From b6e0313beab6666a7e4f1e07866f1057367c78ae Mon Sep 17 00:00:00 2001
From: Thomas
Date: Fri, 26 Nov 2021 07:37:54 +0100
Subject: [PATCH] feat(aws/cis): fix config query (#325)
---
 query/config/config_enabled_all_regions.sql | 23 +++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/query/config/config_enabled_all_regions.sql b/query/config/config_enabled_all_regions.sql
index e2c236c5..6f9dd133 100644
--- a/query/config/config_enabled_all_regions.sql
+++ b/query/config/config_enabled_all_regions.sql
@@ -1,17 +1,31 @@
 -- pgFormatter-ignore
-
+-- Get count for any region with all matching criteria
+with global_recorders as (
+ select
+ count(*) as global_config_recorders
+ from
+ aws_config_configuration_recorder
+ where
+ recording_group -> 'IncludeGlobalResourceTypes' = 'true'
+ and recording_group -> 'AllSupported' = 'true'
+ and status ->> 'Recording' = 'true'
+ and status ->> 'LastStatus' = 'SUCCESS'
+ )
 select
 -- Required columns
 'arn:aws::' || a.region || ':' || a.account_id as resource,
 case
+ -- When any of the region satisfies with above CTE
+ -- In left join of table, regions now having
+ -- 'Recording' and 'LastStatus' matching criteria can be considered as OK
 when
- recording_group -> 'IncludeGlobalResourceTypes' = 'true'
- and recording_group -> 'AllSupported' = 'true'
+ g.global_config_recorders >= 1
 and status ->> 'Recording' = 'true'
 and status ->> 'LastStatus' = 'SUCCESS'
 then 'ok'
 else 'alarm'
 end as status,
+ -- Below cases are for citing respective reasons for control state
 case
 when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then a.region || ' IncludeGlobalResourceTypes enabled,'
 else a.region || ' IncludeGlobalResourceTypes disabled,'
@@ -32,6 +46,7 @@ select
 a.region,
 a.account_id
 from
+ global_recorders as g,
 aws_region as a
- left join aws_config_configuration_recorder as r
+ left join aws_config_configuration_recorder as r
 on r.account_id = a.account_id and r.region = a.name;
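Review bot: The rewritten `when` branch drops the per-region `recording_group -> 'AllSupported' = 'true'` check that the removed lines had, so a region whose recorder only records a subset of resource types but is recording with LastStatus SUCCESS now reports `ok` as long as any region has a fully configured global recorder; the CIS intent is that only IncludeGlobalResourceTypes needs to be true in a single region, while AllSupported should hold in every region. Keep the check alongside the CTE count: `g.global_config_recorders >= 1`, `and recording_group -> 'AllSupported' = 'true'`, `and status ->> 'Recording' = 'true'`. Separately, `global_recorders` has no `account_id` in its select list or a `group by`, so if the connection covers more than one account (an aggregator, presumably) one account's global recorder would satisfy every account; adding `account_id` to the CTE and grouping by it lets the final join correlate on account. The select statement continues past this hunk, and the reason columns it feeds are not visible here.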
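Review bot: `global_recorders as g,` introduces a comma cross join of the uncorrelated one-row count against `aws_region`, so the same count is applied to every account the connection returns regardless of whose recorder produced it; this is only safe if the connection is known to span a single account, which nothing in the query enforces. If the CTE is extended to carry `account_id`, write the join explicitly as `inner join global_recorders as g on g.account_id = a.account_id` before the existing `left join`; even for a single account, `cross join global_recorders as g` states the intent better than a comma join mixed with `left join`. The select this `from` belongs to starts before this hunk.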