feat(compliance): new aws list-accounts command

This new command will list all AWS accounts configured in the user's Lacework account. If there are no AWS accounts configured, the following message will be displayed: ``` $ lacework compliance aws list There are no AWS accounts configured in your account. Get started by integrating your AWS accounts to analyze configuration compliance using the command: $ lacework integration create Or, if you prefer to do it via the WebUI, log in to your account at: https://my-account.lacework.net Then navigate to Settings > Integrations > Cloud Accounts. ``` Signed-off-by: Salim Afiune Maya <[email protected]>
lacework · Dec 1, 2020 · 705f2eb · 705f2eb
1 parent 52d23b3
commit 705f2eb
Show file tree

Hide file tree

Showing 4 changed files with 96 additions and 34 deletions.
diff --git a/api/integrations_aws.go b/api/integrations_aws.go
@@ -174,6 +174,9 @@ type AwsIntegrationData struct {
 	//
 	// [ENCODING] is the the base64 encode, use EncodeAccountMappingFile() to encode a JSON mapping file
 	AccountMappingFile string `json:"ACCOUNT_MAPPING_FILE,omitempty" mapstructure:"ACCOUNT_MAPPING_FILE"`
+
+	// AwsAccountID is the AWS account that owns the IAM role credentials
+	AwsAccountID string `json:"AWS_ACCOUNT_ID,omitempty" mapstructure:"AWS_ACCOUNT_ID"`
 }
 
 func (aws *AwsIntegrationData) EncodeAccountMappingFile(mapping string) {

diff --git a/cli/cmd/compliance.go b/cli/cmd/compliance.go
@@ -51,10 +51,13 @@ var (
 		Use:     "compliance",
 		Aliases: []string{"comp"},
 		Short:   "manage compliance reports",
-		Long: `Manage compliance reports for GCP, Azure, or AWS cloud providers.
+		Long: `Manage compliance reports for Google, Azure, or AWS cloud providers.
 
-To start sending data about your environment to Lacework for compliance reporting
-analysis, configure one or more cloud integration using the following command:
+Lacework cloud security platform provides continuous Compliance monitoring against
+cloud security best practices and compliance standards as CIS, PCI DSS, SoC II and
+HIPAA benchmark standards.
+
+Get started by integrating one or more cloud accounts using the command:
 
     $ lacework integration create
 
@@ -74,8 +77,8 @@ Use the following command to list all available integrations in your account:
 	complianceAzureCmd = &cobra.Command{
 		Use:     "azure",
 		Aliases: []string{"az"},
-		Short:   "compliance for Microsoft Azure",
-		Long: `Manage compliance reports for Microsoft Azure.
+		Short:   "compliance for Azure Cloud",
+		Long: `Manage compliance reports for Azure Cloud.
 
 To get the latest Azure compliance assessment report, use the command:
 
@@ -105,8 +108,9 @@ To run an ad-hoc compliance assessment use the command:
 
 	// complianceGcpCmd represents the gcp sub-command inside the compliance command
 	complianceGcpCmd = &cobra.Command{
-		Use:   "gcp",
-		Short: "compliance for Google Cloud",
+		Use:     "google",
+		Aliases: []string{"gcp"},
+		Short:   "compliance for Google Cloud",
 		Long: `Manage compliance reports for Google Cloud.
 
 To get the latest GCP compliance assessment report, use the command:
@@ -139,25 +143,19 @@ To run an ad-hoc compliance assessment use the command:
 	complianceAwsCmd = &cobra.Command{
 		Use:   "aws",
 		Short: "compliance for AWS",
-		Long: `Manage compliance reports for Amazon Web Services.
-
-To get the latest AWS compliance assessment report, use the command:
-
-    $ lacework compliance aws get-report <account_id>
+		Long: `Manage compliance reports for Amazon Web Services (AWS).
 
-These reports run on a regular schedule, typically once a day.
+To list all AWS accounts configured in your account:
 
-To find out which AWS accounts are connected to you Lacework account,
-use the following command:
+    $ lacework compliance aws list-accounts
 
-    $ lacework integrations list --type AWS_CFG
+To get the latest AWS compliance assessment report:
 
-Then, choose one integration, copy the GUID and visualize its details
-using the command:
+    $ lacework compliance aws get-report <account_id>
 
-    $ lacework integration show <int_guid>
+These reports run on a regular schedule, typically once a day.
 
-To run an ad-hoc compliance assessment use the command:
+To run an ad-hoc compliance assessment:
 
     $ lacework compliance aws run-assessment <account_id>
 `,

diff --git a/cli/cmd/compliance_aws.go b/cli/cmd/compliance_aws.go
@@ -31,6 +31,49 @@ import (
 )
 
 var (
+	// complianceAwsListAccountsCmd represents the list-accounts inside the aws command
+	complianceAwsListAccountsCmd = &cobra.Command{
+		Use:     "list-accounts",
+		Aliases: []string{"list"},
+		Short:   "list all AWS accounts configured",
+		Long:    `List all AWS accounts configured in your account.`,
+		Args:    cobra.NoArgs,
+		RunE: func(_ *cobra.Command, _ []string) error {
+			awsIntegrations, err := cli.LwApi.Integrations.ListAwsCfg()
+			if err != nil {
+				return errors.Wrap(err, "unable to get aws compliance integrations")
+			}
+			if len(awsIntegrations.Data) == 0 {
+				msg := `There are no AWS accounts configured in your account.
+
+Get started by integrating your AWS accounts to analyze configuration compliance using the command:
+
+    $ lacework integration create
+
+Or, if you prefer to do it via the WebUI, log in to your account at:
+
+    https://%s.lacework.net
+
+Then navigate to Settings > Integrations > Cloud Accounts.
+`
+				cli.OutputHuman(fmt.Sprintf(msg, cli.Account))
+				return nil
+			}
+
+			awsAccounts := make([]string, 0)
+			for _, i := range awsIntegrations.Data {
+				awsAccounts = append(awsAccounts, i.Data.AwsAccountID)
+			}
+
+			if cli.JSONOutput() {
+				return cli.OutputJSON(awsAccounts)
+			}
+
+			cli.OutputHuman(buildAwsComplianceAccountsTable(awsAccounts))
+			return nil
+		},
+	}
+
 	// complianceAwsGetReportCmd represents the get-report sub-command inside the aws command
 	complianceAwsGetReportCmd = &cobra.Command{
 		Use:     "get-report <account_id>",
@@ -47,18 +90,15 @@ var (
 			}
 		},
 		Short: "get the latest AWS compliance report",
-		Long: `Get the latest AWS compliance assessment report, these reports run on a regular schedule,
-typically once a day. The available report formats are human-readable (default), json and pdf.
-
-To find out which AWS accounts are connected to you Lacework account, use the following command:
+		Long: `Get the latest compliance assessment report from the provided AWS account, these
+reports run on a regular schedule, typically once a day. The available report formats
+are human-readable (default), json and pdf.
 
-    $ lacework integrations list --type AWS_CFG
+To list all AWS accounts configured in your account:
 
-Then, choose one integration, copy the GUID and visualize its details using the command:
+    $ lacework compliance aws list-accounts
 
-    $ lacework integration show <int_guid>
-
-To run an ad-hoc compliance assessment use the command:
+To run an ad-hoc compliance assessment of an AWS account:
 
     $ lacework compliance aws run-assessment <account_id>
 `,
@@ -151,6 +191,7 @@ To run an ad-hoc compliance assessment use the command:
 func init() {
 	// add sub-commands to the aws command
 	complianceAwsCmd.AddCommand(complianceAwsGetReportCmd)
+	complianceAwsCmd.AddCommand(complianceAwsListAccountsCmd)
 	complianceAwsCmd.AddCommand(complianceAwsRunAssessmentCmd)
 
 	complianceAwsGetReportCmd.Flags().BoolVar(&compCmdState.Details, "details", false,
@@ -193,3 +234,20 @@ func complianceAwsReportDetailsTable(report *api.ComplianceAwsReport) [][]string
 		[]string{"Report Time", report.ReportTime.UTC().Format(time.RFC3339)},
 	}
 }
+
+func buildAwsComplianceAccountsTable(accounts []string) string {
+	var (
+		tBuilder = &strings.Builder{}
+		t        = tablewriter.NewWriter(tBuilder)
+	)
+
+	t.SetHeader([]string{"AWS Accounts"})
+	t.SetBorder(false)
+	t.SetAutoWrapText(false)
+	for _, acc := range accounts {
+		t.Append([]string{acc})
+	}
+	t.Render()
+
+	return tBuilder.String()
+}
diff --git a/integration/compliance_test.go b/integration/compliance_test.go
@@ -27,10 +27,13 @@ import (
 func TestComplianceCommandHelp(t *testing.T) {
 	out, err, exitcode := LaceworkCLI("help", "compliance")
 	assert.Equal(t,
-		`Manage compliance reports for GCP, Azure, or AWS cloud providers.
+		`Manage compliance reports for Google, Azure, or AWS cloud providers.
 
-To start sending data about your environment to Lacework for compliance reporting
-analysis, configure one or more cloud integration using the following command:
+Lacework cloud security platform provides continuous Compliance monitoring against
+cloud security best practices and compliance standards as CIS, PCI DSS, SoC II and
+HIPAA benchmark standards.
+
+Get started by integrating one or more cloud accounts using the command:
 
     $ lacework integration create
 
@@ -52,8 +55,8 @@ Aliases:
 
 Available Commands:
   aws         compliance for AWS
-  azure       compliance for Microsoft Azure
-  gcp         compliance for Google Cloud
+  azure       compliance for Azure Cloud
+  google      compliance for Google Cloud
 
 Flags:
   -h, --help   help for compliance