This repository has been archived by the owner on Sep 26, 2023. It is now read-only.

Unique Asset Identifier is not unique #173

Open
kevinb-nomi opened this issue Dec 4, 2020 · 4 comments
Labels
bug Something isn't working

Comments

@kevinb-nomi

Many resource types seem to use the resource name as the Unique Asset Identifier which results in many duplicates.
e.g. Creating a Lambda function called test and an SQS queue called test will result in duplicate Unique Asset Identifiers "test".

Should the Unique Asset Identifier be the ARN or similar? As it should be unique across resources, regions, and accounts.

@itmecho itmecho added the bug Something isn't working label Dec 7, 2020
@itmecho
Contributor

itmecho commented Dec 7, 2020

Ooh that's a good point. I think this was from an older version where we weren't generating ARNs for all entries.

If we check that all entries now have an arn, I think it's a good idea to use that as the Unique Asset Identifier like you suggest. If not, we might have to construct one, something like service:region:name, e.g. sqs:us-east-1:my-queue.

We will also need to decide if we want to keep the name in the inventory in another field, maybe Comments.
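As an added example (not code from the project or from anyone in this thread), the scheme itmecho describes above in Python: use the ARN when the entry has one, fall back to service:region:name otherwise, and report collisions over a constructed sample inventory that contains the Lambda/SQS "test" case from the report. The account id, ARNs and the helper names are constructed for illustration.

```python
"""Added example: collision-free Unique Asset Identifiers for inventory rows."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Asset:
    service: str            # e.g. "lambda", "sqs"
    region: str             # e.g. "us-east-1"
    name: str               # resource name, as the column currently holds it
    arn: Optional[str] = None  # None when the tool did not record an ARN


def parse_arn(arn: str) -> dict:
    """Split arn:partition:service:region:account:resource into fields.
    The resource part may itself contain ':' so only the first five are split."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


def unique_asset_id(asset: Asset) -> str:
    """Prefer the ARN; otherwise build the service:region:name fallback
    proposed in the thread (hypothetical helper, not the project's own)."""
    if asset.arn:
        parse_arn(asset.arn)  # reject malformed ARNs instead of passing them on
        return asset.arn
    return f"{asset.service}:{asset.region}:{asset.name}"


def duplicates(values: Iterable[str]) -> List[str]:
    """Values that appear more than once, i.e. identifiers that are not unique."""
    return sorted(v for v, n in Counter(values).items() if n > 1)


# Constructed sample inventory (account id and ARNs are made up):
# a Lambda function and a queue both named "test", plus a queue with no ARN.
SAMPLE = [
    Asset("lambda", "us-east-1", "test", "arn:aws:lambda:us-east-1:123456789012:function:test"),
    Asset("sqs", "us-east-1", "test", "arn:aws:sqs:us-east-1:123456789012:test"),
    Asset("sqs", "us-west-2", "my-queue"),
]


def name_collisions(assets: List[Asset]) -> List[str]:
    return duplicates(a.name for a in assets)          # ['test']


def id_collisions(assets: List[Asset]) -> List[str]:
    return duplicates(unique_asset_id(a) for a in assets)  # []
```

Running the two checks over `SAMPLE` shows the name column colliding on "test" while the ARN-or-fallback column has no duplicates, and the ARN-less queue receives `sqs:us-west-2:my-queue`.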

@reedloden
Contributor

The Unique Asset Identifier is generally unique per Asset Type (per region per account where it matters). However, it's not unique for the entire column.

From the inventory template:

UNIQUE ASSET IDENTIFIER
Unique Identifier associated with the asset. This Identifier should be used consistently across all documents, 3PAOs artifacts, and any vulnerability scanning tools. For OS/Infrastructure and Web Application Software, this is typically an IP address or URL/DNS name. For a database, it is typically an IP address, URL, or database name. A CSP's own naming scheme is also acceptable as long as it has unique identifiers.

ARNs aren't used in most other documents or in vulnerability scanning tools, so I'm slightly skeptical about using it as such.

If we move the ARN from Serial #/Asset Tag# to Unique Asset Identifier, I do think we need to put the current contents of Unique Asset Identifier somewhere else. I'm just skeptical about putting them in Comments, as I would like to be able to sort based on them, which can't be easily done when we're already overloading Comments for other things.

Would welcome thoughts...

@reedloden
Contributor

Btw, I migrated to using this - https://aws.amazon.com/blogs/publicsector/automating-creation-fedramp-integrated-inventory-workbook/

I reviewed the code (https://github.com/aws-samples/fedramp-integrated-inventory-workbook) for that blog post recently, and it is pretty lacking and has several bugs. For one, it adds a duplicate row if something has multiple IP addresses, which doesn't make any sense to me. Also, it only supports EC2, ELB/ELBv2, RDS, and DynamoDB -- but misses a lot of the important details to actually make such an inventory useful. So, I would not recommend using.
