From 1575c4d4b41cbab48d173a12c9f768f2520c1f85 Mon Sep 17 00:00:00 2001
From: ecktom
Date: Mon, 22 Nov 2021 16:03:27 +0100
Subject: [PATCH 1/2] feat(aws/cis): fix config query
---
 query/config/config_enabled_all_regions.sql | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/query/config/config_enabled_all_regions.sql b/query/config/config_enabled_all_regions.sql
index e2c236c5..55a1565c 100644
--- a/query/config/config_enabled_all_regions.sql
+++ b/query/config/config_enabled_all_regions.sql
@@ -1,11 +1,18 @@
 -- pgFormatter-ignore
-
+with global_recorders as (
+ select
+ count(*) as global_config_recorders
+ from
+ aws_config_configuration_recorder
+ where
+ recording_group -> 'IncludeGlobalResourceTypes' = 'true'
+ )
 select
 -- Required columns
 'arn:aws::' || a.region || ':' || a.account_id as resource,
 case
 when
- recording_group -> 'IncludeGlobalResourceTypes' = 'true'
+ g.global_config_recorders >= 1
 and recording_group -> 'AllSupported' = 'true'
 and status ->> 'Recording' = 'true'
 and status ->> 'LastStatus' = 'SUCCESS'
@@ -32,6 +39,7 @@ select
 a.region,
 a.account_id
 from
+ global_recorders as g,
 aws_region as a
- left join aws_config_configuration_recorder as r
+ left join aws_config_configuration_recorder as r
 on r.account_id = a.account_id and r.region = a.name;
From 00c9744c426fa3ffd5b5dcde92c045e5ffca8b0d Mon Sep 17 00:00:00 2001
From: Khushboo <46913995+khushboo9024@users.noreply.github.com>
Date: Fri, 26 Nov 2021 11:49:06 +0530
Subject: [PATCH 2/2] Update config_enabled_all_regions.sql
---
 query/config/config_enabled_all_regions.sql | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/query/config/config_enabled_all_regions.sql b/query/config/config_enabled_all_regions.sql
index 55a1565c..6f9dd133 100644
--- a/query/config/config_enabled_all_regions.sql
+++ b/query/config/config_enabled_all_regions.sql
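Review bot: The new global_recorders CTE counts IncludeGlobalResourceTypes recorders across every account in the result set rather than per account, so the comma join of `global_recorders as g` against `aws_region as a` in the second hunk lets one qualifying recorder in any account satisfy `g.global_config_recorders >= 1` for every other account's regions (aws_region carries account_id and the resource ARN is built from a.account_id, so multi-account results are clearly expected). Group the CTE by account_id and join it on that key instead of the implicit cross join; with a left join the count is NULL for accounts that have no such recorder, so the status predicate should read `when coalesce(g.global_config_recorders, 0) >= 1`. The second hunk also changes the `left join ... as r` line without any visible textual difference, which looks like a whitespace-only edit worth dropping from the patch.
```sql
with global_recorders as (
  select
    account_id,
    count(*) as global_config_recorders
  from
    aws_config_configuration_recorder
  where
    recording_group -> 'IncludeGlobalResourceTypes' = 'true'
  group by
    account_id
)
-- … unchanged: select list up to the status case …
    when coalesce(g.global_config_recorders, 0) >= 1
-- … unchanged: remaining status conditions and reason cases …
from
  aws_region as a
  left join global_recorders as g on g.account_id = a.account_id
  left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name;
```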
@@ -1,4 +1,5 @@
 -- pgFormatter-ignore
+-- Get count for any region with all matching criteria
 with global_recorders as (
 select
 count(*) as global_config_recorders
@@ -6,19 +7,25 @@ with global_recorders as (
 aws_config_configuration_recorder
 where
 recording_group -> 'IncludeGlobalResourceTypes' = 'true'
+ and recording_group -> 'AllSupported' = 'true'
+ and status ->> 'Recording' = 'true'
+ and status ->> 'LastStatus' = 'SUCCESS'
 )
 select
 -- Required columns
 'arn:aws::' || a.region || ':' || a.account_id as resource,
 case
+ -- When any of the region satisfies with above CTE
+ -- In left join of table, regions now having
+ -- 'Recording' and 'LastStatus' matching criteria can be considered as OK
 when g.global_config_recorders >= 1
- and recording_group -> 'AllSupported' = 'true'
 and status ->> 'Recording' = 'true'
 and status ->> 'LastStatus' = 'SUCCESS'
 then 'ok'
 else 'alarm'
 end as status,
+ -- Below cases are for citing respective reasons for control state
 case
 when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then a.region || ' IncludeGlobalResourceTypes enabled,'
 else a.region || ' IncludeGlobalResourceTypes disabled,'
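Review bot: Removing `and recording_group -> 'AllSupported' = 'true'` from the per-region `when` in the second hunk weakens the control: a region whose recorder records only a selected subset of resource types now reports 'ok' as long as its own Recording and LastStatus checks pass, because the CTE only establishes that some recorder somewhere is AllSupported, not the one in this region. Only the global-resource-types flag legitimately needs to hold in a single region, so keep AllSupported as a per-region requirement by restoring the line directly after `when g.global_config_recorders >= 1`: `and recording_group -> 'AllSupported' = 'true'`. The three comment lines added above the `when` would also read more clearly as one sentence, e.g. `-- ok when this region's recorder is recording successfully and at least one recorder (in any region) covers global resource types`.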