Incorrect report for CIS 3.5 (AWS Config) #26
Comments
@bwhaley Thanks for the report! Our query does look incorrect and should only alarm for the account if no region has I also believe we have another issue for this query which could prevent it from returning the correct result (#27), so we'll look into both of these issues and see how we can get the control working properly. Related to the other potential bug above, can you please paste here what
Reported here
Adding onto this, when I added 22 regions to the ~/.steampipe/config/aws.spc file as below:
As you can see, there are 22-16 = 6 regions where the check fails. In this particular AWS account, I can confirm that we have AWS Config disabled for those 6 regions. So I'm not sure this is a bug, actually.
@rhoboat Appreciate checking this out. The result you have mentioned is correct for the use case you have tested. We have already addressed this issue in detail here. I guess it's time to close this one with a good test result from you 😄 Once again thank you 👍 for responding. Pls keep us posted, in case you come across any other observations
Describe the bug
The CIS 3.5 control requires that only one region has includeGlobalResourceTypes enabled. However, this check appears to fail unless includeGlobalResourceTypes is true in every region.
Steampipe version (steampipe -v)
0.5.0
Plugin version (steampipe plugin list)
hub.steampipe.io/plugins/turbot/aws@latest | 0.18.0 | aws
To reproduce
includeGlobalResourceTypes is true.
steampipe check benchmark.cis_v130
ALARM state for every region except the region where includeGlobalResourceTypes is true.
Expected behavior
As long as one region has IncludeGlobalResourceTypes enabled, all regions should report OK.
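Added example, not part of the issue thread and not the Steampipe mod's own query: a Python sketch that contrasts the reported per-region evaluation with the expected account-level evaluation, and also covers the case raised in the comments where regions without AWS Config still alarm. The region data is constructed, the function names are hypothetical, and treating a region as healthy when its recorder has allSupported and recording set is an assumption.

```python
# Constructed sample: one recorder summary per region, using the field names
# of the AWS Config recorder (recordingGroup) and recorder status responses.
# None means no configuration recorder exists in that region.
RECORDERS = {
    "us-east-1": {"allSupported": True, "includeGlobalResourceTypes": True,
                  "recording": True},
    "us-west-2": {"allSupported": True, "includeGlobalResourceTypes": False,
                  "recording": True},
    "eu-west-1": {"allSupported": True, "includeGlobalResourceTypes": False,
                  "recording": False},
    "ap-south-1": None,
}


def region_healthy(rec):
    """Assumed health criteria: a recorder exists, covers all supported
    resource types, and is currently recording."""
    return bool(rec and rec.get("allSupported") and rec.get("recording"))


def has_global(rec):
    """True when a healthy recorder also records global resource types."""
    return region_healthy(rec) and bool(rec.get("includeGlobalResourceTypes"))


def per_region_check(recorders):
    """Behaviour reported in the issue: every region must itself have
    includeGlobalResourceTypes enabled to pass."""
    return {region: "OK" if has_global(rec) else "ALARM"
            for region, rec in recorders.items()}


def account_level_check(recorders):
    """Expected behaviour: global resource types need to be recorded in at
    least one region; every region still needs a healthy recorder."""
    global_covered = any(has_global(rec) for rec in recorders.values())
    return {region: "OK" if global_covered and region_healthy(rec) else "ALARM"
            for region, rec in recorders.items()}


if __name__ == "__main__":
    for name, check in (("per-region", per_region_check),
                        ("account-level", account_level_check)):
        print(name, check(RECORDERS))
```
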