Updates needed to fully support the CIS AWS Foundations Benchmark v2.0.0 #981
Draft
aaronlippold wants to merge 93 commits into inspec:main from mitre:al_resource_updates
Conversation
Signed-off-by: Aaron Lippold <lippold@gmail.com>
aaronlippold changed the title from "Recreating #977 on a fresh pull from main" to "Recreating #971 on a fresh pull from main" on Nov 14, 2023
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* Fixed error collection in constructor to not incorrectly fail
* Updated warning message to not add extra '.' in outputs
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
- added documentation for all four resources
- added an alias for `configured?` to point to `exist?`
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
aaronlippold changed the title from "Recreating #971 on a fresh pull from main" to "Updates to the resource pack to add aws-account resources, updates to aws-iam-access-key" on Nov 18, 2023
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* added the aws-alternate-contact resource
* updated and standardized coding for security, billing and operations resources
* added documentation for the aws-alternate-contact resource
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Need to add region as an optional param to the constructor
Signed-off-by: Aaron Lippold <lippold@gmail.com>
- added aws_iam_access_analyzers plural resource
- updated aws_regions and aws_region to expose opt_in data
- update aws_regions(s) docs
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
- removed unneeded aws_region update of client args
- made feedback on allowed account types more direct
- failed fast on param errors
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: wdower <will@dower.dev>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: wdower <will@dower.dev>
Signed-off-by: wdower <will@dower.dev>
Signed-off-by: wdower <will@dower.dev>
Signed-off-by: wdower <will@dower.dev>
…y easier test writing Signed-off-by: wdower <will@dower.dev>
Signed-off-by: wdower <will@dower.dev>
Signed-off-by: wdower <will@dower.dev>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Will Dower <wdow95@hotmail.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
… updated monitored? method to work better with lists of buckets Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
…vent selectors Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
…ically does it for us anyway
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: wdower <will@dower.dev>
This needs to be cleaned up and documented so we can make a PR to chef to get it off our plate
Description

General updates, fixes and new resources to the resource pack to support the cis-aws-foundations-v2 benchmark.

- Add a resource for the aws-iam-credential-report endpoint
- Add resources for the aws-accounts-endpoint (primary, billing, security and operations)
- Add Resource For AWS Macie2 (Related Updated Deps for All Gems train-aws#519)
- Updates to `aws_s3_bucket` `prevent_public_access_by_account?` using current aws-sdk-s3control v 1.77 working gem (Related Updated Deps for All Gems train-aws#519)
- `prevent_public_access` as `preventing_public_access_via_bucket` for readability.
- `prevent_public_access_by_account` as `preventing_public_access_by_account` for readability.
- `catch_aws_errors` to API call given we are handling the exceptions in the matcher.
- Correct errors in the iam_policy documentation
- Fix docs/example for IAM Users (it's currently the one from IAM User)
- Fix the resource_id and to_s functions for cloud watch log metric filter so that it handles the case when there are no metric filters
- Fix iam_access_keys
Current Resource Pack Errors

Likely mishandled exceptions missing from `aws_backend` and/or `catch_aws_errors`:

```
[2023-11-14T11:23:01-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_users. Error message: Login Profile for User emailoctopus cannot be found.. You should address this error to ensure your controls are behaving as expected.
[2023-11-14T11:23:02-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_users. Error message: Login Profile for User inspec_aws cannot be found.. You should address this error to ensure your controls are behaving as expected.
[2023-11-14T11:23:02-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_users. Error message: Login Profile for User ses-smtp-user.20191012-150745 cannot be found.. You should address this error to ensure your controls are behaving as expected.
[2023-11-14T11:23:29-05:00] WARN: AWS IAM Credential Report still being generated - attempt 1/5.
[2023-11-14T11:25:12-05:00] WARN: No contact of the inputted alternate contact type found.
[2023-11-14T11:25:12-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_password_policy. Error message: The Password Policy with domain name 916481805664 cannot be found.. You should address this error to ensure your controls are behaving as expected.
[2023-11-14T11:25:12-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_password_policy. Error message: The Password Policy with domain name 916481805664 cannot be found.. You should address this error to ensure your controls are behaving as expected.
```
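The "Login Profile for User ... cannot be found" warnings above are a symptom of the exception-handling gap the description points at: an IAM user with no console login profile is a normal, usually compliant, state (no console password), but a blanket rescue turns it into a service warning and a `nil` result, so a benchmark control never gets a definite answer. The following is an added example written for this page, not code from the inspec-aws resource pack or from this PR; it uses a constructed stand-in for `Aws::IAM::Client` and for `Aws::IAM::Errors::NoSuchEntity` so it runs offline, and the user names are constructed sample data.

```ruby
# Added example (not inspec-aws project code). Shows the difference between a
# generic rescue that surfaces "not found" as a WARN with a nil result, and a
# handler that treats NoSuchEntity as a definite "no console password".
#
# FakeIAM is a constructed stand-in for aws-sdk-iam so the file runs offline.
# The real SDK raises Aws::IAM::Errors::NoSuchEntity from
# Aws::IAM::Client#get_login_profile(user_name:) when the user has no profile.
module FakeIAM
  # Stand-in for Aws::IAM::Errors::NoSuchEntity (constructed).
  class NoSuchEntity < StandardError; end
  # Stand-in for any other service-side failure (constructed).
  class ServiceError < StandardError; end

  class Client
    # users_with_profile: names that have a console login profile
    # broken: names for which the API call fails for an unrelated reason
    def initialize(users_with_profile, broken: [])
      @with_profile = users_with_profile
      @broken = broken
    end

    def get_login_profile(user_name:)
      raise ServiceError, "Rate exceeded" if @broken.include?(user_name)
      unless @with_profile.include?(user_name)
        raise NoSuchEntity, "Login Profile for User #{user_name} cannot be found."
      end
      { login_profile: { user_name: user_name } }
    end
  end
end

# Minimal resource-style wrapper, modelled loosely on how an InSpec resource
# wraps one API call; it is illustrative, not the resource pack's own class.
class IamUserConsoleAccess
  attr_reader :warnings

  def initialize(client, user_name)
    @client = client
    @user_name = user_name
    @warnings = []
  end

  # Before: every exception becomes a WARN and a nil answer, so "no login
  # profile" is indistinguishable from an outage or a permissions problem.
  def has_console_password_naive?
    @client.get_login_profile(user_name: @user_name)
    true
  rescue StandardError => e
    @warnings << "AWS Service Error encountered running a control with " \
                 "Resource aws_iam_users. Error message: #{e.message}"
    nil
  end

  # After: NoSuchEntity is an expected answer (no console password) and maps
  # to false; anything else is still an error and is still recorded as a WARN.
  def has_console_password?
    @client.get_login_profile(user_name: @user_name)
    true
  rescue FakeIAM::NoSuchEntity
    false
  rescue StandardError => e
    @warnings << "AWS Service Error encountered running a control with " \
                 "Resource aws_iam_users. Error message: #{e.message}"
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample users: alice has a profile, bob does not, carol errors.
  client = FakeIAM::Client.new(['alice'], broken: ['carol'])
  %w[alice bob carol].each do |name|
    r = IamUserConsoleAccess.new(client, name)
    puts "#{name}: naive=#{r.has_console_password_naive?.inspect} " \
         "fixed=#{r.has_console_password?.inspect} warnings=#{r.warnings.size}"
  end
end
```

The point of separating the two rescues is that a CIS control such as "ensure console users have MFA" or "ensure no users have a console password" needs `false` for a user without a login profile, not `nil` plus a warning; only the genuinely unexpected failures should reach the generic `catch_aws_errors`-style path.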