chore(arn): improve resource ARNs in checks #3388
|
@@ -17,7 +17,7 @@ def execute(self): | |
report = Check_Report_AWS(self.metadata()) | ||
report.status = "FAIL" | ||
report.status_extended = "No Backup Plan exist." | ||
report.resource_arn = backup_client.audited_account_arn | ||
report.resource_arn = f"arn:{backup_client.audited_partition}:backup:{backup_client.region}:{backup_client.audited_account}:backup-plan" | ||
This applies to all the backup checks.
Maybe you can define those ARNs in a single place so that the tests can use them too. Maybe it's better to have something in the …
Good point, it would be a nice-to-have. But I see it as complicated, since each check can have a different resource type and we need the information of each service.
Done! I have added them in each service class.
||
report.resource_id = backup_client.audited_account | ||
report.region = backup_client.region | ||
findings.append(report) | ||
|
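Review bot: The new `report.resource_arn = f"arn:...:backup-plan"` line produces a synthetic ARN: the branch is reached only when no plan exists, so there is no plan id to append, and real AWS Backup plan ARNs carry one after `backup-plan`. Any consumer that keys on `resource_arn` (ARN-based allow/mute lists, findings exported to an ARN-keyed sink) should be told this is a region-level placeholder rather than a resolvable resource, so mark it in place: `# Synthetic ARN: no backup plan exists, so this is a region-level placeholder, not a resolvable resource`. Note also that `resource_id` stays the account while the ARN is now region-scoped, so two fields on the same finding describe different scopes. The execute body continues outside the hunk.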
|
@@ -21,8 +21,8 @@ def execute(self): | |||||
"No CloudWatch log groups found with metric filters or alarms associated." | ||||||
) | ||||||
report.region = cloudwatch_client.region | ||||||
|
||||||
report.resource_id = cloudtrail_client.audited_account | ||||||
report.resource_arn = cloudtrail_client.audited_account_arn | ||||||
report.resource_id = logs_client.audited_account | ||||||
report.resource_arn = f"arn:{logs_client.audited_partition}:logs:{logs_client.region}:{logs_client.audited_account}:log-group" | ||||||
report = check_cloudwatch_log_metric_filter( | ||||||
pattern, | ||||||
cloudtrail_client.trails, | ||||||
|
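Review bot: The new `report.resource_arn` line ends in a bare `log-group` type with no log-group name, because the branch runs only when no log group matched; that makes it a synthetic ARN that an ARN-keyed consumer cannot resolve, and the next reader will not know that from the code. A one-line comment above it, `# Synthetic ARN: no matching log group, so no resource name is available`, keeps the intent. The same report also mixes sources — `report.region` comes from `cloudwatch_client.region` while the ARN embeds `logs_client.region` — so taking both from `logs_client` removes a drift point. The execute body continues outside the hunk.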
|
@@ -21,8 +21,8 @@ def execute(self): | |||||
"No CloudWatch log groups found with metric filters or alarms associated." | ||||||
) | ||||||
report.region = cloudwatch_client.region | ||||||
|
||||||
report.resource_id = cloudtrail_client.audited_account | ||||||
report.resource_arn = cloudtrail_client.audited_account_arn | ||||||
report.resource_id = logs_client.audited_account | ||||||
report.resource_arn = f"arn:{logs_client.audited_partition}:logs:{logs_client.region}:{logs_client.audited_account}:log-group" | ||||||
report = check_cloudwatch_log_metric_filter( | ||||||
pattern, | ||||||
cloudtrail_client.trails, | ||||||
|
|
@@ -21,8 +21,8 @@ def execute(self): | |||||
"No CloudWatch log groups found with metric filters or alarms associated." | ||||||
) | ||||||
report.region = cloudwatch_client.region | ||||||
|
||||||
report.resource_id = cloudtrail_client.audited_account | ||||||
report.resource_arn = cloudtrail_client.audited_account_arn | ||||||
report.resource_id = logs_client.audited_account | ||||||
report.resource_arn = f"arn:{logs_client.audited_partition}:logs:{logs_client.region}:{logs_client.audited_account}:log-group" | ||||||
report = check_cloudwatch_log_metric_filter( | ||||||
pattern, | ||||||
cloudtrail_client.trails, | ||||||
|
|
@@ -21,8 +21,8 @@ def execute(self): | |||||
"No CloudWatch log groups found with metric filters or alarms associated." | ||||||
) | ||||||
report.region = cloudwatch_client.region | ||||||
|
||||||
report.resource_id = cloudtrail_client.audited_account | ||||||
report.resource_arn = cloudtrail_client.audited_account_arn | ||||||
report.resource_id = logs_client.audited_account | ||||||
report.resource_arn = f"arn:{logs_client.audited_partition}:logs:{logs_client.region}:{logs_client.audited_account}:log-group" | ||||||
report = check_cloudwatch_log_metric_filter( | ||||||
pattern, | ||||||
cloudtrail_client.trails, | ||||||
|
|
@@ -23,8 +23,8 @@ def execute(self): | |||||
"No CloudWatch log groups found with metric filters or alarms associated." | ||||||
) | ||||||
report.region = cloudwatch_client.region | ||||||
|
||||||
report.resource_id = cloudtrail_client.audited_account | ||||||
report.resource_arn = cloudtrail_client.audited_account_arn | ||||||
report.resource_id = logs_client.audited_account | ||||||
report.resource_arn = f"arn:{logs_client.audited_partition}:logs:{logs_client.region}:{logs_client.audited_account}:log-group" | ||||||
report = check_cloudwatch_log_metric_filter( | ||||||
pattern, | ||||||
cloudtrail_client.trails, | ||||||
|
|
@@ -23,8 +23,8 @@ def execute(self): | |||||
"No CloudWatch log groups found with metric filters or alarms associated." | ||||||
) | ||||||
report.region = cloudwatch_client.region | ||||||
|
||||||
report.resource_id = cloudtrail_client.audited_account | ||||||
report.resource_arn = cloudtrail_client.audited_account_arn | ||||||
report.resource_id = logs_client.audited_account | ||||||
report.resource_arn = f"arn:{logs_client.audited_partition}:logs:{logs_client.region}:{logs_client.audited_account}:log-group" | ||||||
report = check_cloudwatch_log_metric_filter( | ||||||
pattern, | ||||||
cloudtrail_client.trails, | ||||||
|
|
@@ -21,8 +21,8 @@ def execute(self): | |||||
"No CloudWatch log groups found with metric filters or alarms associated." | ||||||
) | ||||||
report.region = cloudwatch_client.region | ||||||
|
||||||
report.resource_id = cloudtrail_client.audited_account | ||||||
report.resource_arn = cloudtrail_client.audited_account_arn | ||||||
report.resource_id = logs_client.audited_account | ||||||
report.resource_arn = f"arn:{logs_client.audited_partition}:logs:{logs_client.region}:{logs_client.audited_account}:log-group" | ||||||
report = check_cloudwatch_log_metric_filter( | ||||||
pattern, | ||||||
cloudtrail_client.trails, | ||||||
|
|
@@ -21,8 +21,8 @@ def execute(self): | |||||
"No CloudWatch log groups found with metric filters or alarms associated." | ||||||
) | ||||||
report.region = cloudwatch_client.region | ||||||
|
||||||
report.resource_id = cloudtrail_client.audited_account | ||||||
report.resource_arn = cloudtrail_client.audited_account_arn | ||||||
report.resource_id = logs_client.audited_account | ||||||
report.resource_arn = f"arn:{logs_client.audited_partition}:logs:{logs_client.region}:{logs_client.audited_account}:log-group" | ||||||
report = check_cloudwatch_log_metric_filter( | ||||||
pattern, | ||||||
cloudtrail_client.trails, | ||||||
|
|
@@ -21,8 +21,8 @@ def execute(self): | |||||
"No CloudWatch log groups found with metric filters or alarms associated." | ||||||
) | ||||||
report.region = cloudwatch_client.region | ||||||
|
||||||
report.resource_id = cloudtrail_client.audited_account | ||||||
report.resource_arn = cloudtrail_client.audited_account_arn | ||||||
report.resource_id = logs_client.audited_account | ||||||
report.resource_arn = f"arn:{logs_client.audited_partition}:logs:{logs_client.region}:{logs_client.audited_account}:log-group" | ||||||
report = check_cloudwatch_log_metric_filter( | ||||||
pattern, | ||||||
cloudtrail_client.trails, | ||||||
|
|
@@ -21,8 +21,8 @@ def execute(self): | |||||
"No CloudWatch log groups found with metric filters or alarms associated." | ||||||
) | ||||||
report.region = cloudwatch_client.region | ||||||
|
||||||
report.resource_id = cloudtrail_client.audited_account | ||||||
report.resource_arn = cloudtrail_client.audited_account_arn | ||||||
report.resource_id = logs_client.audited_account | ||||||
report.resource_arn = f"arn:{logs_client.audited_partition}:logs:{logs_client.region}:{logs_client.audited_account}:log-group" | ||||||
|
||||||
report = check_cloudwatch_log_metric_filter( | ||||||
pattern, | ||||||
|
|
@@ -21,8 +21,8 @@ def execute(self): | |||||
"No CloudWatch log groups found with metric filters or alarms associated." | ||||||
) | ||||||
report.region = cloudwatch_client.region | ||||||
|
||||||
report.resource_id = cloudtrail_client.audited_account | ||||||
report.resource_arn = cloudtrail_client.audited_account_arn | ||||||
report.resource_id = logs_client.audited_account | ||||||
report.resource_arn = f"arn:{logs_client.audited_partition}:logs:{logs_client.region}:{logs_client.audited_account}:log-group" | ||||||
report = check_cloudwatch_log_metric_filter( | ||||||
pattern, | ||||||
cloudtrail_client.trails, | ||||||
|
|
@@ -21,8 +21,8 @@ def execute(self): | |||||
"No CloudWatch log groups found with metric filters or alarms associated." | ||||||
) | ||||||
report.region = cloudwatch_client.region | ||||||
|
||||||
report.resource_id = cloudtrail_client.audited_account | ||||||
report.resource_arn = cloudtrail_client.audited_account_arn | ||||||
report.resource_id = logs_client.audited_account | ||||||
report.resource_arn = f"arn:{logs_client.audited_partition}:logs:{logs_client.region}:{logs_client.audited_account}:log-group" | ||||||
report = check_cloudwatch_log_metric_filter( | ||||||
pattern, | ||||||
cloudtrail_client.trails, | ||||||
|
|
@@ -21,8 +21,8 @@ def execute(self): | |||||
"No CloudWatch log groups found with metric filters or alarms associated." | ||||||
) | ||||||
report.region = cloudwatch_client.region | ||||||
|
||||||
report.resource_id = cloudtrail_client.audited_account | ||||||
report.resource_arn = cloudtrail_client.audited_account_arn | ||||||
report.resource_id = logs_client.audited_account | ||||||
report.resource_arn = f"arn:{logs_client.audited_partition}:logs:{logs_client.region}:{logs_client.audited_account}:log-group" | ||||||
report = check_cloudwatch_log_metric_filter( | ||||||
pattern, | ||||||
cloudtrail_client.trails, | ||||||
|
|
@@ -21,8 +21,8 @@ def execute(self): | |||||
"No CloudWatch log groups found with metric filters or alarms associated." | ||||||
) | ||||||
report.region = cloudwatch_client.region | ||||||
|
||||||
report.resource_id = cloudtrail_client.audited_account | ||||||
report.resource_arn = cloudtrail_client.audited_account_arn | ||||||
report.resource_id = logs_client.audited_account | ||||||
report.resource_arn = f"arn:{logs_client.audited_partition}:logs:{logs_client.region}:{logs_client.audited_account}:log-group" | ||||||
report = check_cloudwatch_log_metric_filter( | ||||||
pattern, | ||||||
cloudtrail_client.trails, | ||||||
|
|
@@ -21,8 +21,8 @@ def execute(self): | |||||
"No CloudWatch log groups found with metric filters or alarms associated." | ||||||
) | ||||||
report.region = cloudwatch_client.region | ||||||
|
||||||
report.resource_id = cloudtrail_client.audited_account | ||||||
report.resource_arn = cloudtrail_client.audited_account_arn | ||||||
report.resource_id = logs_client.audited_account | ||||||
report.resource_arn = f"arn:{logs_client.audited_partition}:logs:{logs_client.region}:{logs_client.audited_account}:log-group" | ||||||
report = check_cloudwatch_log_metric_filter( | ||||||
pattern, | ||||||
cloudtrail_client.trails, | ||||||
|
|
@@ -8,9 +8,7 @@ def execute(self): | |||||
for recorder in config_client.recorders: | ||||||
report = Check_Report_AWS(self.metadata()) | ||||||
report.region = recorder.region | ||||||
|
||||||
report.resource_arn = ( | ||||||
config_client.audited_account_arn | ||||||
) # Config Recorders do not have ARNs | ||||||
report.resource_arn = f"arn:{config_client.audited_partition}:config:{config_client.region}:{config_client.audited_account}:recorder" # Config Recorders do not have ARNs | ||||||
report.resource_id = ( | ||||||
config_client.audited_account if not recorder.name else recorder.name | ||||||
) | ||||||
|
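Review bot: The rebuilt ARN embeds `config_client.region` while the same report sets `report.region = recorder.region` two lines above and the loop walks every recorder, so the ARN's region segment can disagree with the finding's region whenever the client's region and the recorder's region differ. Build it from the recorder instead: `report.resource_arn = f"arn:{config_client.audited_partition}:config:{recorder.region}:{config_client.audited_account}:recorder"`. Since `recorder.name` already feeds `resource_id` when present, appending it to the ARN would also make the synthetic ARN unique per recorder rather than identical for every recorder in a region. Keep the `# Config Recorders do not have ARNs` comment so readers know the value is fabricated. The loop continues outside the hunk.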
|
@@ -16,7 +16,7 @@ def execute(self): | |
report.status_extended = "No EBS Snapshot lifecycle policies found." | ||
report.region = region | ||
Check this region please.
||
report.resource_id = dlm_client.audited_account | ||
report.resource_arn = dlm_client.audited_account_arn | ||
report.resource_arn = f"arn:{dlm_client.audited_partition}:dlm:{dlm_client.region}:{dlm_client.audited_account}:policy" | ||
if dlm_client.lifecycle_policies[region]: | ||
report.status = "PASS" | ||
report.status_extended = "EBS snapshot lifecycle policies found." | ||
|
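Review bot: The new `:policy` ARN is assigned before the status is decided, so the same id-less placeholder is attached both when `dlm_client.lifecycle_policies[region]` is empty (FAIL) and when policies exist (PASS), where it could plausibly carry a real policy id instead. At minimum say so at the assignment, `# Synthetic ARN: region-level placeholder, no policy id even when policies exist`, so an ARN-keyed consumer is not led to treat it as a DLM policy ARN missing its id. The function body continues outside the hunk.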
|
@@ -11,7 +11,7 @@ def execute(self): | |
report.status_extended = "DRS is not enabled for this region." | ||
report.region = drs.region | ||
Check this region please.
||
report.resource_tags = [] | ||
report.resource_arn = drs_client.audited_account_arn | ||
report.resource_arn = f"arn:{drs_client.audited_partition}:drs:{drs_client.region}:{drs_client.audited_account}:recovery-job" | ||
report.resource_id = drs_client.audited_account | ||
if drs.status == "ENABLED": | ||
report.status_extended = "DRS is enabled for this region without jobs." | ||
|
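Review bot: The new `recovery-job` ARN is a fixed per-region placeholder that the report keeps on both outcomes visible here (`DRS is not enabled` and `enabled for this region without jobs`), while `resource_id` is still the account, so a consumer keyed on ARN sees a job-typed ARN for what is an account/region-level status. Document that at the assignment: `# Synthetic ARN: region-level DRS status, no recovery job id exists`. Whether a type that names the setting rather than `recovery-job` reads better is a naming choice to settle consistently across these checks. The loop and its remaining branches continue outside the hunk.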
|
@@ -8,7 +8,7 @@ def execute(self): | |
for ebs_encryption in ec2_client.ebs_encryption_by_default: | ||
report = Check_Report_AWS(self.metadata()) | ||
report.region = ebs_encryption.region | ||
Check this region please.
||
report.resource_arn = ec2_client.audited_account_arn | ||
report.resource_arn = f"arn:{ec2_client.audited_partition}:ec2:{ec2_client.region}:{ec2_client.audited_account}:volume" | ||
report.resource_id = ec2_client.audited_account | ||
if ebs_encryption.status: | ||
report.status = "PASS" | ||
|
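Review bot: The finding is about the region-wide EBS encryption-by-default setting (`ebs_encryption.status`), yet the new ARN types it as `:volume`, so it reads like a volume ARN with its `vol-` id missing, while `resource_id` remains the account. An ARN-based mute or allow rule, or a reader skimming output, can take it for a real volume. Either spell that out in place, `# Synthetic ARN: account/region EBS default-encryption setting, not a volume`, or pick a placeholder type that names the setting. The loop continues outside the hunk.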
|
@@ -9,7 +9,7 @@ def execute(self): | |
report = Check_Report_AWS(self.metadata()) | ||
report.region = region | ||
Check this region please.
||
report.resource_id = emr_client.audited_account | ||
report.resource_arn = emr_client.audited_account_arn | ||
report.resource_arn = f"arn:{emr_client.audited_partition}:elasticmapreduce:{emr_client.region}:{emr_client.audited_account}:cluster" | ||
if emr_client.block_public_access_configuration[ | ||
region | ||
].block_public_security_group_rules: | ||
|
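Review bot: The new ARN types the finding as `elasticmapreduce:...:cluster` although the check reads `emr_client.block_public_access_configuration[region]`, an account/region setting with no cluster behind it, so the value mimics a cluster ARN without an id. Add `# Synthetic ARN: region-level block-public-access setting, not a cluster` so the intent survives, and consider a placeholder type that matches the setting rather than a resource the account may not have. The body continues outside the hunk.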
|
@@ -10,7 +10,7 @@ def execute(self): | |
if encryption.tables or not glue_client.audit_info.ignore_unused_services: | ||
report = Check_Report_AWS(self.metadata()) | ||
report.resource_id = glue_client.audited_account | ||
report.resource_arn = glue_client.audited_account_arn | ||
report.resource_arn = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog" | ||
report.region = encryption.region | ||
Check this region please.
||
report.status = "FAIL" | ||
report.status_extended = ( | ||
|
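Review bot: The Glue Data Catalog has a documented ARN form, `arn:{partition}:glue:{region}:{account}:catalog`, whereas the new line uses `data-catalog`, which is not it; if the intent is to point at the catalog whose encryption setting is being checked, `catalog` yields a resolvable ARN at no extra cost: `report.resource_arn = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:catalog"`. Worth a quick check against the Glue ARN reference before switching, since the other checks in this PR use deliberately synthetic types. The if-block continues outside the hunk.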
|
@@ -10,7 +10,7 @@ def execute(self): | |
if encryption.tables or not glue_client.audit_info.ignore_unused_services: | ||
report = Check_Report_AWS(self.metadata()) | ||
report.resource_id = glue_client.audited_account | ||
report.resource_arn = glue_client.audited_account_arn | ||
report.resource_arn = f"arn:{glue_client.audited_partition}:glue:{glue_client.region}:{glue_client.audited_account}:data-catalog" | ||
report.region = encryption.region | ||
Check this region please.
||
report.status = "FAIL" | ||
report.status_extended = ( | ||
|
Name the result differently than `root`, maybe Service ARN or Resource Type ARN.