Merge pull request #556 from turbot/release/v0.56
Release/v0.56
misraved authored Feb 3, 2023
2 parents d29735d + 92e43f5 commit c7cea47
Showing 3 changed files with 13 additions and 2 deletions.
7 changes: 7 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,10 @@
## v0.56 [2023-02-03]

_Bug fixes_

- Fixed the `guardduty_enabled` query to no longer report false positive results on accounts which are members of an AWS organization where GuardDuty is managed by another account via Delegated Admin. ([#551](https://github.com/turbot/steampipe-mod-aws-compliance/pull/551))
- Fixed the `ec2_instance_ssm_managed` query to return `info` instead of an `error` for instances that are in stopped state and are not managed by SSM. ([#550](https://github.com/turbot/steampipe-mod-aws-compliance/pull/550))

## v0.55 [2023-01-20]

_Dependencies_
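Review bot: The `guardduty_enabled` entry says the query no longer reports false positives but does not name the status that member accounts now receive, while the `ec2_instance_ssm_managed` entry directly below it spells out `info` instead of `error`. Consider stating that detectors managed by another account via Delegated Admin now report `info`, so anyone tracking control results across upgrades knows to expect the status change.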
6 changes: 4 additions & 2 deletions query/guardduty/guardduty_enabled.sql
Expand Up @@ -5,14 +5,16 @@ select
when r.region = any(array['af-south-1', 'ap-northeast-3', 'ap-southeast-3', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'me-south-1', 'us-gov-east-1']) then 'skip'
-- Skip any regions that are disabled in the account.
when r.opt_in_status = 'not-opted-in' then 'skip'
when status = 'ENABLED' then 'ok'
when status = 'ENABLED' and master_account ->> 'AccountId' is null then 'ok'
when status = 'ENABLED' and master_account ->> 'AccountId' is not null then 'info'
else 'alarm'
end as status,
case
when r.region = any(array['af-south-1', 'ap-northeast-3', 'ap-southeast-3', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'me-south-1', 'us-gov-east-1']) then r.region || ' region not supported.'
when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'
when status is null then 'No GuardDuty detector found in ' || r.region || '.'
when status = 'ENABLED' then r.region || ' detector ' || d.title || ' enabled.'
when status = 'ENABLED' and master_account ->> 'AccountId' is null then r.region || ' detector ' || d.title || ' enabled.'
when status = 'ENABLED' and master_account ->> 'AccountId' is not null then r.region || ' detector ' || d.title || ' is managed by account ' || (master_account ->> 'AccountId') || ' via delegated admin.'
else r.region || ' detector ' || d.title || ' disabled.'
end as reason,
-- Additional Dimensions
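Review bot: In both `case` expressions the new delegated-admin branch only splits rows that already match `status = 'ENABLED'`, so in the lines shown an enabled detector in a member account moves from `ok` to `info`, while a member account with no detector or a disabled one still falls through to `alarm`. If the false positive described in the changelog is an alarm raised in member accounts, this hunk does not touch that path; if the intended change is the `ok` to `info` downgrade, a one-line SQL comment above the new `when` lines, in the style of the existing `-- Skip any regions that are disabled in the account.`, would record why. `status` and `master_account` are also referenced without a table alias while `d.title` and `r.region` carry one; qualifying them would keep the expression unambiguous.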
2 changes: 2 additions & 0 deletions query/ssm/ec2_instance_ssm_managed.sql
Expand Up @@ -2,10 +2,12 @@ select
-- Required Columns
i.arn as resource,
case
when i.instance_state = 'stopped' then 'info'
when m.instance_id is null then 'alarm'
else 'ok'
end as status,
case
when i.instance_state = 'stopped' then i.title || ' is in stopped state.'
when m.instance_id is null then i.title || ' not managed by AWS SSM.'
else i.title || ' managed by AWS SSM.'
end as reason,
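Review bot: The new `when i.instance_state = 'stopped' then 'info'` branch is evaluated before the `m.instance_id is null` test in both `case` expressions, so every stopped instance returns `info` with the reason "is in stopped state.", including stopped instances that are managed by SSM and would otherwise return `ok`. The changelog scopes the fix to stopped instances that are not managed by SSM; `when i.instance_state = 'stopped' and m.instance_id is null` would match that wording, or the reason text could state whether the stopped instance is managed.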