Add extra checks glue queries (#426)

query/elb/elb_listener_use_secure_ssl_cipher.sql

@@ -17,4 +17,4 @@ select
   region,
   account_id
 from
-  aws_ec2_load_balancer_listener;
+  aws_ec2_load_balancer_listener;

query/glue/glue_data_catalog_encryption_settings_metadata_encryption_enabled.sql

@@ -0,0 +1,15 @@
+select
+  -- Required Columns
+  case
+    when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'ok'
+    else 'alarm'
+  end as "status",
+  case
+    when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'enabled glue data catalog metadata encryption in ' || region
+    else 'disabled glue data catalog metadata encryption in ' || region
+  end as reason,
+  -- Additional Dimensions
+  region,
+  account_id
+from
+  aws_glue_data_catalog_encryption_settings;

query/glue/glue_data_catalog_encryption_settings_password_encryption_enabled.sql

@@ -0,0 +1,15 @@
+select
+  -- Required Columns
+  case
+    when connection_password_encryption is not null and connection_password_encryption ->> 'ReturnConnectionPasswordEncrypted' != 'false' then 'ok'
+    else 'alarm'
+  end as "status",
+  case
+    when connection_password_encryption is not null and connection_password_encryption ->> 'ReturnConnectionPasswordEncrypted' != 'false' then 'enabled glue data catalog connection password encryption in ' || region
+    else 'disabled glue data catalog connection password encryption in ' || region
+  end as reason,
+  -- Additional Dimensions
+  region,
+  account_id
+from
+  aws_glue_data_catalog_encryption_settings;

query/glue/glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql

@@ -0,0 +1,17 @@
+select
+  -- Required Columns
+  e.arn as resource,
+  case
+    when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then 'ok'
+    else 'alarm'
+  end as status,
+  case
+    when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then e.title || ' CloudWatch logs encryption enabled.'
+    else e.title || ' CloudWatch logs encryption disabled.'
+  end as reason,
+  -- Additional Dimensions
+  e.region,
+  e.account_id
+from
+  aws_glue_dev_endpoint as e
+  left join aws_glue_security_configuration as c on e.security_configuration = c.name;

query/glue/glue_dev_endpoint_job_bookmarks_encryption_enabled.sql

@@ -0,0 +1,17 @@
+select
+  -- Required Columns
+  e.arn as resource,
+  case
+    when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then 'ok'
+    else 'alarm'
+  end as "status",
+  case
+    when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then e.title || ' job bookmarks encryption enabled.'
+    else e.title || ' job bookmarks encryption disabled.'
+  end as reason,
+  -- Additional Dimensions
+  e.region,
+  e.account_id
+from
+  aws_glue_dev_endpoint as e
+  left join aws_glue_security_configuration as c on e.security_configuration = c.name;

query/glue/glue_dev_endpoint_s3_encryption_enabled.sql

@@ -0,0 +1,18 @@
+select
+  -- Required Columns
+  d.arn as resource,
+  case
+    when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then 'ok'
+    else 'alarm'
+  end as "status",
+  case
+    when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then d.title || ' s3 encryption enabled.'
+    else d.title || ' s3 encryption disabled.'
+  end as reason,
+  -- Additional Dimensions
+  d.region,
+  d.account_id
+from
+  aws_glue_dev_endpoint as d
+  left join aws_glue_security_configuration s on d.security_configuration = s.name,
+  jsonb_array_elements(s.s3_encryption) e;

query/glue/glue_job_cloudwatch_logs_encryption_enabled.sql

@@ -0,0 +1,17 @@
+select
+  -- Required Columns
+  j.arn as resource,
+  case
+    when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then 'ok'
+    else 'alarm'
+  end as status,
+  case
+    when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then j.title || ' CloudWatch logs encryption enabled.'
+    else j.title || ' CloudWatch logs encryption disabled.'
+  end as reason,
+  -- Additional Dimensions
+  j.region,
+  j.account_id
+from
+  aws_glue_job as j
+  left join aws_glue_security_configuration as c on j.security_configuration = c.name;

query/glue/glue_job_job_bookmarks_encryption_enabled.sql

@@ -0,0 +1,17 @@
+select
+  -- Required Columns
+  j.arn as resource,
+  case
+    when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then 'ok'
+    else 'alarm'
+  end as status,
+  case
+    when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then j.title || ' job bookmarks encryption enabled.'
+    else j.title || ' job bookmarks encryption disabled.'
+  end as reason,
+  -- Additional Dimensions
+  j.region,
+  j.account_id
+from
+  aws_glue_job as j
+  left join aws_glue_security_configuration as c on j.security_configuration = c.name;

query/glue/glue_job_s3_encryption_enabled.sql

@@ -0,0 +1,18 @@
+select
+  -- Required Columns
+  j.arn as resource,
+  case
+    when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then 'ok'
+    else 'alarm'
+  end as status,
+  case
+    when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then j.title || ' enabled s3 encryption.'
+    else j.title || ' disabled s3 encryption.'
+  end as reason,
+  -- Additional Dimensions
+  j.region,
+  j.account_id
+from
+  aws_glue_job as j
+  left join aws_glue_security_configuration as s on j.security_configuration = s.name,
+  jsonb_array_elements(s.s3_encryption) e;

query/securityhub/securityhub_standards_subscription_enabled.sql

@@ -13,4 +13,4 @@ select
   region,
   account_id
 from
-  aws_securityhub_standards_subscription;
+  aws_securityhub_standards_subscription;