From e49896e18529e320a5da7aece48b8a72103fd3d0 Mon Sep 17 00:00:00 2001 
From: Anna Shcherbak Date: Thu, 14 Dec 2023 10:41:45 +0200 Subject: [PATCH] new: added policy ecc-aws-079-iam_policy_changes_alarm_exist --- ...aws-079-iam_policy_changes_alarm_exist.yml | 20 ------- ...aws-079-iam_policy_changes_alarm_exist.yml | 21 +++++++ .../green/sns.tf | 21 +++---- .../iam/079-policy.json | 9 ++- .../red1/sns.tf | 21 +++---- .../cloudtrail.DescribeTrails_1.json | 22 +++++++ .../cloudtrail.GetEventSelectors_1.json | 15 +++++ .../cloudtrail.GetTrailStatus_1.json | 43 ++++++++++++++ .../iam.ListAccountAliases_1.json | 10 ++++ .../logs.DescribeMetricFilters_1.json | 22 +++++++ .../monitoring.DescribeAlarmsForMetric_1.json | 59 +++++++++++++++++++ .../sns.GetTopicAttributes_1.json | 21 +++++++ .../cloudtrail.DescribeTrails_1.json | 22 +++++++ .../cloudtrail.GetEventSelectors_1.json | 15 +++++ .../cloudtrail.GetTrailStatus_1.json | 33 +++++++++++ .../placebo-red/iam.ListAccountAliases_1.json | 10 ++++ .../logs.DescribeMetricFilters_1.json | 7 +++ .../red_policy_test.py | 21 +++++++ 18 files changed, 341 insertions(+), 51 deletions(-) delete mode 100644 non-compatible-policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml create mode 100644 policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml create mode 100644 tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/cloudtrail.DescribeTrails_1.json create mode 100644 tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/cloudtrail.GetEventSelectors_1.json create mode 100644 tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/cloudtrail.GetTrailStatus_1.json create mode 100644 tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/iam.ListAccountAliases_1.json create mode 100644 tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/logs.DescribeMetricFilters_1.json create mode 100644 tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/monitoring.DescribeAlarmsForMetric_1.json create mode 100644 
tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/sns.GetTopicAttributes_1.json create mode 100644 tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/cloudtrail.DescribeTrails_1.json create mode 100644 tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/cloudtrail.GetEventSelectors_1.json create mode 100644 tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/cloudtrail.GetTrailStatus_1.json create mode 100644 tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/iam.ListAccountAliases_1.json create mode 100644 tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/logs.DescribeMetricFilters_1.json create mode 100644 tests/ecc-aws-079-iam_policy_changes_alarm_exist/red_policy_test.py diff --git a/non-compatible-policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml b/non-compatible-policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml deleted file mode 100644 index 431104bb4..000000000 --- a/non-compatible-policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-079-iam_policy_changes_alarm_exist - comment: '010016012500' - description: | - Log metric filter and alarm do not exist for IAM policy changes - resource: aws.account - filters: - - type: cloudtrails - valueList: trailList[?IsMultiRegionTrail == `true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] - configurationChangesAlarmList: "(\\()? ?\\$\\.eventName=DeleteGroupPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DeleteRolePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DeleteUserPolicy(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=PutGroupPolicy(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=PutRolePolicy(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=PutUserPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=CreatePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DeletePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=CreatePolicyVersion ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DeletePolicyVersion(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=AttachRolePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DetachRolePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=AttachUserPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DetachUserPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=AttachGroupPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DetachGroupPolicy ?(\\))?" - op: eq - value: 0 
diff --git a/policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml b/policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml
new file mode 100644
index 000000000..dde182f56
--- /dev/null
+++ b/policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml
@@ -0,0 +1,21 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-079-iam_policy_changes_alarm_exist
+ comment: '010016012500'
+ description: |
+ Log metric filter and alarm do not exist for IAM policy changes
+ resource: aws.account
+ filters:
+ - type: check-cloudtrail
+ multi-region: true
+ running: true
+ include-management-events: true
+ log-metric-filter-pattern:
+ type: value
+ op: regex
+ value: '{ ?\(? ?\$\.eventName ?= ?\"?DeleteGroupPolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?DeleteRolePolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?DeleteUserPolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?PutGroupPolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?PutRolePolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?PutUserPolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?CreatePolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?DeletePolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?CreatePolicyVersion\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?DeletePolicyVersion\"?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?AttachRolePolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?DetachRolePolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?AttachUserPolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?DetachUserPolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?AttachGroupPolicy\"? ?\)? ?\|\| ?\(? ?\$\.eventName ?= ?\"?DetachGroupPolicy\"? ?\)? ?}'
\ No newline at end of file
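Review bot: The `log-metric-filter-pattern` regex on the last line of the hunk accepts the sixteen `eventName` terms only in this fixed order and with nothing else between the opening `{` and the closing `}`, so a metric filter that covers the same IAM events in a different order, or that adds further terms, does not match and the account is reported as if no filter existed. That is a false positive from the defender's point of view, and nothing in the policy tells the next maintainer the ordering is deliberate; a comment above `value:` such as `# eventName terms must appear in this exact order; extra terms make the pattern fail to match` would at least make the contract explicit, and a pattern built from lookaheads per term would remove the ordering dependency if the filter implementation allows it. The file also ends without a trailing newline.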
diff --git a/terraform/ecc-aws-079-iam_policy_changes_alarm_exist/green/sns.tf b/terraform/ecc-aws-079-iam_policy_changes_alarm_exist/green/sns.tf
index 4c443ef11..50671306a 100644
--- a/terraform/ecc-aws-079-iam_policy_changes_alarm_exist/green/sns.tf
+++ b/terraform/ecc-aws-079-iam_policy_changes_alarm_exist/green/sns.tf
@@ -2,17 +2,12 @@ resource "aws_sns_topic" "this" {
 name = "079-sns-green"
 }
 
-resource "null_resource" "this" {
- provisioner "local-exec" {
- command = join(" ", [
- "aws sns subscribe",
- "--topic-arn ${aws_sns_topic.this.arn}",
- "--protocol email",
- "--notification-endpoint ${var.test-email}",
- "--profile ${var.profile}",
- "--region ${var.default-region}"
-
- ]
- )
- }
+resource "aws_sqs_queue" "this" {
+ name = "079-sqs-green"
+}
+
+resource "aws_sns_topic_subscription" "this" {
+ topic_arn = aws_sns_topic.this.arn
+ protocol = "sqs"
+ endpoint = aws_sqs_queue.this.arn
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-079-iam_policy_changes_alarm_exist/iam/079-policy.json b/terraform/ecc-aws-079-iam_policy_changes_alarm_exist/iam/079-policy.json
index d4871ce9e..2d2dfde31 100644
--- a/terraform/ecc-aws-079-iam_policy_changes_alarm_exist/iam/079-policy.json
+++ b/terraform/ecc-aws-079-iam_policy_changes_alarm_exist/iam/079-policy.json
@@ -4,17 +4,16 @@
 {
 "Effect": "Allow",
 "Action": [
+ "iam:ListAccountAliases",
 "cloudtrail:DescribeTrails",
 "cloudtrail:GetTrailStatus",
 "cloudtrail:GetEventSelectors",
- "sns:GetTopicAttributes",
- "sns:ListTopics",
 "cloudwatch:DescribeAlarms",
 "logs:DescribeMetricFilters",
- "logs:DescribeLogGroups",
- "iam:ListAccountAliases"
+ "cloudwatch:DescribeAlarmsForMetric",
+ "sns:GetTopicAttributes"
 ],
 "Resource": "*"
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-079-iam_policy_changes_alarm_exist/red1/sns.tf b/terraform/ecc-aws-079-iam_policy_changes_alarm_exist/red1/sns.tf
index 7617f5a87..7c125b79f 100644
--- a/terraform/ecc-aws-079-iam_policy_changes_alarm_exist/red1/sns.tf
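Review bot: The new `aws_sqs_queue` in green/sns.tf has no `aws_sqs_queue_policy` granting `sns.amazonaws.com` `sqs:SendMessage`, so the `aws_sns_topic_subscription` is created (and counted as confirmed) but every alarm notification the topic publishes is rejected at the queue; the green fixture therefore models a subscribed topic, not a working alert path. The red1/sns.tf hunk that follows has the same gap. The removed `null_resource` was also the only user of `var.test-email`, `var.profile` and `var.default-region` in this file, so those variables may now be unused wherever they are declared (outside this diff). A queue policy scoped to the topic ARN closes the delivery gap:

```hcl
resource "aws_sqs_queue" "this" {
  name = "079-sqs-green"
}

# … unchanged: aws_sns_topic_subscription.this …

resource "aws_sqs_queue_policy" "this" {
  queue_url = aws_sqs_queue.this.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "sns.amazonaws.com" }
      Action    = "sqs:SendMessage"
      Resource  = aws_sqs_queue.this.arn
      Condition = { ArnEquals = { "aws:SourceArn" = aws_sns_topic.this.arn } }
    }]
  })
}
```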
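Review bot: `cloudwatch:DescribeAlarms` stays in the Action list of 079-policy.json although the recorded placebo calls for this policy only use `DescribeAlarmsForMetric`; if the `check-cloudtrail` filter no longer calls DescribeAlarms, that permission should be dropped the way `sns:ListTopics` and `logs:DescribeLogGroups` were, so the test role is limited to the calls it actually makes. Whether DescribeAlarms is still needed cannot be confirmed from the diff, since the filter implementation is not part of it. The `-}`/`+}` pair at the end only removes the file's trailing newline, which is a formatting regression rather than an intended change.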
+++ b/terraform/ecc-aws-079-iam_policy_changes_alarm_exist/red1/sns.tf
@@ -2,17 +2,12 @@ resource "aws_sns_topic" "this" {
 name = "079-sns-red1"
 }
 
-resource "null_resource" "this" {
- provisioner "local-exec" {
- command = join(" ", [
- "aws sns subscribe",
- "--topic-arn ${aws_sns_topic.this.arn}",
- "--protocol email",
- "--notification-endpoint ${var.test-email}",
- "--profile ${var.profile}",
- "--region ${var.default-region}"
-
- ]
- )
- }
+resource "aws_sqs_queue" "this" {
+ name = "079-sqs-red"
+}
+
+resource "aws_sns_topic_subscription" "this" {
+ topic_arn = aws_sns_topic.this.arn
+ protocol = "sqs"
+ endpoint = aws_sqs_queue.this.arn
 }
\ No newline at end of file
diff --git a/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/cloudtrail.DescribeTrails_1.json b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/cloudtrail.DescribeTrails_1.json
new file mode 100644
index 000000000..c71099f06
--- /dev/null
+++ b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/cloudtrail.DescribeTrails_1.json
@@ -0,0 +1,22 @@
+{
+ "status_code": 200,
+ "data": {
+ "trailList": [
+ {
+ "Name": "c7n-079-cloudtrail-green",
+ "S3BucketName": "c7n-079-bucket-green",
+ "IncludeGlobalServiceEvents": true,
+ "IsMultiRegionTrail": true,
+ "HomeRegion": "us-east-1",
+ "TrailARN": "arn:aws:cloudtrail:us-east-1:644160558196:trail/c7n-079-cloudtrail-green",
+ "LogFileValidationEnabled": false,
+ "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:644160558196:log-group:079_log_group_green:*",
+ "CloudWatchLogsRoleArn": "arn:aws:iam::644160558196:role/079_role_green",
+ "HasCustomEventSelectors": false,
+ "HasInsightSelectors": false,
+ "IsOrganizationTrail": false
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/cloudtrail.GetEventSelectors_1.json b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/cloudtrail.GetEventSelectors_1.json new file mode 100644 index 000000000..c24f7e2e0 --- /dev/null +++ b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/cloudtrail.GetEventSelectors_1.json @@ -0,0 +1,15 @@ +{ + "status_code": 200, + "data": { + "TrailARN": "arn:aws:cloudtrail:us-east-1:644160558196:trail/c7n-079-cloudtrail-green", + "EventSelectors": [ + { + "ReadWriteType": "All", + "IncludeManagementEvents": true, + "DataResources": [], + "ExcludeManagementEventSources": [] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/cloudtrail.GetTrailStatus_1.json b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/cloudtrail.GetTrailStatus_1.json new file mode 100644 index 000000000..94513f44a --- /dev/null +++ b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/cloudtrail.GetTrailStatus_1.json 
@@ -0,0 +1,43 @@ +{ + "status_code": 200, + "data": { + "IsLogging": true, + "LatestDeliveryTime": { + "__class__": "datetime", + "year": 2023, + "month": 12, + "day": 14, + "hour": 10, + "minute": 16, + "second": 9, + "microsecond": 691000 + }, + "StartLoggingTime": { + "__class__": "datetime", + "year": 2023, + "month": 12, + "day": 14, + "hour": 9, + "minute": 59, + "second": 49, + "microsecond": 896000 + }, + "LatestCloudWatchLogsDeliveryTime": { + "__class__": "datetime", + "year": 2023, + "month": 12, + "day": 14, + "hour": 10, + "minute": 16, + "second": 49, + "microsecond": 920000 + }, + "LatestDeliveryAttemptTime": "2023-12-14T08:16:09Z", + "LatestNotificationAttemptTime": "", + "LatestNotificationAttemptSucceeded": "", + "LatestDeliveryAttemptSucceeded": "2023-12-14T08:16:09Z", + "TimeLoggingStarted": "2023-12-14T07:59:49Z", + "TimeLoggingStopped": "", + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/iam.ListAccountAliases_1.json b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/iam.ListAccountAliases_1.json new file mode 100644 index 000000000..3b408e3eb --- /dev/null +++ b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/iam.ListAccountAliases_1.json @@ -0,0 +1,10 @@ +{ + "status_code": 200, + "data": { + "AccountAliases": [ + "test" + ], + "IsTruncated": false, + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/logs.DescribeMetricFilters_1.json b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/logs.DescribeMetricFilters_1.json new file mode 100644 index 000000000..1c7d60f36 --- /dev/null +++ b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/logs.DescribeMetricFilters_1.json 
@@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "metricFilters": [ + { + "filterName": "079_Iam_Policy_Changes_green", + "filterPattern": "{($.eventName=DeleteGroupPolicy) || ($.eventName=DeleteRolePolicy) || ($.eventName=DeleteUserPolicy) || ($.eventName=PutGroupPolicy) || ($.eventName=PutRolePolicy) || ($.eventName=PutUserPolicy) || ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=CreatePolicyVersion) || ($.eventName=DeletePolicyVersion) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || ($.eventName=AttachUserPolicy) || ($.eventName=DetachUserPolicy) || ($.eventName=AttachGroupPolicy) || ($.eventName=DetachGroupPolicy)}", + "metricTransformations": [ + { + "metricName": "079_Iam_Policy_Changes_green", + "metricNamespace": "IAM_Policy_Changes", + "metricValue": "1", + "unit": "None" + } + ], + "creationTime": 1702540781872, + "logGroupName": "079_log_group_green" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/monitoring.DescribeAlarmsForMetric_1.json b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/monitoring.DescribeAlarmsForMetric_1.json new file mode 100644 index 000000000..54b452f8a --- /dev/null +++ b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/monitoring.DescribeAlarmsForMetric_1.json 
@@ -0,0 +1,59 @@ +{ + "status_code": 200, + "data": { + "MetricAlarms": [ + { + "AlarmName": "079_Iam_Policy_Changes_green", + "AlarmArn": "arn:aws:cloudwatch:us-east-1:644160558196:alarm:079_Iam_Policy_Changes_green", + "AlarmConfigurationUpdatedTimestamp": { + "__class__": "datetime", + "year": 2023, + "month": 12, + "day": 14, + "hour": 7, + "minute": 59, + "second": 43, + "microsecond": 287000 + }, + "ActionsEnabled": true, + "OKActions": [], + "AlarmActions": [ + "arn:aws:sns:us-east-1:644160558196:079-sns-green" + ], + "InsufficientDataActions": [], + "StateValue": "INSUFFICIENT_DATA", + "StateReason": "Unchecked: Initial alarm creation", + "StateUpdatedTimestamp": { + "__class__": "datetime", + "year": 2023, + "month": 12, + "day": 14, + "hour": 7, + "minute": 59, + "second": 43, + "microsecond": 287000 + }, + "MetricName": "079_Iam_Policy_Changes_green", + "Namespace": "IAM_Policy_Changes", + "Statistic": "Sum", + "Dimensions": [], + "Period": 300, + "EvaluationPeriods": 1, + "Threshold": 1.0, + "ComparisonOperator": "GreaterThanOrEqualToThreshold", + "TreatMissingData": "missing", + "StateTransitionedTimestamp": { + "__class__": "datetime", + "year": 2023, + "month": 12, + "day": 14, + "hour": 7, + "minute": 59, + "second": 43, + "microsecond": 287000 + } + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/sns.GetTopicAttributes_1.json b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/sns.GetTopicAttributes_1.json new file mode 100644 index 000000000..eb24dc461 --- /dev/null +++ b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-green/sns.GetTopicAttributes_1.json 
@@ -0,0 +1,21 @@ +{ + "status_code": 200, + "data": { + "Attributes": { + "Policy": "{\"Version\":\"2008-10-17\",\"Id\":\"__default_policy_ID\",\"Statement\":[{\"Sid\":\"__default_statement_ID\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":[\"SNS:GetTopicAttributes\",\"SNS:SetTopicAttributes\",\"SNS:AddPermission\",\"SNS:RemovePermission\",\"SNS:DeleteTopic\",\"SNS:Subscribe\",\"SNS:ListSubscriptionsByTopic\",\"SNS:Publish\"],\"Resource\":\"arn:aws:sns:us-east-1:644160558196:079-sns-green\",\"Condition\":{\"StringEquals\":{\"AWS:SourceOwner\":\"644160558196\"}}}]}", + "LambdaSuccessFeedbackSampleRate": "0", + "Owner": "644160558196", + "SubscriptionsPending": "0", + "TopicArn": "arn:aws:sns:us-east-1:644160558196:079-sns-green", + "EffectiveDeliveryPolicy": "{\"http\":{\"defaultHealthyRetryPolicy\":{\"minDelayTarget\":20,\"maxDelayTarget\":20,\"numRetries\":3,\"numMaxDelayRetries\":0,\"numNoDelayRetries\":0,\"numMinDelayRetries\":0,\"backoffFunction\":\"linear\"},\"disableSubscriptionOverrides\":false,\"defaultRequestPolicy\":{\"headerContentType\":\"text/plain; charset=UTF-8\"}}}", + "FirehoseSuccessFeedbackSampleRate": "0", + "SubscriptionsConfirmed": "1", + "SQSSuccessFeedbackSampleRate": "0", + "HTTPSuccessFeedbackSampleRate": "0", + "ApplicationSuccessFeedbackSampleRate": "0", + "DisplayName": "", + "SubscriptionsDeleted": "0" + }, + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/cloudtrail.DescribeTrails_1.json b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/cloudtrail.DescribeTrails_1.json new file mode 100644 index 000000000..15a68315d --- /dev/null +++ b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/cloudtrail.DescribeTrails_1.json 
@@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "trailList": [ + { + "Name": "c7n-079-cloudtrail-red", + "S3BucketName": "c7n-079-bucket-red", + "IncludeGlobalServiceEvents": true, + "IsMultiRegionTrail": false, + "HomeRegion": "us-east-1", + "TrailARN": "arn:aws:cloudtrail:us-east-1:644160558196:trail/c7n-079-cloudtrail-red", + "LogFileValidationEnabled": false, + "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:644160558196:log-group:079_log_group_red:*", + "CloudWatchLogsRoleArn": "arn:aws:iam::644160558196:role/079_role_red", + "HasCustomEventSelectors": false, + "HasInsightSelectors": false, + "IsOrganizationTrail": false + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/cloudtrail.GetEventSelectors_1.json b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/cloudtrail.GetEventSelectors_1.json new file mode 100644 index 000000000..cce46dce4 --- /dev/null +++ b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/cloudtrail.GetEventSelectors_1.json @@ -0,0 +1,15 @@ +{ + "status_code": 200, + "data": { + "TrailARN": "arn:aws:cloudtrail:us-east-1:644160558196:trail/c7n-079-cloudtrail-red", + "EventSelectors": [ + { + "ReadWriteType": "All", + "IncludeManagementEvents": true, + "DataResources": [], + "ExcludeManagementEventSources": [] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/cloudtrail.GetTrailStatus_1.json b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/cloudtrail.GetTrailStatus_1.json new file mode 100644 index 000000000..1caa89473 --- /dev/null +++ b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/cloudtrail.GetTrailStatus_1.json 
@@ -0,0 +1,33 @@ +{ + "status_code": 200, + "data": { + "IsLogging": true, + "StartLoggingTime": { + "__class__": "datetime", + "year": 2023, + "month": 12, + "day": 14, + "hour": 10, + "minute": 27, + "second": 28, + "microsecond": 191000 + }, + "LatestCloudWatchLogsDeliveryTime": { + "__class__": "datetime", + "year": 2023, + "month": 12, + "day": 14, + "hour": 10, + "minute": 29, + "second": 0, + "microsecond": 661000 + }, + "LatestDeliveryAttemptTime": "", + "LatestNotificationAttemptTime": "", + "LatestNotificationAttemptSucceeded": "", + "LatestDeliveryAttemptSucceeded": "", + "TimeLoggingStarted": "2023-12-14T08:27:28Z", + "TimeLoggingStopped": "", + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/iam.ListAccountAliases_1.json b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/iam.ListAccountAliases_1.json new file mode 100644 index 000000000..3b408e3eb --- /dev/null +++ b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/iam.ListAccountAliases_1.json @@ -0,0 +1,10 @@ +{ + "status_code": 200, + "data": { + "AccountAliases": [ + "test" + ], + "IsTruncated": false, + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/logs.DescribeMetricFilters_1.json b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/logs.DescribeMetricFilters_1.json new file mode 100644 index 000000000..e9471b9bb --- /dev/null +++ b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/placebo-red/logs.DescribeMetricFilters_1.json @@ -0,0 +1,7 @@ +{ + "status_code": 200, + "data": { + "metricFilters": [], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-079-iam_policy_changes_alarm_exist/red_policy_test.py b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/red_policy_test.py new file mode 100644 index 000000000..71b6a5306 --- /dev/null 
+++ b/tests/ecc-aws-079-iam_policy_changes_alarm_exist/red_policy_test.py
@@ -0,0 +1,21 @@
+class PolicyTest(object):
+
+ def test_resources_with_client(self, base_test, resources, local_session):
+ base_test.assertEqual(len(resources), 1)
+
+ trail_client = local_session.client("cloudtrail")
+ trail_name = "c7n-079-cloudtrail-red"
+ describe_trails = trail_client.describe_trails(trailNameList=[trail_name])
+ base_test.assertFalse(describe_trails["trailList"][0]["IsMultiRegionTrail"])
+ base_test.assertTrue(describe_trails["trailList"][0]["IncludeGlobalServiceEvents"])
+
+ trail_status = trail_client.get_trail_status(Name=trail_name)
+ base_test.assertTrue(trail_status["IsLogging"])
+
+ event_selectors = trail_client.get_event_selectors(TrailName=trail_name)
+ base_test.assertEqual(event_selectors["EventSelectors"][0]["ReadWriteType"], "All")
+ base_test.assertTrue(event_selectors["EventSelectors"][0]["IncludeManagementEvents"])
+
+ logs_client = local_session.client("logs")
+ logs_metrics = logs_client.describe_metric_filters(logGroupName="079_log_group_red")
+ base_test.assertEqual(logs_metrics["metricFilters"], [])
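Review bot: The red fixture violates two of the policy's conditions at once — the test itself asserts `IsMultiRegionTrail` is false and `metricFilters` is empty — so `base_test.assertEqual(len(resources), 1)` passes even if only one of `multi-region` or `log-metric-filter-pattern` is actually evaluated, and a regression in the other condition would go unnoticed. A second red case whose trail is multi-region and logging but whose log group has no filter matching the pattern would pin the regex condition on its own; the diffstat shows no green test file, so unless a shared green test lives outside this diff the compliant fixture is not exercised either. The method has no docstring; `"""Red case: single-region trail and no metric filter in 079_log_group_red."""` would state what the fixture is meant to prove. On Python 3 `class PolicyTest(object):` can simply be `class PolicyTest:`.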