + "S3KeyPrefix": "prefix_968_red", + "IncludeGlobalServiceEvents": false, + "IsMultiRegionTrail": false, + "HomeRegion": "us-east-1", + "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/trail-968-red", + "LogFileValidationEnabled": false, + "HasCustomEventSelectors": false, + "HasInsightSelectors": false, + "IsOrganizationTrail": false + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-red/cloudtrail.GetTrailStatus_1.json b/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-red/cloudtrail.GetTrailStatus_1.json new file mode 100644 index 000000000..101471189 --- /dev/null +++ b/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-red/cloudtrail.GetTrailStatus_1.json @@ -0,0 +1,34 @@ +{ + "status_code": 200, + "data": { + "IsLogging": true, + "LatestDeliveryError": "AccessDenied", + "LatestDeliveryTime": { + "__class__": "datetime", + "year": 2023, + "month": 6, + "day": 23, + "hour": 16, + "minute": 22, + "second": 40, + "microsecond": 767000 + }, + "StartLoggingTime": { + "__class__": "datetime", + "year": 2023, + "month": 6, + "day": 23, + "hour": 16, + "minute": 7, + "second": 36, + "microsecond": 168000 + }, + "LatestDeliveryAttemptTime": "2023-06-23T13:25:18Z", + "LatestNotificationAttemptTime": "", + "LatestNotificationAttemptSucceeded": "", + "LatestDeliveryAttemptSucceeded": "2023-06-23T13:22:40Z", + "TimeLoggingStarted": "2023-06-23T13:07:36Z", + "TimeLoggingStopped": "", + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-red/tagging.GetResources_1.json b/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-red/tagging.GetResources_1.json new file mode 100644 index 000000000..992fc5d87 --- /dev/null 
+++ b/tests/ecc-aws-968-cloudtrail_delivery_failing/placebo-red/tagging.GetResources_1.json
@@ -0,0 +1,22 @@
+{
+ "status_code": 200,
+ "data": {
+ "PaginationToken": "",
+ "ResourceTagMappingList": [
+ {
+ "ResourceARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/trail-968-red",
+ "Tags": [
+ {
+ "Key": "CustodianRule",
+ "Value": "ecc-aws-968-cloudtrail_delivery_failing"
+ },
+ {
+ "Key": "ComplianceStatus",
+ "Value": "Red"
+ }
+ ]
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-968-cloudtrail_delivery_failing/red_policy_test.py b/tests/ecc-aws-968-cloudtrail_delivery_failing/red_policy_test.py
new file mode 100644
index 000000000..6f86817cc
--- /dev/null
+++ b/tests/ecc-aws-968-cloudtrail_delivery_failing/red_policy_test.py
@@ -0,0 +1,5 @@
+class PolicyTest(object):
+
+ def test_resources(self, base_test, resources):
+ base_test.assertEqual(len(resources), 1)
+ base_test.assertIn("LatestDeliveryError", resources[0]['c7n:TrailStatus'])
\ No newline at end of file
diff --git a/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-green/states.DescribeStateMachine_1.json b/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-green/states.DescribeStateMachine_1.json
new file mode 100644
index 000000000..b76a7e9ab
--- /dev/null
+++ b/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-green/states.DescribeStateMachine_1.json
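Review bot: `assertIn("LatestDeliveryError", ...)` only checks that the key is present; the green GetTrailStatus fixture in this commit carries empty strings for fields that have no value (`"LatestDeliveryAttemptTime": ""`), so a status recording with `"LatestDeliveryError": ""` would also satisfy this test even though no delivery failure occurred. Asserting a non-empty value matches the failure the rule is about: `base_test.assertTrue(resources[0]['c7n:TrailStatus'].get('LatestDeliveryError'))`, or pin the recorded value with `assertEqual(..., 'AccessDenied')`. The file also ends without a trailing newline.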
@@ -0,0 +1,36 @@ +{ + "status_code": 200, + "data": { + "stateMachineArn": "arn:aws:states:us-east-1:111111111111:stateMachine:state-machine-969-green", + "name": "state-machine-969-green", + "status": "ACTIVE", + "definition": "{\n \"Comment\": \"A Hello World example of the Amazon States Language using an AWS Lambda Function\",\n \"StartAt\": \"HelloWorld\",\n \"States\": {\n \"HelloWorld\": {\n \"Type\": \"Task\",\n \"Resource\": \"arn:aws:lambda:us-east-1:111111111111:function:lambda-969-green\",\n \"End\": true\n }\n }\n}\n", + "roleArn": "arn:aws:iam::111111111111:role/iam-969-sfn-green", + "type": "STANDARD", + "creationDate": { + "__class__": "datetime", + "year": 2023, + "month": 6, + "day": 23, + "hour": 14, + "minute": 7, + "second": 0, + "microsecond": 794000 + }, + "loggingConfiguration": { + "level": "ERROR", + "includeExecutionData": true, + "destinations": [ + { + "cloudWatchLogsLogGroup": { + "logGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:loggroup-969-red:*" + } + } + ] + }, + "tracingConfiguration": { + "enabled": false + }, + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-green/states.ListStateMachines_1.json b/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-green/states.ListStateMachines_1.json new file mode 100644 index 000000000..e3fa192e9 --- /dev/null +++ b/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-green/states.ListStateMachines_1.json 
@@ -0,0 +1,23 @@ +{ + "status_code": 200, + "data": { + "stateMachines": [ + { + "stateMachineArn": "arn:aws:states:us-east-1:111111111111:stateMachine:state-machine-969-green", + "name": "state-machine-969-green", + "type": "STANDARD", + "creationDate": { + "__class__": "datetime", + "year": 2023, + "month": 6, + "day": 23, + "hour": 14, + "minute": 7, + "second": 0, + "microsecond": 794000 + } + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-green/tagging.GetResources_1.json b/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-green/tagging.GetResources_1.json new file mode 100644 index 000000000..b4d49af33 --- /dev/null +++ b/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-green/tagging.GetResources_1.json @@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "PaginationToken": "", + "ResourceTagMappingList": [ + { + "ResourceARN": "arn:aws:states:us-east-1:111111111111:stateMachine:state-machine-969-green", + "Tags": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-969-step_function_state_machine_logging_enabled" + }, + { + "Key": "ComplianceStatus", + "Value": "Green" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-red/states.DescribeStateMachine_1.json b/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-red/states.DescribeStateMachine_1.json new file mode 100644 index 000000000..7d8798cf8 --- /dev/null +++ b/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-red/states.DescribeStateMachine_1.json 
@@ -0,0 +1,36 @@ +{ + "status_code": 200, + "data": { + "stateMachineArn": "arn:aws:states:us-east-1:111111111111:stateMachine:state-machine-969-red", + "name": "state-machine-969-red", + "status": "ACTIVE", + "definition": "{\n \"Comment\": \"A Hello World example of the Amazon States Language using an AWS Lambda Function\",\n \"StartAt\": \"HelloWorld\",\n \"States\": {\n \"HelloWorld\": {\n \"Type\": \"Task\",\n \"Resource\": \"arn:aws:lambda:us-east-1:111111111111:function:lambda-969-red\",\n \"End\": true\n }\n }\n}\n", + "roleArn": "arn:aws:iam::111111111111:role/iam-969-sfn-red", + "type": "STANDARD", + "creationDate": { + "__class__": "datetime", + "year": 2023, + "month": 6, + "day": 23, + "hour": 14, + "minute": 13, + "second": 36, + "microsecond": 367000 + }, + "loggingConfiguration": { + "level": "OFF", + "includeExecutionData": true, + "destinations": [ + { + "cloudWatchLogsLogGroup": { + "logGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:loggroup-969-green:*" + } + } + ] + }, + "tracingConfiguration": { + "enabled": false + }, + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-red/states.ListStateMachines_1.json b/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-red/states.ListStateMachines_1.json new file mode 100644 index 000000000..0e659d20a --- /dev/null +++ b/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-red/states.ListStateMachines_1.json @@ -0,0 +1,23 @@ +{ + "status_code": 200, + "data": { + "stateMachines": [ + { + "stateMachineArn": "arn:aws:states:us-east-1:111111111111:stateMachine:state-machine-969-red", + "name": "state-machine-969-red", + "type": "STANDARD", + "creationDate": { + "__class__": "datetime", + "year": 2023, + "month": 6, + "day": 23, + "hour": 14, + "minute": 13, + "second": 36, + "microsecond": 367000 + } + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file 
diff --git a/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-red/tagging.GetResources_1.json b/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-red/tagging.GetResources_1.json
new file mode 100644
index 000000000..05cd0602d
--- /dev/null
+++ b/tests/ecc-aws-969-step_function_state_machine_logging_enabled/placebo-red/tagging.GetResources_1.json
@@ -0,0 +1,22 @@
+{
+ "status_code": 200,
+ "data": {
+ "PaginationToken": "",
+ "ResourceTagMappingList": [
+ {
+ "ResourceARN": "arn:aws:states:us-east-1:111111111111:stateMachine:state-machine-969-red",
+ "Tags": [
+ {
+ "Key": "CustodianRule",
+ "Value": "ecc-aws-969-step_function_state_machine_logging_enabled"
+ },
+ {
+ "Key": "ComplianceStatus",
+ "Value": "Red"
+ }
+ ]
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-969-step_function_state_machine_logging_enabled/red_policy_test.py b/tests/ecc-aws-969-step_function_state_machine_logging_enabled/red_policy_test.py
new file mode 100644
index 000000000..b42123046
--- /dev/null
+++ b/tests/ecc-aws-969-step_function_state_machine_logging_enabled/red_policy_test.py
@@ -0,0 +1,5 @@
+class PolicyTest(object):
+
+ def test_resources(self, base_test, resources):
+ base_test.assertEqual(len(resources), 1)
+ base_test.assertEqual(resources[0]['loggingConfiguration']['level'], 'OFF')
\ No newline at end of file