From 96f4899c5ec702935ba424fb5872dcf0191d2a10 Mon Sep 17 00:00:00 2001 
From: Anna Shcherbak Date: Sun, 15 Oct 2023 22:58:54 +0300 Subject: [PATCH] new: added policy ecc-aws-067-unauthorized_api_calls_alarm_exists --- iam/All-permissions.json | 1 + ...67-unauthorized_api_calls_alarm_exists.yml | 20 ------ ...67-unauthorized_api_calls_alarm_exists.yml | 23 +++++++ .../green_full/sns.tf | 38 +++++++---- .../green_full/trail.tf | 8 +++ .../iam/067-policy.json | 7 +-- .../red4/sns.tf | 2 +- .../cloudtrail.DescribeTrails_1.json | 22 +++++++ .../cloudtrail.GetEventSelectors_1.json | 19 ++++++ .../cloudtrail.GetTrailStatus_1.json | 43 +++++++++++++ .../iam.ListAccountAliases_1.json | 10 +++ .../logs.DescribeMetricFilters_1.json | 22 +++++++ .../monitoring.DescribeAlarmsForMetric_1.json | 60 ++++++++++++++++++ .../sns.GetTopicAttributes_1.json | 21 +++++++ .../cloudtrail.DescribeTrails_1.json | 22 +++++++ .../cloudtrail.GetEventSelectors_1.json | 15 +++++ .../cloudtrail.GetTrailStatus_1.json | 63 +++++++++++++++++++ .../placebo-red/iam.ListAccountAliases_1.json | 10 +++ .../logs.DescribeMetricFilters_1.json | 7 +++ .../red_policy_test.py | 21 +++++++ 20 files changed, 396 insertions(+), 38 deletions(-) delete mode 100644 non-compatible-policies/ecc-aws-067-unauthorized_api_calls_alarm_exists.yml create mode 100644 policies/ecc-aws-067-unauthorized_api_calls_alarm_exists.yml create mode 100644 tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/cloudtrail.DescribeTrails_1.json create mode 100644 tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/cloudtrail.GetEventSelectors_1.json create mode 100644 tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/cloudtrail.GetTrailStatus_1.json create mode 100644 tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/iam.ListAccountAliases_1.json create mode 100644 tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/logs.DescribeMetricFilters_1.json create mode 100644 
tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/monitoring.DescribeAlarmsForMetric_1.json
create mode 100644 tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/sns.GetTopicAttributes_1.json
create mode 100644 tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/cloudtrail.DescribeTrails_1.json
create mode 100644 tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/cloudtrail.GetEventSelectors_1.json
create mode 100644 tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/cloudtrail.GetTrailStatus_1.json
create mode 100644 tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/iam.ListAccountAliases_1.json
create mode 100644 tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/logs.DescribeMetricFilters_1.json
create mode 100644 tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/red_policy_test.py
diff --git a/iam/All-permissions.json b/iam/All-permissions.json
index 4352b768a..2f3f49e78 100644
--- a/iam/All-permissions.json
+++ b/iam/All-permissions.json
@@ -29,6 +29,7 @@
 "cloudtrail:GetTrailStatus",
 "cloudwatch:GetMetricStatistics",
 "cloudwatch:DescribeAlarms",
+ "cloudwatch:DescribeAlarmsForMetric",
 "codebuild:BatchGetProjects",
 "codebuild:ListProjects",
 "codedeploy:GetDeploymentGroup",
diff --git a/non-compatible-policies/ecc-aws-067-unauthorized_api_calls_alarm_exists.yml b/non-compatible-policies/ecc-aws-067-unauthorized_api_calls_alarm_exists.yml
deleted file mode 100644
index b53a21f75..000000000
--- a/non-compatible-policies/ecc-aws-067-unauthorized_api_calls_alarm_exists.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-067-unauthorized_api_calls_alarm_exists
- comment: '010016010300'
- description: |
- Log metric filter and alarm do not exist for unauthorized API calls
- resource: aws.account
- filters:
- - type: cloudtrails
- valueList: trailList[?IsMultiRegionTrail == `true`]
- statusList: statusList[?IsLogging == `true`]
- selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']]
- configurationChangesAlarmList: "\\(\\(\\$\\.errorCode=\"\\*UnauthorizedOperation\"\\) ?\\|\\| ?\\(\\$\\.errorCode=\"AccessDenied\\*\"\\)\\) ?&& ?\\(\\(\\$\\.sourceIPAddress!=(\")?delivery\\.logs\\.amazonaws\\.com(\")?\\) ?&& ?\\(\\$\\.eventName!=(\")?HeadBucket(\")?\\)\\)"
- op: eq
- value: 0
diff --git a/policies/ecc-aws-067-unauthorized_api_calls_alarm_exists.yml b/policies/ecc-aws-067-unauthorized_api_calls_alarm_exists.yml
new file mode 100644
index 000000000..1479db5ba
--- /dev/null
+++ b/policies/ecc-aws-067-unauthorized_api_calls_alarm_exists.yml
@@ -0,0 +1,23 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-067-unauthorized_api_calls_alarm_exists
+ comment: '010016010300'
+ description: |
+ Log metric filter and alarm do not exist for unauthorized API calls
+ resource: aws.account
+ filters:
+ - type: check-cloudtrail
+ multi-region: true
+ running: true
+ include-management-events: true
+ log-metric-filter-pattern:
+ type: value
+ op: regex
+ value: '{ ?\(? ?\(? ?((\$\.errorCode ?= ?\"?\*UnauthorizedOperation\"?)|(\$\.errorCode ?= ?\"?AccessDenied\*\"?)) ?\)? ?\|\| ?\(? ?((\$\.errorCode ?= ?\"?AccessDenied\*\"?)|(\$\.errorCode ?= ?\"?\*UnauthorizedOperation\"?)) ?\)? ?\)? ?&& ?\(? ?\(? ?((\$\.sourceIPAddress ?[!]= ?\"?delivery\.logs\.amazonaws\.com\"?)|(\$\.eventName ?[!]= ?\"?HeadBucket\"?)) ?\)? ?&& ?\(?((\$\.sourceIPAddress ?[!]= ?\"?delivery\.logs\.amazonaws\.com\"?)|(\$\.eventName ?[!]= ?\"?HeadBucket\"?)) ?\)? ?\)? ?}'
+
+
diff --git a/terraform/ecc-aws-067-unauthorized_api_calls_alarm_exists/green_full/sns.tf b/terraform/ecc-aws-067-unauthorized_api_calls_alarm_exists/green_full/sns.tf
index b0ec97a0e..fecc4c99e 100644
--- a/terraform/ecc-aws-067-unauthorized_api_calls_alarm_exists/green_full/sns.tf
+++ b/terraform/ecc-aws-067-unauthorized_api_calls_alarm_exists/green_full/sns.tf
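Review bot: The `log-metric-filter-pattern` regex accepts a metric filter that never matches `AccessDenied*` or never excludes `HeadBucket`: both operands of the `||` are the same two-way alternation and both operands of the trailing `&&` are the same two-way alternation, so `($.errorCode="*UnauthorizedOperation") || ($.errorCode="*UnauthorizedOperation")`, or a filter that excludes `delivery.logs.amazonaws.com` twice, satisfies the check and the account is reported compliant while the alarm misses half of the CIS condition. Requiring each distinct term once closes the gap, e.g. by prefixing the structural pattern with four lookaheads such as `(?=.*\$\.errorCode ?= ?\"?\*UnauthorizedOperation)(?=.*\$\.errorCode ?= ?\"?AccessDenied\*)(?=.*sourceIPAddress ?!= ?\"?delivery\.logs\.amazonaws\.com)(?=.*eventName ?!= ?\"?HeadBucket)`. Conversely a filter that uses the older errorCode-only CIS pattern (no sourceIPAddress/HeadBucket exclusions), which is strictly broader, is reported non-compliant; if that is intended, say so in `description`. How the custom `check-cloudtrail` filter evaluates `op: regex` (anchoring, case-sensitivity) is not visible in this diff, so confirm the lookahead form against the filter implementation.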
@@ -2,17 +2,29 @@ resource "aws_sns_topic" "this" {
 name = "067-sns-green"
 }
-resource "null_resource" "this" {
- provisioner "local-exec" {
- command = join(" ", [
- "aws sns subscribe",
- "--topic-arn ${aws_sns_topic.this.arn}",
- "--protocol email",
- "--notification-endpoint ${var.test-email}",
- "--profile ${var.profile}",
- "--region ${var.default-region}"
+resource "aws_sqs_queue" "this" {
+ name = "067-sqs-green"
+}
+
+resource "aws_sns_topic_subscription" "this" {
+ topic_arn = aws_sns_topic.this.arn
+ protocol = "sqs"
+ endpoint = aws_sqs_queue.this.arn
+}
+
+# uncomment to test email notification
+
+# resource "null_resource" "this" {
+# provisioner "local-exec" {
+# command = join(" ", [
+# "aws sns subscribe",
+# "--topic-arn ${aws_sns_topic.this.arn}",
+# "--protocol email",
+# "--notification-endpoint ${var.test-email}",
+# "--profile ${var.profile}",
+# "--region ${var.default-region}"
- ]
- )
- }
-}
\ No newline at end of file
+# ]
+# )
+# }
+# }
\ No newline at end of file
diff --git a/terraform/ecc-aws-067-unauthorized_api_calls_alarm_exists/green_full/trail.tf b/terraform/ecc-aws-067-unauthorized_api_calls_alarm_exists/green_full/trail.tf
index e43b8c441..85fa8a979 100644
--- a/terraform/ecc-aws-067-unauthorized_api_calls_alarm_exists/green_full/trail.tf
+++ b/terraform/ecc-aws-067-unauthorized_api_calls_alarm_exists/green_full/trail.tf
@@ -7,6 +7,14 @@ resource "aws_cloudtrail" "this" {
 cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.this.arn}:*"
 include_global_service_events = true
 is_multi_region_trail = true
+
+ advanced_event_selector {
+ field_selector {
+ field = "eventCategory"
+ equals = ["Management"]
+ }
+ }
+
 depends_on = [
 aws_s3_bucket.this,
 aws_s3_bucket_policy.this
diff --git a/terraform/ecc-aws-067-unauthorized_api_calls_alarm_exists/iam/067-policy.json b/terraform/ecc-aws-067-unauthorized_api_calls_alarm_exists/iam/067-policy.json
index b34f96340..fbcd66888 100644
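Review bot: The new `aws_sqs_queue` has no `aws_sqs_queue_policy` granting `sqs:SendMessage` to the SNS service principal, so the `sqs` subscription gets created and confirmed but SNS cannot actually deliver from `067-sns-green` into the queue — the green fixture then models a notification path that looks wired up (subscription confirmed) yet never delivers, which is the kind of silent failure this control is supposed to rule out. Add a queue policy next to the subscription, restricted with `aws:SourceArn` to this topic so nothing else in the account can publish into the queue. The commented-out `null_resource` email block is dead code in the module; either drop it in favour of a one-line pointer to the email variant or gate it with `count = var.test-email != "" ? 1 : 0`. Whether the policy only consults `SubscriptionsConfirmed` is inferred from the recorded `sns.GetTopicAttributes` fixture, not from code visible here.
```hcl
resource "aws_sqs_queue_policy" "this" {
  queue_url = aws_sqs_queue.this.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "sns.amazonaws.com" }
      Action    = "sqs:SendMessage"
      Resource  = aws_sqs_queue.this.arn
      Condition = { ArnEquals = { "aws:SourceArn" = aws_sns_topic.this.arn } }
    }]
  })
}
# … unchanged: aws_sns_topic_subscription and the commented email block …
```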
--- a/terraform/ecc-aws-067-unauthorized_api_calls_alarm_exists/iam/067-policy.json
+++ b/terraform/ecc-aws-067-unauthorized_api_calls_alarm_exists/iam/067-policy.json
@@ -4,15 +4,14 @@
 {
 "Effect": "Allow",
 "Action": [
+ "iam:ListAccountAliases",
 "cloudtrail:DescribeTrails",
 "cloudtrail:GetTrailStatus",
 "cloudtrail:GetEventSelectors",
- "sns:GetTopicAttributes",
- "sns:ListTopics",
 "cloudwatch:DescribeAlarms",
 "logs:DescribeMetricFilters",
- "logs:DescribeLogGroups",
- "iam:ListAccountAliases"
+ "cloudwatch:DescribeAlarmsForMetric",
+ "sns:GetTopicAttributes"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-067-unauthorized_api_calls_alarm_exists/red4/sns.tf b/terraform/ecc-aws-067-unauthorized_api_calls_alarm_exists/red4/sns.tf
index 32fb50619..f6b913e75 100644
--- a/terraform/ecc-aws-067-unauthorized_api_calls_alarm_exists/red4/sns.tf
+++ b/terraform/ecc-aws-067-unauthorized_api_calls_alarm_exists/red4/sns.tf
@@ -1,3 +1,3 @@
-resource "aws_sns_topic" "sns" {
+resource "aws_sns_topic" "this" {
 name = "067-c7n-sns-red4"
 }
\ No newline at end of file
diff --git a/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/cloudtrail.DescribeTrails_1.json b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/cloudtrail.DescribeTrails_1.json
new file mode 100644
index 000000000..b8a035e79
--- /dev/null
+++ b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/cloudtrail.DescribeTrails_1.json
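Review bot: `"cloudwatch:DescribeAlarms"` is kept in the scanner role although no recorded placebo call in this commit uses it — the alarm lookup recorded is `monitoring.DescribeAlarmsForMetric` — so it looks like a leftover from the previous `cloudtrails`-filter version rather than a permission the new `check-cloudtrail` filter needs; if the filter source confirms it only calls `DescribeAlarmsForMetric`, drop the `"cloudwatch:DescribeAlarms",` line to keep the role at least-privilege. The visible call set comes from one green and one red recording, so a code path that still issues `DescribeAlarms` may exist outside this diff; verify before removing. A short comment above the `Action` list naming the policy file whose filter drives these grants would make the next cleanup easier, e.g. `// permissions required by policies/ecc-aws-067-unauthorized_api_calls_alarm_exists.yml (check-cloudtrail filter)`, if the project's JSON loader tolerates comments.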
@@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "trailList": [ + { + "Name": "c7n-067-cloudtrail-green", + "S3BucketName": "067-bucket-7401094-green", + "IncludeGlobalServiceEvents": true, + "IsMultiRegionTrail": true, + "HomeRegion": "us-east-1", + "TrailARN": "arn:aws:cloudtrail:us-east-1:644160558196:trail/c7n-067-cloudtrail-green", + "LogFileValidationEnabled": false, + "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:644160558196:log-group:067_log_group_green:*", + "CloudWatchLogsRoleArn": "arn:aws:iam::644160558196:role/067_role_green", + "HasCustomEventSelectors": true, + "HasInsightSelectors": false, + "IsOrganizationTrail": false + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/cloudtrail.GetEventSelectors_1.json b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/cloudtrail.GetEventSelectors_1.json new file mode 100644 index 000000000..74cf907d4 --- /dev/null +++ b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/cloudtrail.GetEventSelectors_1.json @@ -0,0 +1,19 @@ +{ + "status_code": 200, + "data": { + "TrailARN": "arn:aws:cloudtrail:us-east-1:644160558196:trail/c7n-067-cloudtrail-green", + "AdvancedEventSelectors": [ + { + "FieldSelectors": [ + { + "Field": "eventCategory", + "Equals": [ + "Management" + ] + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/cloudtrail.GetTrailStatus_1.json b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/cloudtrail.GetTrailStatus_1.json new file mode 100644 index 000000000..5008c7ca4 --- /dev/null +++ b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/cloudtrail.GetTrailStatus_1.json 
@@ -0,0 +1,43 @@ +{ + "status_code": 200, + "data": { + "IsLogging": true, + "LatestDeliveryTime": { + "__class__": "datetime", + "year": 2023, + "month": 10, + "day": 15, + "hour": 22, + "minute": 37, + "second": 38, + "microsecond": 982000 + }, + "StartLoggingTime": { + "__class__": "datetime", + "year": 2023, + "month": 10, + "day": 15, + "hour": 13, + "minute": 16, + "second": 49, + "microsecond": 492000 + }, + "LatestCloudWatchLogsDeliveryTime": { + "__class__": "datetime", + "year": 2023, + "month": 10, + "day": 15, + "hour": 22, + "minute": 38, + "second": 0, + "microsecond": 211000 + }, + "LatestDeliveryAttemptTime": "2023-10-15T19:37:38Z", + "LatestNotificationAttemptTime": "", + "LatestNotificationAttemptSucceeded": "", + "LatestDeliveryAttemptSucceeded": "2023-10-15T19:37:38Z", + "TimeLoggingStarted": "2023-10-15T10:16:49Z", + "TimeLoggingStopped": "", + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/iam.ListAccountAliases_1.json b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/iam.ListAccountAliases_1.json new file mode 100644 index 000000000..3b408e3eb --- /dev/null +++ b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/iam.ListAccountAliases_1.json @@ -0,0 +1,10 @@ +{ + "status_code": 200, + "data": { + "AccountAliases": [ + "test" + ], + "IsTruncated": false, + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/logs.DescribeMetricFilters_1.json b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/logs.DescribeMetricFilters_1.json new file mode 100644 index 000000000..1cb05359d --- /dev/null +++ b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/logs.DescribeMetricFilters_1.json 
@@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "metricFilters": [ + { + "filterName": "067_Unauthorized_API_Calls_green", + "filterPattern": "{(($.errorCode=\"*UnauthorizedOperation\") || ($.errorCode=\"AccessDenied*\")) && (($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") && ($.eventName!=\"HeadBucket\"))}", + "metricTransformations": [ + { + "metricName": "067_Unauthorized_API_Calls_green", + "metricNamespace": "API_Calls", + "metricValue": "1", + "unit": "None" + } + ], + "creationTime": 1697365001970, + "logGroupName": "067_log_group_green" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/monitoring.DescribeAlarmsForMetric_1.json b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/monitoring.DescribeAlarmsForMetric_1.json new file mode 100644 index 000000000..4c60be022 --- /dev/null +++ b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/monitoring.DescribeAlarmsForMetric_1.json 
@@ -0,0 +1,60 @@ +{ + "status_code": 200, + "data": { + "MetricAlarms": [ + { + "AlarmName": "067_Unauthorized_API_Calls_green", + "AlarmArn": "arn:aws:cloudwatch:us-east-1:644160558196:alarm:067_Unauthorized_API_Calls_green", + "AlarmConfigurationUpdatedTimestamp": { + "__class__": "datetime", + "year": 2023, + "month": 10, + "day": 15, + "hour": 10, + "minute": 16, + "second": 43, + "microsecond": 353000 + }, + "ActionsEnabled": true, + "OKActions": [], + "AlarmActions": [ + "arn:aws:sns:us-east-1:644160558196:067-sns-green" + ], + "InsufficientDataActions": [], + "StateValue": "INSUFFICIENT_DATA", + "StateReason": "Insufficient Data: 1 datapoint was unknown.", + "StateReasonData": "{\"version\":\"1.0\",\"queryDate\":\"2023-10-15T19:34:23.797+0000\",\"statistic\":\"Sum\",\"period\":300,\"recentDatapoints\":[],\"threshold\":1.0,\"evaluatedDatapoints\":[{\"timestamp\":\"2023-10-15T19:29:00.000+0000\"}]}", + "StateUpdatedTimestamp": { + "__class__": "datetime", + "year": 2023, + "month": 10, + "day": 15, + "hour": 19, + "minute": 34, + "second": 23, + "microsecond": 799000 + }, + "MetricName": "067_Unauthorized_API_Calls_green", + "Namespace": "API_Calls", + "Statistic": "Sum", + "Dimensions": [], + "Period": 300, + "EvaluationPeriods": 1, + "Threshold": 1.0, + "ComparisonOperator": "GreaterThanOrEqualToThreshold", + "TreatMissingData": "missing", + "StateTransitionedTimestamp": { + "__class__": "datetime", + "year": 2023, + "month": 10, + "day": 15, + "hour": 19, + "minute": 34, + "second": 23, + "microsecond": 799000 + } + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/sns.GetTopicAttributes_1.json b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/sns.GetTopicAttributes_1.json new file mode 100644 index 000000000..2ef645454 --- /dev/null +++ b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-green/sns.GetTopicAttributes_1.json 
@@ -0,0 +1,21 @@ +{ + "status_code": 200, + "data": { + "Attributes": { + "Policy": "{\"Version\":\"2008-10-17\",\"Id\":\"__default_policy_ID\",\"Statement\":[{\"Sid\":\"__default_statement_ID\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":[\"SNS:GetTopicAttributes\",\"SNS:SetTopicAttributes\",\"SNS:AddPermission\",\"SNS:RemovePermission\",\"SNS:DeleteTopic\",\"SNS:Subscribe\",\"SNS:ListSubscriptionsByTopic\",\"SNS:Publish\"],\"Resource\":\"arn:aws:sns:us-east-1:644160558196:067-sns-green\",\"Condition\":{\"StringEquals\":{\"AWS:SourceOwner\":\"644160558196\"}}}]}", + "LambdaSuccessFeedbackSampleRate": "0", + "Owner": "644160558196", + "SubscriptionsPending": "0", + "TopicArn": "arn:aws:sns:us-east-1:644160558196:067-sns-green", + "EffectiveDeliveryPolicy": "{\"http\":{\"defaultHealthyRetryPolicy\":{\"minDelayTarget\":20,\"maxDelayTarget\":20,\"numRetries\":3,\"numMaxDelayRetries\":0,\"numNoDelayRetries\":0,\"numMinDelayRetries\":0,\"backoffFunction\":\"linear\"},\"disableSubscriptionOverrides\":false,\"defaultRequestPolicy\":{\"headerContentType\":\"text/plain; charset=UTF-8\"}}}", + "FirehoseSuccessFeedbackSampleRate": "0", + "SubscriptionsConfirmed": "2", + "SQSSuccessFeedbackSampleRate": "0", + "HTTPSuccessFeedbackSampleRate": "0", + "ApplicationSuccessFeedbackSampleRate": "0", + "DisplayName": "", + "SubscriptionsDeleted": "0" + }, + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/cloudtrail.DescribeTrails_1.json b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/cloudtrail.DescribeTrails_1.json new file mode 100644 index 000000000..47516f2ec --- /dev/null +++ b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/cloudtrail.DescribeTrails_1.json 
@@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "trailList": [ + { + "Name": "c7n-067-cloudtrail-red1", + "S3BucketName": "067-bucket-552812-red1", + "IncludeGlobalServiceEvents": true, + "IsMultiRegionTrail": false, + "HomeRegion": "us-east-1", + "TrailARN": "arn:aws:cloudtrail:us-east-1:644160558196:trail/c7n-067-cloudtrail-red1", + "LogFileValidationEnabled": false, + "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:644160558196:log-group:067_log_group_red1:*", + "CloudWatchLogsRoleArn": "arn:aws:iam::644160558196:role/067_role_red1", + "HasCustomEventSelectors": false, + "HasInsightSelectors": false, + "IsOrganizationTrail": false + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/cloudtrail.GetEventSelectors_1.json b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/cloudtrail.GetEventSelectors_1.json new file mode 100644 index 000000000..a716f57a9 --- /dev/null +++ b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/cloudtrail.GetEventSelectors_1.json @@ -0,0 +1,15 @@ +{ + "status_code": 200, + "data": { + "TrailARN": "arn:aws:cloudtrail:us-east-1:644160558196:trail/c7n-067-cloudtrail-red1", + "EventSelectors": [ + { + "ReadWriteType": "All", + "IncludeManagementEvents": true, + "DataResources": [], + "ExcludeManagementEventSources": [] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/cloudtrail.GetTrailStatus_1.json b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/cloudtrail.GetTrailStatus_1.json new file mode 100644 index 000000000..c7dad2f81 --- /dev/null +++ b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/cloudtrail.GetTrailStatus_1.json 
@@ -0,0 +1,63 @@ +{ + "status_code": 200, + "data": { + "IsLogging": true, + "LatestDeliveryTime": { + "__class__": "datetime", + "year": 2023, + "month": 10, + "day": 15, + "hour": 22, + "minute": 47, + "second": 59, + "microsecond": 478000 + }, + "LatestNotificationTime": { + "__class__": "datetime", + "year": 2023, + "month": 10, + "day": 15, + "hour": 22, + "minute": 47, + "second": 59, + "microsecond": 472000 + }, + "StartLoggingTime": { + "__class__": "datetime", + "year": 2022, + "month": 11, + "day": 22, + "hour": 14, + "minute": 8, + "second": 48, + "microsecond": 545000 + }, + "LatestCloudWatchLogsDeliveryTime": { + "__class__": "datetime", + "year": 2023, + "month": 10, + "day": 15, + "hour": 22, + "minute": 49, + "second": 29, + "microsecond": 568000 + }, + "LatestDigestDeliveryTime": { + "__class__": "datetime", + "year": 2023, + "month": 10, + "day": 15, + "hour": 22, + "minute": 21, + "second": 35, + "microsecond": 928000 + }, + "LatestDeliveryAttemptTime": "2023-10-15T19:47:59Z", + "LatestNotificationAttemptTime": "2023-10-15T19:47:59Z", + "LatestNotificationAttemptSucceeded": "2023-10-15T19:47:59Z", + "LatestDeliveryAttemptSucceeded": "2023-10-15T19:47:59Z", + "TimeLoggingStarted": "2022-11-22T12:08:48Z", + "TimeLoggingStopped": "", + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/iam.ListAccountAliases_1.json b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/iam.ListAccountAliases_1.json new file mode 100644 index 000000000..3b408e3eb --- /dev/null +++ b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/iam.ListAccountAliases_1.json @@ -0,0 +1,10 @@ +{ + "status_code": 200, + "data": { + "AccountAliases": [ + "test" + ], + "IsTruncated": false, + "ResponseMetadata": {} + } +} \ No newline at end of file 
diff --git a/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/logs.DescribeMetricFilters_1.json b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/logs.DescribeMetricFilters_1.json
new file mode 100644
index 000000000..e9471b9bb
--- /dev/null
+++ b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/placebo-red/logs.DescribeMetricFilters_1.json
@@ -0,0 +1,7 @@
+{
+ "status_code": 200,
+ "data": {
+ "metricFilters": [],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/red_policy_test.py b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/red_policy_test.py
new file mode 100644
index 000000000..97664ae2c
--- /dev/null
+++ b/tests/ecc-aws-067-unauthorized_api_calls_alarm_exists/red_policy_test.py
@@ -0,0 +1,21 @@
+class PolicyTest(object):
+
+ def test_resources_with_client(self, base_test, resources, local_session):
+
+ base_test.assertEqual(len(resources), 1)
+
+ trail_client = local_session.client("cloudtrail")
+ trail_name = "c7n-067-cloudtrail-red1"
+ describe_trails = trail_client.describe_trails(trailNameList=[trail_name])
+ base_test.assertFalse(describe_trails["trailList"][0]["IsMultiRegionTrail"])
+
+ trail_status = trail_client.get_trail_status(Name=trail_name)
+ base_test.assertTrue(trail_status["IsLogging"])
+
+ event_selectors = trail_client.get_event_selectors(TrailName=trail_name)
+ base_test.assertEqual(event_selectors["EventSelectors"][0]["ReadWriteType"], "All")
+ base_test.assertTrue(event_selectors["EventSelectors"][0]["IncludeManagementEvents"])
+
+ logs_client = local_session.client("logs")
+ logs_metrics = logs_client.describe_metric_filters(logGroupName="067_log_group_red1")
+ base_test.assertEqual(logs_metrics["metricFilters"], [])
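Review bot: The only red fixture fails the control on two independent conditions at once — `IsMultiRegionTrail` is false and `metricFilters` is empty — so `test_resources_with_client` cannot tell which condition produced the finding, and a regression in the `log-metric-filter-pattern` regex (the most fragile part of the policy) would pass unnoticed; a second red recording with a multi-region trail and a metric filter whose pattern is wrong, or a matching filter with no alarm action, is what actually exercises the new filter. `describe_trails["trailList"][0]` and `event_selectors["EventSelectors"][0]` index unguarded, so an empty list fails with an unrelated `IndexError` instead of a readable assertion; precede them with `base_test.assertEqual(len(describe_trails["trailList"]), 1)` and `base_test.assertEqual(len(event_selectors["EventSelectors"]), 1)`. The recorded red `get_event_selectors` uses classic `EventSelectors` while the green one uses `AdvancedEventSelectors`, which is worth a one-line comment in the test (`# red1 uses classic event selectors; green covers the advanced form`) so the two code paths are not merged by accident later. No `green_policy_test.py` is part of this diff, so whether the green recordings are asserted at all is not visible here.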