diff --git a/avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md b/avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md index 42f175d1..1ac5d71c 100644 --- a/avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md +++ b/avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md @@ -1,10 +1,10 @@ Specify the exact permissions required, and to which resources they should apply instead of using wildcards. -```yaml--- +```yaml Resources: GoodPolicy: - Type: 'AWS::IAM::Policy' + Type: AWS::IAM::Policy Properties: PolicyName: CFNUsers PolicyDocument: @@ -12,9 +12,8 @@ Resources: Statement: - Effect: Allow Action: - - 's3:ListBuckets' - Resource: 'specific-bucket' - + - s3:ListBuckets + Resource: specific-bucket ``` diff --git a/avd_docs/aws/iam/AVD-AWS-0057/Terraform.md b/avd_docs/aws/iam/AVD-AWS-0057/Terraform.md index d9ef5b23..e5cf3030 100644 --- a/avd_docs/aws/iam/AVD-AWS-0057/Terraform.md +++ b/avd_docs/aws/iam/AVD-AWS-0057/Terraform.md 
@@ -2,41 +2,40 @@ Specify the exact permissions required, and to which resources they should apply instead of using wildcards. ```hcl - resource "aws_iam_role_policy" "test_policy" { - name = "test_policy" - role = aws_iam_role.test_role.id - - policy = data.aws_iam_policy_document.s3_policy.json - } - - resource "aws_iam_role" "test_role" { - name = "test_role" - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = "sts:AssumeRole" - Effect = "Allow" - Sid = "" - Principal = { - Service = "s3.amazonaws.com" - } - }, - ] - }) - } - - data "aws_iam_policy_document" "s3_policy" { - statement { - principals { - type = "AWS" - identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] - } - actions = ["s3:GetObject"] - resources = [aws_s3_bucket.example.arn] - } - } - +resource "aws_iam_role_policy" "test_policy" { + name = "test_policy" + role = aws_iam_role.test_role.id + + policy = data.aws_iam_policy_document.s3_policy.json +} + +resource "aws_iam_role" "test_role" { + name = "test_role" + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Sid = "" + Principal = { + Service = "s3.amazonaws.com" + } + }, + ] + }) +} + +data "aws_iam_policy_document" "s3_policy" { + statement { + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + } + actions = ["s3:GetObject"] + resources = [aws_s3_bucket.example.arn] + } +} ``` #### Remediation Links diff --git a/avd_docs/aws/iam/AVD-AWS-0057/docs.md b/avd_docs/aws/iam/AVD-AWS-0057/docs.md index 6aa472c9..a216e3da 100644 --- a/avd_docs/aws/iam/AVD-AWS-0057/docs.md +++ b/avd_docs/aws/iam/AVD-AWS-0057/docs.md 
@@ -1,8 +1,9 @@ You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals. + ### Impact -Overly permissive policies may grant access to sensitive resources + {{ remediationActions }} diff --git a/avd_docs/aws/iam/AVD-AWS-0169/docs.md b/avd_docs/aws/iam/AVD-AWS-0169/docs.md index e65af623..98bf7fe0 100644 --- a/avd_docs/aws/iam/AVD-AWS-0169/docs.md +++ b/avd_docs/aws/iam/AVD-AWS-0169/docs.md @@ -1,11 +1,10 @@ - By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support. - + ### Impact -Incident management is not possible without a support role. + {{ remediationActions }} diff --git a/avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md index 240a4e18..8d717078 100644 --- a/avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md @@ -1,7 +1,7 @@ Specify the exact permissions required, and to which resources they should apply instead of using wildcards. -```yaml--- +```yaml Resources: GoodFunction: Type: AWS::Serverless::Function @@ -10,20 +10,19 @@ Resources: ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name ImageConfig: Command: - - "app.lambda_handler" + - app.lambda_handler EntryPoint: - - "entrypoint1" - WorkingDirectory: "workDir" - Policies: + - entrypoint1 + WorkingDirectory: workDir + Policies: - AWSLambdaExecute - - Version: '2012-10-17' + - Version: "2012-10-17" Statement: - - Effect: Allow - Action: - - s3:GetObject - - s3:GetObjectACL - Resource: 'arn:aws:s3:::my-bucket/*' - + - Effect: Allow + Action: + - s3:GetObject + - s3:GetObjectACL + Resource: arn:aws:s3:::my-bucket/* ``` 
diff --git a/avd_docs/aws/sam/AVD-AWS-0114/docs.md b/avd_docs/aws/sam/AVD-AWS-0114/docs.md index 721f7836..099567a5 100644 --- a/avd_docs/aws/sam/AVD-AWS-0114/docs.md +++ b/avd_docs/aws/sam/AVD-AWS-0114/docs.md @@ -1,8 +1,9 @@ You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals. + ### Impact -Overly permissive policies may grant access to sensitive resources + {{ remediationActions }} diff --git a/avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md index f6af777e..74133a8a 100644 --- a/avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md @@ -1,7 +1,7 @@ Specify the exact permissions required, and to which resources they should apply instead of using wildcards. -```yaml--- +```yaml Resources: GoodFunction: Type: AWS::Serverless::StateMachine @@ -16,16 +16,15 @@ Resources: Role: arn:aws:iam::123456123456:role/service-role/my-sample-role Tracing: Enabled: true - Policies: + Policies: - AWSLambdaExecute - - Version: '2012-10-17' + - Version: "2012-10-17" Statement: - - Effect: Allow - Action: - - s3:GetObject - - s3:GetObjectACL - Resource: 'arn:aws:s3:::my-bucket/*' - + - Effect: Allow + Action: + - s3:GetObject + - s3:GetObjectACL + Resource: arn:aws:s3:::my-bucket/* ``` diff --git a/avd_docs/aws/sam/AVD-AWS-0120/docs.md b/avd_docs/aws/sam/AVD-AWS-0120/docs.md index daade7f5..474db1a3 100644 --- a/avd_docs/aws/sam/AVD-AWS-0120/docs.md +++ b/avd_docs/aws/sam/AVD-AWS-0120/docs.md 
@@ -1,8 +1,10 @@ -You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals. +You should use the principle of least privilege when defining your IAM policies. +This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals. + ### Impact -Overly permissive policies may grant access to sensitive resources + {{ remediationActions }} diff --git a/avd_docs/aws/ssm/AVD-AWS-0134/Terraform.md b/avd_docs/aws/ssm/AVD-AWS-0134/Terraform.md index f2a0349f..13b3f94a 100644 --- a/avd_docs/aws/ssm/AVD-AWS-0134/Terraform.md +++ b/avd_docs/aws/ssm/AVD-AWS-0134/Terraform.md @@ -3,12 +3,10 @@ Remove this potential exfiltration HTTP request. ```hcl resource "aws_ssm_parameter" "db_password" { - name = "db_password" - type = "SecureString" + name = "db_password" + type = "SecureString" value = var.db_password } - - ``` diff --git a/avd_docs/aws/ssm/AVD-AWS-0134/docs.md b/avd_docs/aws/ssm/AVD-AWS-0134/docs.md index 4fe0f81e..dccbfce0 100644 --- a/avd_docs/aws/ssm/AVD-AWS-0134/docs.md +++ b/avd_docs/aws/ssm/AVD-AWS-0134/docs.md @@ -1,8 +1,9 @@ The data.http block can be used to send secret data outside of the organisation. + ### Impact -Secrets could be exposed outside of the organisation. + {{ remediationActions }} diff --git a/checks/cloud/aws/accessanalyzer/enable_access_analyzer.rego b/checks/cloud/aws/accessanalyzer/enable_access_analyzer.rego index eb467998..aa159db6 100644 --- a/checks/cloud/aws/accessanalyzer/enable_access_analyzer.rego +++ b/checks/cloud/aws/accessanalyzer/enable_access_analyzer.rego 
@@ -20,6 +20,7 @@
 # service: accessanalyzer
 # severity: LOW
 # short_code: enable-access-analyzer
+# deprecated: true
 # recommended_action: Enable IAM Access analyzer across all regions.
 # frameworks:
 # cis-aws-1.4:
diff --git a/checks/cloud/aws/iam/no_policy_wildcards.rego b/checks/cloud/aws/iam/no_policy_wildcards.rego
new file mode 100644
index 00000000..dff4b918
--- /dev/null
+++ b/checks/cloud/aws/iam/no_policy_wildcards.rego
@@ -0,0 +1,38 @@
+# METADATA
+# title: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
+# description: |
+# You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# related_resources:
+# - https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
+# custom:
+# id: AVD-AWS-0057
+# avd_id: AVD-AWS-0057
+# provider: aws
+# service: iam
+# severity: HIGH
+# short_code: no-policy-wildcards
+# deprecated: true
+# recommended_action: Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
+# frameworks:
+# default:
+# - null
+# cis-aws-1.4:
+# - "1.16"
+# input:
+# selector:
+# - type: cloud
+# subtypes:
+# - service: iam
+# provider: aws
+# terraform:
+# links:
+# - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
+# good_examples: checks/cloud/aws/iam/no_policy_wildcards.yaml
+# bad_examples: checks/cloud/aws/iam/no_policy_wildcards.yaml
+# cloudformation:
+# good_examples: checks/cloud/aws/iam/no_policy_wildcards.yaml
+# bad_examples: checks/cloud/aws/iam/no_policy_wildcards.yaml
+package builtin.aws.iam.aws0057
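Review bot: The example-section key in no_policy_wildcards.rego is spelled `cloudformation:`, while the other rego files added in this same commit (no_function_policy_wildcards.rego, no_state_machine_policy_wildcards.rego, avoid_leaks_via_http.rego) use `cloud_formation:`. Whichever spelling the metadata loader actually reads, the other one is silently ignored, so this file's CloudFormation examples may never be picked up by the docs generator or any example runner; the four files should agree, and if `cloud_formation:` is the recognised key the fix here is the one-line change `#   cloud_formation:`. I cannot tell from this page which spelling the loader expects, so please check it against the schema before choosing.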
diff --git a/checks/cloud/aws/iam/no_policy_wildcards.yaml b/checks/cloud/aws/iam/no_policy_wildcards.yaml
new file mode 100644
index 00000000..aabc6afd
--- /dev/null
+++ b/checks/cloud/aws/iam/no_policy_wildcards.yaml
@@ -0,0 +1,106 @@ +cloudformation: + good: + - |- + Resources: + GoodPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: CFNUsers + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - s3:ListBuckets + Resource: specific-bucket + bad: + - |- + Resources: + BadPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: CFNUsers + PolicyDocument: + + Version: "2012-10-17" + + Statement: + - Effect: Allow + Action: + - cloudformation:Describe* + - cloudformation:List* + - cloudformation:Get* + Resource: '*' +terraform: + good: + - |- + resource "aws_iam_role_policy" "test_policy" { + name = "test_policy" + role = aws_iam_role.test_role.id + + policy = data.aws_iam_policy_document.s3_policy.json + } + + resource "aws_iam_role" "test_role" { + name = "test_role" + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Sid = "" + Principal = { + Service = "s3.amazonaws.com" + } + }, + ] + }) + } + + data "aws_iam_policy_document" "s3_policy" { + statement { + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + } + actions = ["s3:GetObject"] + resources = [aws_s3_bucket.example.arn] + } + } + bad: + - |- + resource "aws_iam_role_policy" "test_policy" { + name = "test_policy" + role = aws_iam_role.test_role.id + + policy = data.aws_iam_policy_document.s3_policy.json + } + + resource "aws_iam_role" "test_role" { + name = "test_role" + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Sid = "" + Principal = { + Service = "s3.amazonaws.com" + } + }, + ] + }) + } + + data "aws_iam_policy_document" "s3_policy" { + statement { + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + } + actions = ["s3:*"] + resources = ["*"] + } + } 
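Review bot: In the cloudformation `good` fixture, `Resource: specific-bucket` is not an ARN, and as far as I know `s3:ListBuckets` is not an IAM action name (`s3:ListBucket` and `s3:ListAllMyBuckets` are), so the statement meant to show a least-privilege policy would not be accepted by IAM as written; `Resource: arn:aws:s3:::specific-bucket` together with `- s3:ListBucket` would make it a realistic good case. The `bad` fixture also carries two stray blank lines inside `PolicyDocument:`, which YAML tolerates but which differ from the sibling yaml files in this commit. Since AVD-AWS-0057 is added to `excludedChecks` in integration/check_examples_test.go in this same commit, nothing exercises these fixtures, so review is the only check on their content.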
diff --git a/checks/cloud/aws/iam/require_support_role.rego b/checks/cloud/aws/iam/require_support_role.rego
new file mode 100644
index 00000000..f461a0c5
--- /dev/null
+++ b/checks/cloud/aws/iam/require_support_role.rego
@@ -0,0 +1,29 @@
+# METADATA
+# title: Missing IAM Role to allow authorized users to manage incidents with AWS Support.
+# description: |
+# By implementing least privilege for access control, an IAM Role will require an appropriate
+# IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# related_resources:
+# - https://console.aws.amazon.com/iam/
+# custom:
+# id: AVD-AWS-0169
+# avd_id: AVD-AWS-0169
+# provider: aws
+# service: iam
+# severity: LOW
+# short_code: require-support-role
+# deprecated: true
+# recommended_action: Create an IAM role with the necessary permissions to manage incidents with AWS Support.
+# frameworks:
+# cis-aws-1.4:
+# - "1.17"
+# input:
+# selector:
+# - type: cloud
+# subtypes:
+# - service: iam
+# provider: aws
+package builtin.aws.iam.aws0169
diff --git a/checks/cloud/aws/sam/no_function_policy_wildcards.rego b/checks/cloud/aws/sam/no_function_policy_wildcards.rego
new file mode 100644
index 00000000..36999ff2
--- /dev/null
+++ b/checks/cloud/aws/sam/no_function_policy_wildcards.rego
@@ -0,0 +1,28 @@
+# METADATA
+# title: Function policies should avoid use of wildcards and instead apply the principle of least privilege
+# description: |
+# You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# related_resources:
+# - https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-policies
+# custom:
+# id: AVD-AWS-0114
+# avd_id: AVD-AWS-0114
+# provider: aws
+# service: sam
+# severity: HIGH
+# short_code: no-function-policy-wildcards
+# deprecated: true
+# recommended_action: Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
+# input:
+# selector:
+# - type: cloud
+# subtypes:
+# - service: sam
+# provider: aws
+# cloud_formation:
+# good_examples: checks/cloud/aws/sam/no_function_policy_wildcards.yaml
+# bad_examples: checks/cloud/aws/sam/no_function_policy_wildcards.yaml
+package builtin.aws.sam.aws0114
diff --git a/checks/cloud/aws/sam/no_function_policy_wildcards.yaml b/checks/cloud/aws/sam/no_function_policy_wildcards.yaml
new file mode 100644
index 00000000..c316dada
--- /dev/null
+++ b/checks/cloud/aws/sam/no_function_policy_wildcards.yaml
@@ -0,0 +1,46 @@ +cloudformation: + good: + - |- + Resources: + GoodFunction: + Type: AWS::Serverless::Function + Properties: + PackageType: Image + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + ImageConfig: + Command: + - app.lambda_handler + EntryPoint: + - entrypoint1 + WorkingDirectory: workDir + Policies: + - AWSLambdaExecute + - Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - s3:GetObject + - s3:GetObjectACL + Resource: arn:aws:s3:::my-bucket/* + bad: + - |- + Resources: + BadFunction: + Type: AWS::Serverless::Function + Properties: + PackageType: Image + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + ImageConfig: + Command: + - app.lambda_handler + EntryPoint: + - entrypoint1 + WorkingDirectory: workDir + Policies: + - AWSLambdaExecute + - Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - s3:* + Resource: arn:aws:s3:::my-bucket/* diff --git a/checks/cloud/aws/sam/no_state_machine_policy_wildcards.rego b/checks/cloud/aws/sam/no_state_machine_policy_wildcards.rego new file mode 100644 index 00000000..a1610258 --- /dev/null +++ b/checks/cloud/aws/sam/no_state_machine_policy_wildcards.rego 
@@ -0,0 +1,40 @@
+# METADATA
+# title: State machine policies should avoid use of wildcards and instead apply the principle of least privilege
+# description: |
+# You should use the principle of least privilege when defining your IAM policies.
+# This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# related_resources:
+# - "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-policies"
+# custom:
+# id: AVD-AWS-0120
+# avd_id: AVD-AWS-0120
+# provider: aws
+# service: sam
+# severity: HIGH
+# short_code: no-state-machine-policy-wildcards
+# deprecated: true
+# recommended_action: Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
+# input:
+# selector:
+# - type: cloud
+# subtypes:
+# - service: sam
+# provider: aws
+# cloud_formation:
+# good_examples: checks/cloud/aws/sam/no_state_machine_policy_wildcards.yaml
+# bad_examples: checks/cloud/aws/sam/no_state_machine_policy_wildcards.yaml
+package builtin.aws.sam.aws0120
+
+import rego.v1
+
+deny contains res if {
+ some table in input.aws.sam.simpletables
+ not table.ssespecification.enabled.value
+ res := result.new(
+ "Domain name is configured with an outdated TLS policy.",
+ table.ssespecification.enabled,
+ )
+}
diff --git a/checks/cloud/aws/sam/no_state_machine_policy_wildcards.yaml b/checks/cloud/aws/sam/no_state_machine_policy_wildcards.yaml
new file mode 100644
index 00000000..680d4932
--- /dev/null
+++ b/checks/cloud/aws/sam/no_state_machine_policy_wildcards.yaml
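Review bot: The `deny` rule at the end of no_state_machine_policy_wildcards.rego does not belong to this check: it iterates `input.aws.sam.simpletables`, tests `table.ssespecification.enabled.value`, and reports "Domain name is configured with an outdated TLS policy.", none of which relates to state-machine policy wildcards (AVD-AWS-0120), so it reads as a copy-paste leftover from another check. Unless the engine skips rules flagged `deprecated: true` (which this page does not show), the rule would still evaluate against every SAM SimpleTable without SSE and emit an AVD-AWS-0120 finding whose message and metadata point users at an unrelated problem; the integration test in this same commit lists AVD-AWS-0120 among checks "without implementation", which this body contradicts. The other deprecated files in this commit (no_policy_wildcards.rego, no_function_policy_wildcards.rego, avoid_leaks_via_http.rego) end at the `package` line, so I would drop `import rego.v1` and the whole `deny contains res if { … }` block so this file ends at `package builtin.aws.sam.aws0120` as well. If a real state-machine wildcard check is intended later, it should inspect the `Policies` statements' actions and resources, not table encryption.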
@@ -0,0 +1,50 @@ +cloudformation: + good: + - |- + Resources: + GoodFunction: + Type: AWS::Serverless::StateMachine + Properties: + Definition: + StartAt: MyLambdaState + States: + MyLambdaState: + Type: Task + Resource: arn:aws:lambda:us-east-1:123456123456:function:my-sample-lambda-app + End: true + Role: arn:aws:iam::123456123456:role/service-role/my-sample-role + Tracing: + Enabled: true + Policies: + - AWSLambdaExecute + - Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - s3:GetObject + - s3:GetObjectACL + Resource: arn:aws:s3:::my-bucket/* + bad: + - |- + Resources: + BadFunction: + Type: AWS::Serverless::StateMachine + Properties: + Definition: + StartAt: MyLambdaState + States: + MyLambdaState: + Type: Task + Resource: arn:aws:lambda:us-east-1:123456123456:function:my-sample-lambda-app + End: true + Role: arn:aws:iam::123456123456:role/service-role/my-sample-role + Tracing: + Enabled: true + Policies: + - AWSLambdaExecute + - Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - s3:* + Resource: arn:aws:s3:::my-bucket/* diff --git a/checks/cloud/aws/ssm/avoid_leaks_via_http.rego b/checks/cloud/aws/ssm/avoid_leaks_via_http.rego new file mode 100644 index 00000000..e72d2ae2 --- /dev/null +++ b/checks/cloud/aws/ssm/avoid_leaks_via_http.rego 
@@ -0,0 +1,31 @@
+# METADATA
+# title: Secrets should not be exfiltrated using Terraform HTTP data blocks
+# description: |
+# The data.http block can be used to send secret data outside of the organisation.
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# related_resources:
+# - https://sprocketfox.io/xssfox/2022/02/09/terraformsupply/
+# custom:
+# id: AVD-AWS-0134
+# avd_id: AVD-AWS-0134
+# provider: aws
+# service: ssm
+# severity: CRITICAL
+# short_code: avoid-leaks-via-http
+# deprecated: true
+# recommended_action: Remove this potential exfiltration HTTP request.
+# input:
+# selector:
+# - type: cloud
+# subtypes:
+# - service: ssm
+# provider: aws
+# terraform:
+# good_examples: checks/cloud/aws/ssm/avoid_leaks_via_http.yaml
+# bad_examples: checks/cloud/aws/ssm/avoid_leaks_via_http.yaml
+# cloud_formation:
+# good_examples: checks/cloud/aws/ssm/avoid_leaks_via_http.yaml
+# bad_examples: checks/cloud/aws/ssm/avoid_leaks_via_http.yaml
+package builtin.aws.ssm.aws0134
diff --git a/integration/check_examples_test.go b/integration/check_examples_test.go
index f92141a2..7824ee43 100644
--- a/integration/check_examples_test.go
+++ b/integration/check_examples_test.go
@@ -7,6 +7,7 @@ import (
 "os"
 "os/exec"
 "path/filepath"
+ "slices"
 "strconv"
 "strings"
 "testing"
@@ -62,6 +63,14 @@ func setupCache(t *testing.T) string {
 return cacheDir
 }
+// Rego checks without implementation for documentation only.
+var excludedChecks = []string{
+ "AVD-AWS-0057",
+ "AVD-AWS-0114",
+ "AVD-AWS-0120",
+ "AVD-AWS-0134",
+}
+
 func setupTarget(t *testing.T) string {
 t.Helper()
@@ -76,6 +85,10 @@ func setupTarget(t *testing.T) string {
 continue
 }
+ if slices.Contains(excludedChecks, r.AVDID) {
+ continue
+ }
+
 examples, path, err := examples.GetCheckExamples(r.Rule)
 require.NoError(t, err)
diff --git a/test/rego/aws_access_analyzer_test.go b/test/rego/aws_access_analyzer_test.go
deleted file mode 100644
index ac51db58..00000000
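Review bot: `excludedChecks` omits AVD-AWS-0169 even though require_support_role.rego, added in this same commit, is also metadata-only (`deprecated: true`, no deny rule, and no example paths in its metadata), so setupTarget will still call `examples.GetCheckExamples` for it; if that call errors for a rule that declares no examples the `require.NoError` right after it fails, and if it merely returns nothing the omission is just inconsistent with the list's stated purpose. The comment is also inaccurate for AVD-AWS-0120, whose rego file in this commit does contain a deny body, so "without implementation" only holds once that leftover rule is removed. I would change the comment to `// excludedChecks lists deprecated checks that ship metadata and docs only (no deny rule), so they have no examples to run.` and add `"AVD-AWS-0169",` to the slice; if the rule struct exposes the metadata's deprecated flag, filtering on that in setupTarget instead of a hand-maintained ID list would keep the two in sync automatically. setupTarget starts and ends outside the hunk.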
--- a/test/rego/aws_access_analyzer_test.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package test
-
-import (
- "github.com/aquasecurity/trivy/pkg/iac/providers/aws"
- "github.com/aquasecurity/trivy/pkg/iac/providers/aws/accessanalyzer"
- "github.com/aquasecurity/trivy/pkg/iac/state"
- trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
-)
-
-func init() {
- addTests(awsAccessAnalyzerTestCases)
-}
-
-var awsAccessAnalyzerTestCases = testCases{
- "AVD-AWS-0175": {
- // TODO: Trivy does not export empty structures into Rego
- // {
-
- // name: "No analyzers enabled",
- // input: state.State{AWS: aws.AWS{AccessAnalyzer: accessanalyzer.AccessAnalyzer{}}},
- // expected: true,
- // },
- {
- name: "Analyzer disabled",
- input: state.State{AWS: aws.AWS{AccessAnalyzer: accessanalyzer.AccessAnalyzer{
- Analyzers: []accessanalyzer.Analyzer{
- {
- Metadata: trivyTypes.NewTestMetadata(),
- ARN: trivyTypes.String("arn:aws:accessanalyzer:us-east-1:123456789012:analyzer/test", trivyTypes.NewTestMetadata()),
- Name: trivyTypes.String("test", trivyTypes.NewTestMetadata()),
- Active: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
- },
- },
- }}},
- expected: true,
- },
- {
- name: "Analyzer enabled",
- input: state.State{AWS: aws.AWS{AccessAnalyzer: accessanalyzer.AccessAnalyzer{
- Analyzers: []accessanalyzer.Analyzer{
- {
- Metadata: trivyTypes.NewTestMetadata(),
- ARN: trivyTypes.String("arn:aws:accessanalyzer:us-east-1:123456789012:analyzer/test", trivyTypes.NewTestMetadata()),
- Name: trivyTypes.String("test", trivyTypes.NewTestMetadata()),
- Active: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
- },
- }}},
- },
- expected: false,
- },
- },
-}