From 9f48db7c614560ebfb65602d2b7bd4df0453b643 Mon Sep 17 00:00:00 2001
From: Karan Popat
Date: Fri, 17 Jun 2022 11:54:31 +0530
Subject: [PATCH 1/9] Add queries for extra checks
---
...il_lambda_operations_recording_enabled.sql | 42 ++++++++++++++++++
..._trail_s3_object_level_logging_enabled.sql | 44 +++++++++++++++++++
.../sns/sns_topic_policy_public_disabled.sql | 32 ++++++++++++++
.../sqs/sqs_queue_policy_public_disabled.sql | 32 ++++++++++++++
4 files changed, 150 insertions(+)
create mode 100644 query/cloudtrail/cloudtrail_trail_lambda_operations_recording_enabled.sql
create mode 100644 query/cloudtrail/cloudtrail_trail_s3_object_level_logging_enabled.sql
create mode 100644 query/sns/sns_topic_policy_public_disabled.sql
create mode 100644 query/sqs/sqs_queue_policy_public_disabled.sql
diff --git a/query/cloudtrail/cloudtrail_trail_lambda_operations_recording_enabled.sql b/query/cloudtrail/cloudtrail_trail_lambda_operations_recording_enabled.sql
new file mode 100644
index 00000000..01c5de35
--- /dev/null
+++ b/query/cloudtrail/cloudtrail_trail_lambda_operations_recording_enabled.sql
@@ -0,0 +1,42 @@
+with event_selectors_list as (
+ select
+ akas,
+ title,
+ jsonb_pretty(e),
+ region,
+ account_id
+ from
+ aws_cloudtrail_trail,
+ jsonb_array_elements(event_selectors) e
+ where
+ e ->> 'DataResources' like '%AWS::Lambda::Function%'
+ union
+ select
+ akas,
+ title,
+ jsonb_pretty(a),
+ region,
+ account_id
+ from
+ aws_cloudtrail_trail,
+ jsonb_array_elements(advanced_event_selectors) a
+ where
+ a ->> 'FieldSelectors' like '%AWS::Lambda::Function%'
+)
+select
+ -- Required Columns
+ c.title as resource,
+ case
+ when e.akas is null then 'alarm'
+ else 'ok'
+ end as status,
+ case
+ when e.akas is null then c.title || ' disabled lambda function operations recording in ' || c.region
+ else c.title || ' enabled lambda function operations recording ' || c.region
+ end as reason,
+ -- Additional Dimensions
+ c.region,
+ c.account_id
+from
+ aws_cloudtrail_trail c
+ left join event_selectors_list e on c.akas = e.akas and c.region = e.region and c.account_id = e.account_id;
\ No newline at end of file
diff --git a/query/cloudtrail/cloudtrail_trail_s3_object_level_logging_enabled.sql b/query/cloudtrail/cloudtrail_trail_s3_object_level_logging_enabled.sql
new file mode 100644
index 00000000..83044860
--- /dev/null
+++ b/query/cloudtrail/cloudtrail_trail_s3_object_level_logging_enabled.sql
@@ -0,0 +1,44 @@
+with event_selectors_list as (
+ select
+ akas,
+ title,
+ jsonb_pretty(e),
+ region,
+ account_id
+ from
+ aws_cloudtrail_trail,
+ jsonb_array_elements(event_selectors) e
+ where
+ e ->> 'DataResources' like '%AWS::S3::Object%'
+ union
+ select
+ akas,
+ title,
+ jsonb_pretty(a),
+ region,
+ account_id
+ from
+ aws_cloudtrail_trail,
+ jsonb_array_elements(advanced_event_selectors) a
+ where
+ a ->> 'FieldSelectors' like '%AWS::S3::Object%'
+)
+select
+ -- Required Columns
+ c.title as resource,
+ case
+ when e.akas is null
+ then 'alarm'
+ else 'ok'
+ end status,
+ case
+ when e.akas is null
+ then c.title || ' disabled object level logging in s3 bucket ' || c.region
+ else c.title || ' enabled object level logging in s3 bucket ' || c.region
+ end reason,
+ -- Additional Dimensions
+ c.region,
+ c.account_id
+from
+ aws_cloudtrail_trail c left outer join event_selectors_list e
+on c.akas = e.akas and c.region = e.region and c.account_id = e.account_id;
\ No newline at end of file
diff --git a/query/sns/sns_topic_policy_public_disabled.sql b/query/sns/sns_topic_policy_public_disabled.sql
new file mode 100644
index 00000000..26c0aaa8
--- /dev/null
+++ b/query/sns/sns_topic_policy_public_disabled.sql
@@ -0,0 +1,32 @@
+with wildcard_action_policies as (
+ select
+ topic_arn,
+ count(*) as statements_num
+ from
+ aws_sns_topic,
+ jsonb_array_elements(policy_std -> 'Statement') as s
+ where
+ s ->> 'Effect' = 'Allow'
+ and (
+ ( s -> 'Principal' -> 'AWS') = '["*"]'
+ or s ->> 'Principal' = '*'
+ )
+ group by
+ topic_arn
+)
+select
+ t.topic_arn as resource,
+ case
+ when p.topic_arn is null then 'ok'
+ else 'alarm'
+ end status,
+ case
+ when p.topic_arn is null then title || ' does not allow public access.'
+ else title || ' contains ' || coalesce(p.statements_num,0) ||
+ ' statements that allows public access.'
+ end as reason,
+ t.region,
+ t.account_id
+from
+ aws_sns_topic as t
+ left join wildcard_action_policies as p on p.topic_arn = t.topic_arn;
\ No newline at end of file
diff --git a/query/sqs/sqs_queue_policy_public_disabled.sql b/query/sqs/sqs_queue_policy_public_disabled.sql
new file mode 100644
index 00000000..1a28697b
--- /dev/null
+++ b/query/sqs/sqs_queue_policy_public_disabled.sql
@@ -0,0 +1,32 @@
+with wildcard_action_policies as (
+ select
+ queue_arn,
+ count(*) as statements_num
+ from
+ aws_sqs_queue,
+ jsonb_array_elements(policy_std -> 'Statement') as s
+ where
+ s ->> 'Effect' = 'Allow'
+ and (
+ ( s -> 'Principal' -> 'AWS') = '["*"]'
+ or s ->> 'Principal' = '*'
+ )
+ group by
+ queue_arn
+)
+select
+ q.queue_arn as resource,
+ case
+ when p.queue_arn is null then 'ok'
+ else 'alarm'
+ end status,
+ case
+ when p.queue_arn is null then title || ' does not allow public access.'
+ else title || ' contains ' || coalesce(p.statements_num,0) ||
+ ' statements that allows public access.'
+ end as reason,
+ q.region,
+ q.account_id
+from
+ aws_sqs_queue as q
+ left join wildcard_action_policies as p on q.queue_arn = p.queue_arn;
\ No newline at end of file
From 874f3b8d74cdb0b473c4265dcf66d161634981ba Mon Sep 17 00:00:00 2001
From: Karan Popat
Date: Tue, 21 Jun 2022 12:40:03 +0530
Subject: [PATCH 2/9] add extra check queries
---
..._cluster_control_plane_logging_enabled.sql | 16 +++++++++++++++
.../elb_listener_use_secure_ssl_cipher.sql | 20 +++++++++++++++++++
...rityhub_standards_subscription_enabled.sql | 15 ++++++++++++++
3 files changed, 51 insertions(+)
create mode 100644 query/eks/eks_cluster_control_plane_logging_enabled.sql
create mode 100644 query/elb/elb_listener_use_secure_ssl_cipher.sql
create mode 100644 query/securityhub/securityhub_standards_subscription_enabled.sql
diff --git a/query/eks/eks_cluster_control_plane_logging_enabled.sql b/query/eks/eks_cluster_control_plane_logging_enabled.sql
new file mode 100644
index 00000000..06991086
--- /dev/null
+++ b/query/eks/eks_cluster_control_plane_logging_enabled.sql
@@ -0,0 +1,16 @@
+select
+ arn,
+ case
+ when log ->> 'Enabled' = 'true' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when log ->> 'Enabled' = 'true' then title || ' enabled logging for ' || (log ->> 'Types')
+ else title || ' disabled logging for ' || (log ->> 'Types')
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_eks_cluster,
+ jsonb_array_elements(logging -> 'ClusterLogging') as log;
\ No newline at end of file
diff --git a/query/elb/elb_listener_use_secure_ssl_cipher.sql b/query/elb/elb_listener_use_secure_ssl_cipher.sql
new file mode 100644
index 00000000..63d6b7be
--- /dev/null
+++ b/query/elb/elb_listener_use_secure_ssl_cipher.sql
@@ -0,0 +1,20 @@
+select
+ -- Required Columns
+ load_balancer_arn as resource,
+ case
+ when ssl_policy like any (
+ ARRAY ['ELBSecurityPolicy-TLS-1-2-2017-01', 'ELBSecurityPolicy-TLS-1-1-2017-01']
+ ) then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when ssl_policy like any (
+ ARRAY ['ELBSecurityPolicy-TLS-1-2-2017-01', 'ELBSecurityPolicy-TLS-1-1-2017-01']
+ ) then title || ' having secure ssl cipher'
+ else title || ' having insecure ssl cipher'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_ec2_load_balancer_listener;
\ No newline at end of file
diff --git a/query/securityhub/securityhub_standards_subscription_enabled.sql b/query/securityhub/securityhub_standards_subscription_enabled.sql
new file mode 100644
index 00000000..ff2421e3
--- /dev/null
+++ b/query/securityhub/securityhub_standards_subscription_enabled.sql
@@ -0,0 +1,15 @@
+select
+ standards_arn,
+ case
+ when standards_status = 'READY' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when standards_status = 'READY' then title || ' subscribed to standard ' || standards_subscription_arn
+ else title || ' not subscribed to any standard'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_securityhub_standards_subscription;
\ No newline at end of file
From 52e8fcb064f4febf204baefd06a4a45d57c29943 Mon Sep 17 00:00:00 2001
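Review bot: `ssl_policy like any (ARRAY [...])` in both case expressions carries no wildcards, so it is an exact-name match that `= any (...)` would state directly, and the allow-list passes `ELBSecurityPolicy-TLS-1-1-2017-01`, a predefined policy that still negotiates TLS 1.1, while any stronger policy AWS has added since (the TLS 1.3 families) lands in 'alarm' simply because it is absent from the list. For a check titled "secure ssl cipher" the list should arguably hold only the TLS 1.2-only policy and be maintained as an explicit allow-list with a comment saying why each entry qualifies. If `ssl_policy` is null for plain HTTP/TCP listeners, those rows also fall into the else branch and are reported as 'having insecure ssl cipher' although no TLS is involved; a leading `when ssl_policy is null then 'skip'` (or a where clause restricting to TLS listeners) would keep the result honest, but confirm the column's null semantics first. Hoisting the duplicated array literal into a CTE would stop the status and reason branches from drifting apart.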
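Review bot: The else branch reports `title || ' not subscribed to any standard'`, but every row of `aws_securityhub_standards_subscription` is by construction a subscription; a non-`READY` `standards_status` (PENDING, INCOMPLETE, FAILED or DELETING in the Security Hub API) means the subscription exists but is not active, so the message misstates the finding and `else title || ' subscription is ' || standards_status` would be accurate. The hunk also selects `standards_arn` without the `as resource` alias the elb query in this same patch uses, and quotes `"status"` where the sibling writes `as status`. Presumably an account with no subscriptions at all produces no rows here and therefore never alarms, which looks like the very condition a check named standards_subscription_enabled should catch; confirm whether that case needs to be driven from a different table.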
From: Karan Popat
Date: Mon, 27 Jun 2022 10:43:07 +0530
Subject: [PATCH 3/9] Add extra checks glue queries
---
...ion_settings_metadata_encryption_enabled.sql | 14 ++++++++++++++
...ion_settings_password_encryption_enabled.sql | 14 ++++++++++++++
...point_cloudwatch_logs_encryption_enabled.sql | 16 ++++++++++++++++
...ndpoint_job_bookmarks_encryption_enabled.sql | 16 ++++++++++++++++
.../glue_dev_endpoint_s3_encryption_enabled.sql | 17 +++++++++++++++++
...e_job_cloudwatch_logs_encryption_enabled.sql | 16 ++++++++++++++++
...lue_job_job_bookmarks_encryption_enabled.sql | 16 ++++++++++++++++
query/glue/glue_job_s3_encryption_enabled.sql | 17 +++++++++++++++++
8 files changed, 126 insertions(+)
create mode 100644 query/glue/glue_data_catalog_encryption_settings_metadata_encryption_enabled.sql
create mode 100644 query/glue/glue_data_catalog_encryption_settings_password_encryption_enabled.sql
create mode 100644 query/glue/glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql
create mode 100644 query/glue/glue_dev_endpoint_job_bookmarks_encryption_enabled.sql
create mode 100644 query/glue/glue_dev_endpoint_s3_encryption_enabled.sql
create mode 100644 query/glue/glue_job_cloudwatch_logs_encryption_enabled.sql
create mode 100644 query/glue/glue_job_job_bookmarks_encryption_enabled.sql
create mode 100644 query/glue/glue_job_s3_encryption_enabled.sql
diff --git a/query/glue/glue_data_catalog_encryption_settings_metadata_encryption_enabled.sql b/query/glue/glue_data_catalog_encryption_settings_metadata_encryption_enabled.sql
new file mode 100644
index 00000000..b9543c4d
--- /dev/null
+++ b/query/glue/glue_data_catalog_encryption_settings_metadata_encryption_enabled.sql
@@ -0,0 +1,14 @@
+select
+ case
+ when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'enabled glue data catalog metadata encryption in ' || region
+ else 'disabled glue data catalog metadata encryption in ' || region
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_glue_data_catalog_encryption_settings;
\ No newline at end of file
diff --git a/query/glue/glue_data_catalog_encryption_settings_password_encryption_enabled.sql b/query/glue/glue_data_catalog_encryption_settings_password_encryption_enabled.sql
new file mode 100644
index 00000000..2b1e5c0b
--- /dev/null
+++ b/query/glue/glue_data_catalog_encryption_settings_password_encryption_enabled.sql
@@ -0,0 +1,14 @@
+select
+ case
+ when connection_password_encryption is not null and connection_password_encryption ->> 'ReturnConnectionPasswordEncrypted' != 'false' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when connection_password_encryption is not null and connection_password_encryption ->> 'ReturnConnectionPasswordEncrypted' != 'false' then 'enabled glue data catalog connection password encryption in ' || region
+ else 'disabled glue data catalog connection password encryption in ' || region
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_glue_data_catalog_encryption_settings;
\ No newline at end of file
diff --git a/query/glue/glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql b/query/glue/glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql
new file mode 100644
index 00000000..18840a98
--- /dev/null
+++ b/query/glue/glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql
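Review bot: The select list opens with `case ... end as "status"` and never projects a `resource` column, unlike every other query in this series (`d.arn as resource`, `load_balancer_arn as resource`), so the result lacks the first of the required columns; the glue_data_catalog_encryption_settings_password_encryption_enabled hunk that follows has the same gap. Since `aws_glue_data_catalog_encryption_settings` is a per-region, per-account setting, a constructed key such as `region || ':' || account_id as resource,` (or whatever the mod already uses for region-scoped resources) would identify the row. A `-- Required Columns` marker above it, matching the other queries, would make the omission visible next time. The `is not null and ... != 'DISABLED'` guard also routes a missing `CatalogEncryptionMode` key to 'alarm' through three-valued logic, which is the desired outcome but deserves a one-line comment so nobody "fixes" it.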
@@ -0,0 +1,16 @@
+select
+ d.arn as resource,
+ case
+ when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then d.title || ' enabled cloud watch logs encryption'
+ else d.title || ' disabled cloud watch logs encryption'
+ end as reason,
+ -- Additional Dimensions
+ d.region,
+ d.account_id
+from
+ aws_glue_dev_endpoint d
+ left join aws_glue_security_configuration s on d.security_configuration = s.name;
\ No newline at end of file
diff --git a/query/glue/glue_dev_endpoint_job_bookmarks_encryption_enabled.sql b/query/glue/glue_dev_endpoint_job_bookmarks_encryption_enabled.sql
new file mode 100644
index 00000000..c78060d7
--- /dev/null
+++ b/query/glue/glue_dev_endpoint_job_bookmarks_encryption_enabled.sql
@@ -0,0 +1,16 @@
+select
+ d.arn as resource,
+ case
+ when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then d.title || ' enabled job bookmarks encryption'
+ else d.title || ' disabled job bookmarks encryption'
+ end as reason,
+ -- Additional Dimensions
+ d.region,
+ d.account_id
+from
+ aws_glue_dev_endpoint d
+ left join aws_glue_security_configuration s on d.security_configuration = s.name;
\ No newline at end of file
diff --git a/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql b/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql
new file mode 100644
index 00000000..71e17f76
--- /dev/null
+++ b/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql
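Review bot: `left join aws_glue_security_configuration s on d.security_configuration = s.name` matches on the configuration name alone, but a Glue security configuration name is only unique within one account and region, so in a multi-account or multi-region connection an endpoint can be joined to a same-named configuration from elsewhere and be reported 'ok' on the strength of someone else's encryption settings, or be emitted twice. The join should pin the scope: `on d.security_configuration = s.name and d.region = s.region and d.account_id = s.account_id`. The same name-only join appears in the job-bookmarks hunk that follows, in both S3 hunks and in the two glue_job hunks of this patch. `cloud_watch_encryption` is also left unqualified; writing `s.cloud_watch_encryption` would make clear that the value comes from the joined configuration and that an endpoint with no configuration alarms only because the outer join leaves it null.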
@@ -0,0 +1,17 @@
+select
+ d.arn as resource,
+ case
+ when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then d.title || ' enabled s3 encryption'
+ else d.title || ' disabled s3 encryption'
+ end as reason,
+ -- Additional Dimensions
+ d.region,
+ d.account_id
+from
+ aws_glue_dev_endpoint d
+ left join aws_glue_security_configuration s on d.security_configuration = s.name,
+ jsonb_array_elements(s.s3_encryption) e;
\ No newline at end of file
diff --git a/query/glue/glue_job_cloudwatch_logs_encryption_enabled.sql b/query/glue/glue_job_cloudwatch_logs_encryption_enabled.sql
new file mode 100644
index 00000000..6ac9a975
--- /dev/null
+++ b/query/glue/glue_job_cloudwatch_logs_encryption_enabled.sql
@@ -0,0 +1,16 @@
+select
+ j.arn as resource,
+ case
+ when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then j.title || ' enabled cloud watch logs encryption'
+ else j.title || ' disabled cloud watch logs encryption'
+ end as reason,
+ -- Additional Dimensions
+ j.region,
+ j.account_id
+from
+ aws_glue_job j
+ left join aws_glue_security_configuration s on j.security_configuration = s.name;
\ No newline at end of file
diff --git a/query/glue/glue_job_job_bookmarks_encryption_enabled.sql b/query/glue/glue_job_job_bookmarks_encryption_enabled.sql
new file mode 100644
index 00000000..744d5de9
--- /dev/null
+++ b/query/glue/glue_job_job_bookmarks_encryption_enabled.sql
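Review bot: Because `jsonb_array_elements(s.s3_encryption) e` is a comma (cross) join placed after the left join, an endpoint with no security configuration, or one whose configuration has a null `s3_encryption`, gets zero rows from the set-returning function and drops out of the result entirely, so exactly the endpoints that should alarm are never reported and the `e is not null` test in both case expressions can never be true. Replacing the last two from items with `left join aws_glue_security_configuration s on d.security_configuration = s.name` and `left join lateral jsonb_array_elements(s.s3_encryption) e on true` keeps those endpoints as 'alarm' rows. The glue_job_s3_encryption_enabled hunk later in this patch has the same shape and needs the same change. Note also that a configuration with several S3 encryption entries yields one row per entry for the same endpoint; if the mod expects one row per resource, aggregate per `d.arn` with `bool_and(e ->> 'S3EncryptionMode' != 'DISABLED')` or similar.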
@@ -0,0 +1,16 @@
+select
+ j.arn as resource,
+ case
+ when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then j.title || ' enabled job bookmarks encryption'
+ else j.title || ' disabled job bookmarks encryption'
+ end as reason,
+ -- Additional Dimensions
+ j.region,
+ j.account_id
+from
+ aws_glue_job j
+ left join aws_glue_security_configuration s on j.security_configuration = s.name;
\ No newline at end of file
diff --git a/query/glue/glue_job_s3_encryption_enabled.sql b/query/glue/glue_job_s3_encryption_enabled.sql
new file mode 100644
index 00000000..3bf058e1
--- /dev/null
+++ b/query/glue/glue_job_s3_encryption_enabled.sql
@@ -0,0 +1,17 @@
+select
+ j.arn as resource,
+ case
+ when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then j.title || ' enabled s3 encryption'
+ else j.title || ' disabled s3 encryption'
+ end as reason,
+ -- Additional Dimensions
+ j.region,
+ j.account_id
+from
+ aws_glue_job j
+ left join aws_glue_security_configuration s on j.security_configuration = s.name,
+ jsonb_array_elements(s.s3_encryption) e;
\ No newline at end of file
From 897acd2fabc9cb51c005213a31aceff2bf4242f2 Mon Sep 17 00:00:00 2001
From: Karan Popat
Date: Mon, 27 Jun 2022 11:09:43 +0530
Subject: [PATCH 4/9] Remove duplicates
---
...il_lambda_operations_recording_enabled.sql | 42 ------------------
..._trail_s3_object_level_logging_enabled.sql | 44 -------------------
.../sns/sns_topic_policy_public_disabled.sql | 32 --------------
.../sqs/sqs_queue_policy_public_disabled.sql | 32 --------------
4 files changed, 150 deletions(-)
delete mode 100644 query/cloudtrail/cloudtrail_trail_lambda_operations_recording_enabled.sql
delete mode 100644 query/cloudtrail/cloudtrail_trail_s3_object_level_logging_enabled.sql
delete mode 100644 query/sns/sns_topic_policy_public_disabled.sql
delete mode 100644 query/sqs/sqs_queue_policy_public_disabled.sql
diff --git a/query/cloudtrail/cloudtrail_trail_lambda_operations_recording_enabled.sql b/query/cloudtrail/cloudtrail_trail_lambda_operations_recording_enabled.sql
deleted file mode 100644
index 01c5de35..00000000
--- a/query/cloudtrail/cloudtrail_trail_lambda_operations_recording_enabled.sql
+++ /dev/null
@@ -1,42 +0,0 @@
-with event_selectors_list as (
- select
- akas,
- title,
- jsonb_pretty(e),
- region,
- account_id
- from
- aws_cloudtrail_trail,
- jsonb_array_elements(event_selectors) e
- where
- e ->> 'DataResources' like '%AWS::Lambda::Function%'
- union
- select
- akas,
- title,
- jsonb_pretty(a),
- region,
- account_id
- from
- aws_cloudtrail_trail,
- jsonb_array_elements(advanced_event_selectors) a
- where
- a ->> 'FieldSelectors' like '%AWS::Lambda::Function%'
-)
-select
- -- Required Columns
- c.title as resource,
- case
- when e.akas is null then 'alarm'
- else 'ok'
- end as status,
- case
- when e.akas is null then c.title || ' disabled lambda function operations recording in ' || c.region
- else c.title || ' enabled lambda function operations recording ' || c.region
- end as reason,
- -- Additional Dimensions
- c.region,
- c.account_id
-from
- aws_cloudtrail_trail c
- left join event_selectors_list e on c.akas = e.akas and c.region = e.region and c.account_id = e.account_id;
\ No newline at end of file
diff --git a/query/cloudtrail/cloudtrail_trail_s3_object_level_logging_enabled.sql b/query/cloudtrail/cloudtrail_trail_s3_object_level_logging_enabled.sql
deleted file mode 100644
index 83044860..00000000
--- a/query/cloudtrail/cloudtrail_trail_s3_object_level_logging_enabled.sql
+++ /dev/null
@@ -1,44 +0,0 @@
-with event_selectors_list as (
- select
- akas,
- title,
- jsonb_pretty(e),
- region,
- account_id
- from
- aws_cloudtrail_trail,
- jsonb_array_elements(event_selectors) e
- where
- e ->> 'DataResources' like '%AWS::S3::Object%'
- union
- select
- akas,
- title,
- jsonb_pretty(a),
- region,
- account_id
- from
- aws_cloudtrail_trail,
- jsonb_array_elements(advanced_event_selectors) a
- where
- a ->> 'FieldSelectors' like '%AWS::S3::Object%'
-)
-select
- -- Required Columns
- c.title as resource,
- case
- when e.akas is null
- then 'alarm'
- else 'ok'
- end status,
- case
- when e.akas is null
- then c.title || ' disabled object level logging in s3 bucket ' || c.region
- else c.title || ' enabled object level logging in s3 bucket ' || c.region
- end reason,
- -- Additional Dimensions
- c.region,
- c.account_id
-from
- aws_cloudtrail_trail c left outer join event_selectors_list e
-on c.akas = e.akas and c.region = e.region and c.account_id = e.account_id;
\ No newline at end of file
diff --git a/query/sns/sns_topic_policy_public_disabled.sql b/query/sns/sns_topic_policy_public_disabled.sql
deleted file mode 100644
index 26c0aaa8..00000000
--- a/query/sns/sns_topic_policy_public_disabled.sql
+++ /dev/null
@@ -1,32 +0,0 @@
-with wildcard_action_policies as (
- select
- topic_arn,
- count(*) as statements_num
- from
- aws_sns_topic,
- jsonb_array_elements(policy_std -> 'Statement') as s
- where
- s ->> 'Effect' = 'Allow'
- and (
- ( s -> 'Principal' -> 'AWS') = '["*"]'
- or s ->> 'Principal' = '*'
- )
- group by
- topic_arn
-)
-select
- t.topic_arn as resource,
- case
- when p.topic_arn is null then 'ok'
- else 'alarm'
- end status,
- case
- when p.topic_arn is null then title || ' does not allow public access.'
- else title || ' contains ' || coalesce(p.statements_num,0) ||
- ' statements that allows public access.'
- end as reason,
- t.region,
- t.account_id
-from
- aws_sns_topic as t
- left join wildcard_action_policies as p on p.topic_arn = t.topic_arn;
\ No newline at end of file
diff --git a/query/sqs/sqs_queue_policy_public_disabled.sql b/query/sqs/sqs_queue_policy_public_disabled.sql
deleted file mode 100644
index 1a28697b..00000000
--- a/query/sqs/sqs_queue_policy_public_disabled.sql
+++ /dev/null
@@ -1,32 +0,0 @@
-with wildcard_action_policies as (
- select
- queue_arn,
- count(*) as statements_num
- from
- aws_sqs_queue,
- jsonb_array_elements(policy_std -> 'Statement') as s
- where
- s ->> 'Effect' = 'Allow'
- and (
- ( s -> 'Principal' -> 'AWS') = '["*"]'
- or s ->> 'Principal' = '*'
- )
- group by
- queue_arn
-)
-select
- q.queue_arn as resource,
- case
- when p.queue_arn is null then 'ok'
- else 'alarm'
- end status,
- case
- when p.queue_arn is null then title || ' does not allow public access.'
- else title || ' contains ' || coalesce(p.statements_num,0) ||
- ' statements that allows public access.'
- end as reason,
- q.region,
- q.account_id
-from
- aws_sqs_queue as q
- left join wildcard_action_policies as p on q.queue_arn = p.queue_arn;
\ No newline at end of file
From db15e28f79c674958166f8fb1498c479d384fe3c Mon Sep 17 00:00:00 2001
From: Karan Popat
Date: Mon, 27 Jun 2022 11:11:06 +0530
Subject: [PATCH 5/9] remove duplicates
---
...eks_cluster_control_plane_logging_enabled.sql | 16 ----------------
1 file changed, 16 deletions(-)
delete mode 100644 query/eks/eks_cluster_control_plane_logging_enabled.sql
diff --git a/query/eks/eks_cluster_control_plane_logging_enabled.sql b/query/eks/eks_cluster_control_plane_logging_enabled.sql
deleted file mode 100644
index 06991086..00000000
--- a/query/eks/eks_cluster_control_plane_logging_enabled.sql
+++ /dev/null
@@ -1,16 +0,0 @@
-select
- arn,
- case
- when log ->> 'Enabled' = 'true' then 'ok'
- else 'alarm'
- end as "status",
- case
- when log ->> 'Enabled' = 'true' then title || ' enabled logging for ' || (log ->> 'Types')
- else title || ' disabled logging for ' || (log ->> 'Types')
- end as reason,
- -- Additional Dimensions
- region,
- account_id
-from
- aws_eks_cluster,
- jsonb_array_elements(logging -> 'ClusterLogging') as log;
\ No newline at end of file
From 3792551799e7dd0b925d76f3d5dd4f2b74fd9fe3 Mon Sep 17 00:00:00 2001
From: Karan Popat
Date: Mon, 27 Jun 2022 11:17:12 +0530
Subject: [PATCH 6/9] correct indentation
---
...n_settings_metadata_encryption_enabled.sql | 15 ++++++++-------
...n_settings_password_encryption_enabled.sql | 15 ++++++++-------
...int_cloudwatch_logs_encryption_enabled.sql | 17 +++++++++--------
...point_job_bookmarks_encryption_enabled.sql | 17 +++++++++--------
...lue_dev_endpoint_s3_encryption_enabled.sql | 1 +
...job_cloudwatch_logs_encryption_enabled.sql | 17 +++++++++--------
...e_job_job_bookmarks_encryption_enabled.sql | 17 +++++++++--------
query/glue/glue_job_s3_encryption_enabled.sql | 19 ++++++++++---------
8 files changed, 63 insertions(+), 55 deletions(-)
diff --git a/query/glue/glue_data_catalog_encryption_settings_metadata_encryption_enabled.sql b/query/glue/glue_data_catalog_encryption_settings_metadata_encryption_enabled.sql
index b9543c4d..cfd32811 100644
--- a/query/glue/glue_data_catalog_encryption_settings_metadata_encryption_enabled.sql +++ b/query/glue/glue_data_catalog_encryption_settings_metadata_encryption_enabled.sql @@ -1,14 +1,15 @@ select + -- Required Columns case when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'ok' else 'alarm' end as "status", - case - when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'enabled glue data catalog metadata encryption in ' || region - else 'disabled glue data catalog metadata encryption in ' || region - end as reason, - -- Additional Dimensions - region, - account_id + case + when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'enabled glue data catalog metadata encryption in ' || region + else 'disabled glue data catalog metadata encryption in ' || region + end as reason, + -- Additional Dimensions + region, + account_id from aws_glue_data_catalog_encryption_settings; \ No newline at end of file diff --git a/query/glue/glue_data_catalog_encryption_settings_password_encryption_enabled.sql b/query/glue/glue_data_catalog_encryption_settings_password_encryption_enabled.sql index 2b1e5c0b..83008ca2 100644 --- a/query/glue/glue_data_catalog_encryption_settings_password_encryption_enabled.sql +++ b/query/glue/glue_data_catalog_encryption_settings_password_encryption_enabled.sql 
@@ -1,14 +1,15 @@ select + -- Required Columns case when connection_password_encryption is not null and connection_password_encryption ->> 'ReturnConnectionPasswordEncrypted' != 'false' then 'ok' else 'alarm' end as "status", - case - when connection_password_encryption is not null and connection_password_encryption ->> 'ReturnConnectionPasswordEncrypted' != 'false' then 'enabled glue data catalog connection password encryption in ' || region - else 'disabled glue data catalog connection password encryption in ' || region - end as reason, - -- Additional Dimensions - region, - account_id + case + when connection_password_encryption is not null and connection_password_encryption ->> 'ReturnConnectionPasswordEncrypted' != 'false' then 'enabled glue data catalog connection password encryption in ' || region + else 'disabled glue data catalog connection password encryption in ' || region + end as reason, + -- Additional Dimensions + region, + account_id from aws_glue_data_catalog_encryption_settings; \ No newline at end of file diff --git a/query/glue/glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql b/query/glue/glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql index 18840a98..8ef073b2 100644 --- a/query/glue/glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql +++ b/query/glue/glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql 
@@ -1,16 +1,17 @@ select + -- Required Columns d.arn as resource, case when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then 'ok' else 'alarm' end as "status", - case - when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then d.title || ' enabled cloud watch logs encryption' - else d.title || ' disabled cloud watch logs encryption' - end as reason, - -- Additional Dimensions - d.region, - d.account_id + case + when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then d.title || ' enabled cloud watch logs encryption' + else d.title || ' disabled cloud watch logs encryption' + end as reason, + -- Additional Dimensions + d.region, + d.account_id from aws_glue_dev_endpoint d - left join aws_glue_security_configuration s on d.security_configuration = s.name; \ No newline at end of file + left join aws_glue_security_configuration s on d.security_configuration = s.name; \ No newline at end of file diff --git a/query/glue/glue_dev_endpoint_job_bookmarks_encryption_enabled.sql b/query/glue/glue_dev_endpoint_job_bookmarks_encryption_enabled.sql index c78060d7..e9b8715b 100644 --- a/query/glue/glue_dev_endpoint_job_bookmarks_encryption_enabled.sql +++ b/query/glue/glue_dev_endpoint_job_bookmarks_encryption_enabled.sql 
@@ -1,16 +1,17 @@ select + -- Required Columns d.arn as resource, case when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then 'ok' else 'alarm' end as "status", - case - when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then d.title || ' enabled job bookmarks encryption' - else d.title || ' disabled job bookmarks encryption' - end as reason, - -- Additional Dimensions - d.region, - d.account_id + case + when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then d.title || ' enabled job bookmarks encryption' + else d.title || ' disabled job bookmarks encryption' + end as reason, + -- Additional Dimensions + d.region, + d.account_id from aws_glue_dev_endpoint d - left join aws_glue_security_configuration s on d.security_configuration = s.name; \ No newline at end of file + left join aws_glue_security_configuration s on d.security_configuration = s.name; \ No newline at end of file diff --git a/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql b/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql index 71e17f76..90970e42 100644 --- a/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql +++ b/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql @@ -1,4 +1,5 @@ select + -- Required Columns d.arn as resource, case when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then 'ok' diff --git a/query/glue/glue_job_cloudwatch_logs_encryption_enabled.sql b/query/glue/glue_job_cloudwatch_logs_encryption_enabled.sql index 6ac9a975..20d43f07 100644 --- a/query/glue/glue_job_cloudwatch_logs_encryption_enabled.sql +++ b/query/glue/glue_job_cloudwatch_logs_encryption_enabled.sql 
@@ -1,16 +1,17 @@ select + -- Required Columns j.arn as resource, case when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then 'ok' else 'alarm' end as "status", - case - when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then j.title || ' enabled cloud watch logs encryption' - else j.title || ' disabled cloud watch logs encryption' - end as reason, - -- Additional Dimensions - j.region, - j.account_id + case + when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then j.title || ' enabled cloud watch logs encryption' + else j.title || ' disabled cloud watch logs encryption' + end as reason, + -- Additional Dimensions + j.region, + j.account_id from aws_glue_job j - left join aws_glue_security_configuration s on j.security_configuration = s.name; \ No newline at end of file + left join aws_glue_security_configuration s on j.security_configuration = s.name; \ No newline at end of file diff --git a/query/glue/glue_job_job_bookmarks_encryption_enabled.sql b/query/glue/glue_job_job_bookmarks_encryption_enabled.sql index 744d5de9..ea269d2b 100644 --- a/query/glue/glue_job_job_bookmarks_encryption_enabled.sql +++ b/query/glue/glue_job_job_bookmarks_encryption_enabled.sql 
@@ -1,16 +1,17 @@ select + -- Required Columns j.arn as resource, case when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then 'ok' else 'alarm' end as "status", - case - when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then j.title || ' enabled job bookmarks encryption' - else j.title || ' disabled job bookmarks encryption' - end as reason, - -- Additional Dimensions - j.region, - j.account_id + case + when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then j.title || ' enabled job bookmarks encryption' + else j.title || ' disabled job bookmarks encryption' + end as reason, + -- Additional Dimensions + j.region, + j.account_id from aws_glue_job j - left join aws_glue_security_configuration s on j.security_configuration = s.name; \ No newline at end of file + left join aws_glue_security_configuration s on j.security_configuration = s.name; \ No newline at end of file diff --git a/query/glue/glue_job_s3_encryption_enabled.sql b/query/glue/glue_job_s3_encryption_enabled.sql index 3bf058e1..a50af916 100644 --- a/query/glue/glue_job_s3_encryption_enabled.sql +++ b/query/glue/glue_job_s3_encryption_enabled.sql 
@@ -1,17 +1,18 @@
 select
+ -- Required Columns
 j.arn as resource,
 case
 when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then 'ok'
 else 'alarm'
 end as "status",
- case
- when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then j.title || ' enabled s3 encryption'
- else j.title || ' disabled s3 encryption'
- end as reason,
- -- Additional Dimensions
- j.region,
- j.account_id
+ case
+ when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then j.title || ' enabled s3 encryption'
+ else j.title || ' disabled s3 encryption'
+ end as reason,
+ -- Additional Dimensions
+ j.region,
+ j.account_id
 from
 aws_glue_job j
- left join aws_glue_security_configuration s on j.security_configuration = s.name,
- jsonb_array_elements(s.s3_encryption) e;
\ No newline at end of file
+ left join aws_glue_security_configuration s on j.security_configuration = s.name,
+ jsonb_array_elements(s.s3_encryption) e;
\ No newline at end of file
From 435e406b98dafd2db9711440c3cb6870b7058edc Mon Sep 17 00:00:00 2001
From: Karan Popat
Date: Mon, 27 Jun 2022 11:18:14 +0530
Subject: [PATCH 7/9] Update glue_dev_endpoint_s3_encryption_enabled.sql
---
 ...lue_dev_endpoint_s3_encryption_enabled.sql | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql b/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql
index 90970e42..1d6df20d 100644
--- a/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql
+++ b/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql
@@ -1,18 +1,18 @@
 select
- -- Required Columns
+ -- Required Columns
 d.arn as resource,
 case
 when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then 'ok'
 else 'alarm'
 end as "status",
- case
- when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then d.title || ' enabled s3 encryption'
- else d.title || ' disabled s3 encryption'
- end as reason,
- -- Additional Dimensions
- d.region,
- d.account_id
+ case
+ when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then d.title || ' enabled s3 encryption'
+ else d.title || ' disabled s3 encryption'
+ end as reason,
+ -- Additional Dimensions
+ d.region,
+ d.account_id
 from
 aws_glue_dev_endpoint d
- left join aws_glue_security_configuration s on d.security_configuration = s.name,
- jsonb_array_elements(s.s3_encryption) e;
\ No newline at end of file
+ left join aws_glue_security_configuration s on d.security_configuration = s.name,
+ jsonb_array_elements(s.s3_encryption) e;
\ No newline at end of file
From 2e8462b2f5e6fa55c35c43357a33bc71fb35d1a5 Mon Sep 17 00:00:00 2001
From: Karan Popat
Date: Mon, 27 Jun 2022 11:31:00 +0530
Subject: [PATCH 8/9] convert indentation
---
 ...n_settings_metadata_encryption_enabled.sql | 26 +++++++--------
 ...n_settings_password_encryption_enabled.sql | 26 +++++++--------
 ...int_cloudwatch_logs_encryption_enabled.sql | 30 ++++++++---------
 ...point_job_bookmarks_encryption_enabled.sql | 30 ++++++++---------
 ...lue_dev_endpoint_s3_encryption_enabled.sql | 32 +++++++++----------
 ...job_cloudwatch_logs_encryption_enabled.sql | 30 ++++++++---------
 ...e_job_job_bookmarks_encryption_enabled.sql | 30 ++++++++---------
 query/glue/glue_job_s3_encryption_enabled.sql | 32 +++++++++----------
 8 files changed, 118 insertions(+), 118 deletions(-)
diff --git a/query/glue/glue_data_catalog_encryption_settings_metadata_encryption_enabled.sql b/query/glue/glue_data_catalog_encryption_settings_metadata_encryption_enabled.sql
index cfd32811..a3af5819 100644
--- a/query/glue/glue_data_catalog_encryption_settings_metadata_encryption_enabled.sql
+++ b/query/glue/glue_data_catalog_encryption_settings_metadata_encryption_enabled.sql
@@ -1,15 +1,15 @@
 select
- -- Required Columns
- case
- when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'ok'
- else 'alarm'
- end as "status",
- case
- when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'enabled glue data catalog metadata encryption in ' || region
- else 'disabled glue data catalog metadata encryption in ' || region
- end as reason,
- -- Additional Dimensions
- region,
- account_id
+ -- Required Columns
+ case
+ when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'enabled glue data catalog metadata encryption in ' || region
+ else 'disabled glue data catalog metadata encryption in ' || region
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
 from
- aws_glue_data_catalog_encryption_settings;
\ No newline at end of file
+ aws_glue_data_catalog_encryption_settings;
\ No newline at end of file
diff --git a/query/glue/glue_data_catalog_encryption_settings_password_encryption_enabled.sql b/query/glue/glue_data_catalog_encryption_settings_password_encryption_enabled.sql
index 83008ca2..9640e17f 100644
--- a/query/glue/glue_data_catalog_encryption_settings_password_encryption_enabled.sql
+++ b/query/glue/glue_data_catalog_encryption_settings_password_encryption_enabled.sql
@@ -1,15 +1,15 @@
 select
- -- Required Columns
- case
- when connection_password_encryption is not null and connection_password_encryption ->> 'ReturnConnectionPasswordEncrypted' != 'false' then 'ok'
- else 'alarm'
- end as "status",
- case
- when connection_password_encryption is not null and connection_password_encryption ->> 'ReturnConnectionPasswordEncrypted' != 'false' then 'enabled glue data catalog connection password encryption in ' || region
- else 'disabled glue data catalog connection password encryption in ' || region
- end as reason,
- -- Additional Dimensions
- region,
- account_id
+ -- Required Columns
+ case
+ when connection_password_encryption is not null and connection_password_encryption ->> 'ReturnConnectionPasswordEncrypted' != 'false' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when connection_password_encryption is not null and connection_password_encryption ->> 'ReturnConnectionPasswordEncrypted' != 'false' then 'enabled glue data catalog connection password encryption in ' || region
+ else 'disabled glue data catalog connection password encryption in ' || region
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
 from
- aws_glue_data_catalog_encryption_settings;
\ No newline at end of file
+ aws_glue_data_catalog_encryption_settings;
\ No newline at end of file
diff --git a/query/glue/glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql b/query/glue/glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql
index 8ef073b2..fd1e5646 100644
--- a/query/glue/glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql
+++ b/query/glue/glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql
@@ -1,17 +1,17 @@
 select
- -- Required Columns
- d.arn as resource,
- case
- when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then 'ok'
- else 'alarm'
- end as "status",
- case
- when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then d.title || ' enabled cloud watch logs encryption'
- else d.title || ' disabled cloud watch logs encryption'
- end as reason,
- -- Additional Dimensions
- d.region,
- d.account_id
+ -- Required Columns
+ d.arn as resource,
+ case
+ when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then d.title || ' enabled cloud watch logs encryption'
+ else d.title || ' disabled cloud watch logs encryption'
+ end as reason,
+ -- Additional Dimensions
+ d.region,
+ d.account_id
 from
- aws_glue_dev_endpoint d
- left join aws_glue_security_configuration s on d.security_configuration = s.name;
\ No newline at end of file
+ aws_glue_dev_endpoint d
+ left join aws_glue_security_configuration s on d.security_configuration = s.name;
\ No newline at end of file
diff --git a/query/glue/glue_dev_endpoint_job_bookmarks_encryption_enabled.sql b/query/glue/glue_dev_endpoint_job_bookmarks_encryption_enabled.sql
index e9b8715b..aa26defc 100644
--- a/query/glue/glue_dev_endpoint_job_bookmarks_encryption_enabled.sql
+++ b/query/glue/glue_dev_endpoint_job_bookmarks_encryption_enabled.sql
@@ -1,17 +1,17 @@
 select
- -- Required Columns
- d.arn as resource,
- case
- when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then 'ok'
- else 'alarm'
- end as "status",
- case
- when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then d.title || ' enabled job bookmarks encryption'
- else d.title || ' disabled job bookmarks encryption'
- end as reason,
- -- Additional Dimensions
- d.region,
- d.account_id
+ -- Required Columns
+ d.arn as resource,
+ case
+ when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then d.title || ' enabled job bookmarks encryption'
+ else d.title || ' disabled job bookmarks encryption'
+ end as reason,
+ -- Additional Dimensions
+ d.region,
+ d.account_id
 from
- aws_glue_dev_endpoint d
- left join aws_glue_security_configuration s on d.security_configuration = s.name;
\ No newline at end of file
+ aws_glue_dev_endpoint d
+ left join aws_glue_security_configuration s on d.security_configuration = s.name;
\ No newline at end of file
diff --git a/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql b/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql
index 1d6df20d..42b30db7 100644
--- a/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql
+++ b/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql
@@ -1,18 +1,18 @@
 select
- -- Required Columns
- d.arn as resource,
- case
- when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then 'ok'
- else 'alarm'
- end as "status",
- case
- when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then d.title || ' enabled s3 encryption'
- else d.title || ' disabled s3 encryption'
- end as reason,
- -- Additional Dimensions
- d.region,
- d.account_id
+ -- Required Columns
+ d.arn as resource,
+ case
+ when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then d.title || ' enabled s3 encryption'
+ else d.title || ' disabled s3 encryption'
+ end as reason,
+ -- Additional Dimensions
+ d.region,
+ d.account_id
 from
- aws_glue_dev_endpoint d
- left join aws_glue_security_configuration s on d.security_configuration = s.name,
- jsonb_array_elements(s.s3_encryption) e;
\ No newline at end of file
+ aws_glue_dev_endpoint d
+ left join aws_glue_security_configuration s on d.security_configuration = s.name,
+ jsonb_array_elements(s.s3_encryption) e;
\ No newline at end of file
diff --git a/query/glue/glue_job_cloudwatch_logs_encryption_enabled.sql b/query/glue/glue_job_cloudwatch_logs_encryption_enabled.sql
index 20d43f07..089ccc50 100644
--- a/query/glue/glue_job_cloudwatch_logs_encryption_enabled.sql
+++ b/query/glue/glue_job_cloudwatch_logs_encryption_enabled.sql
@@ -1,17 +1,17 @@
 select
- -- Required Columns
- j.arn as resource,
- case
- when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then 'ok'
- else 'alarm'
- end as "status",
- case
- when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then j.title || ' enabled cloud watch logs encryption'
- else j.title || ' disabled cloud watch logs encryption'
- end as reason,
- -- Additional Dimensions
- j.region,
- j.account_id
+ -- Required Columns
+ j.arn as resource,
+ case
+ when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then j.title || ' enabled cloud watch logs encryption'
+ else j.title || ' disabled cloud watch logs encryption'
+ end as reason,
+ -- Additional Dimensions
+ j.region,
+ j.account_id
 from
- aws_glue_job j
- left join aws_glue_security_configuration s on j.security_configuration = s.name;
\ No newline at end of file
+ aws_glue_job j
+ left join aws_glue_security_configuration s on j.security_configuration = s.name;
\ No newline at end of file
diff --git a/query/glue/glue_job_job_bookmarks_encryption_enabled.sql b/query/glue/glue_job_job_bookmarks_encryption_enabled.sql
index ea269d2b..7841100b 100644
--- a/query/glue/glue_job_job_bookmarks_encryption_enabled.sql
+++ b/query/glue/glue_job_job_bookmarks_encryption_enabled.sql
@@ -1,17 +1,17 @@
 select
- -- Required Columns
- j.arn as resource,
- case
- when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then 'ok'
- else 'alarm'
- end as "status",
- case
- when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then j.title || ' enabled job bookmarks encryption'
- else j.title || ' disabled job bookmarks encryption'
- end as reason,
- -- Additional Dimensions
- j.region,
- j.account_id
+ -- Required Columns
+ j.arn as resource,
+ case
+ when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then j.title || ' enabled job bookmarks encryption'
+ else j.title || ' disabled job bookmarks encryption'
+ end as reason,
+ -- Additional Dimensions
+ j.region,
+ j.account_id
 from
- aws_glue_job j
- left join aws_glue_security_configuration s on j.security_configuration = s.name;
\ No newline at end of file
+ aws_glue_job j
+ left join aws_glue_security_configuration s on j.security_configuration = s.name;
\ No newline at end of file
diff --git a/query/glue/glue_job_s3_encryption_enabled.sql b/query/glue/glue_job_s3_encryption_enabled.sql
index a50af916..026c5b47 100644
--- a/query/glue/glue_job_s3_encryption_enabled.sql
+++ b/query/glue/glue_job_s3_encryption_enabled.sql
@@ -1,18 +1,18 @@
 select
- -- Required Columns
- j.arn as resource,
- case
- when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then 'ok'
- else 'alarm'
- end as "status",
- case
- when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then j.title || ' enabled s3 encryption'
- else j.title || ' disabled s3 encryption'
- end as reason,
- -- Additional Dimensions
- j.region,
- j.account_id
+ -- Required Columns
+ j.arn as resource,
+ case
+ when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then 'ok'
+ else 'alarm'
+ end as "status",
+ case
+ when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then j.title || ' enabled s3 encryption'
+ else j.title || ' disabled s3 encryption'
+ end as reason,
+ -- Additional Dimensions
+ j.region,
+ j.account_id
 from
- aws_glue_job j
- left join aws_glue_security_configuration s on j.security_configuration = s.name,
- jsonb_array_elements(s.s3_encryption) e;
\ No newline at end of file
+ aws_glue_job j
+ left join aws_glue_security_configuration s on j.security_configuration = s.name,
+ jsonb_array_elements(s.s3_encryption) e;
\ No newline at end of file
From 0fdc56e35f9eb356240b4e92ea0f5db770511b64 Mon Sep 17 00:00:00 2001
From: Khushboo
Date: Mon, 27 Jun 2022 15:40:50 +0530
Subject: [PATCH 9/9] update
---
 ...dpoint_cloudwatch_logs_encryption_enabled.sql | 16 ++++++++--------
 ...endpoint_job_bookmarks_encryption_enabled.sql | 14 +++++++-------
 .../glue_dev_endpoint_s3_encryption_enabled.sql | 6 +++---
 ...ue_job_cloudwatch_logs_encryption_enabled.sql | 10 +++++-----
 ...glue_job_job_bookmarks_encryption_enabled.sql | 10 +++++-----
 query/glue/glue_job_s3_encryption_enabled.sql | 10 +++++-----
 6 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/query/glue/glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql b/query/glue/glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql
index fd1e5646..3db5e63c 100644
--- a/query/glue/glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql
+++ b/query/glue/glue_dev_endpoint_cloudwatch_logs_encryption_enabled.sql
@@ -1,17 +1,17 @@
 select
 -- Required Columns
- d.arn as resource,
+ e.arn as resource,
 case
 when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then 'ok'
 else 'alarm'
- end as "status",
+ end as status,
 case
- when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then d.title || ' enabled cloud watch logs encryption'
- else d.title || ' disabled cloud watch logs encryption'
+ when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then e.title || ' CloudWatch logs encryption enabled.'
+ else e.title || ' CloudWatch logs encryption disabled.'
 end as reason,
 -- Additional Dimensions
- d.region,
- d.account_id
+ e.region,
+ e.account_id
 from
- aws_glue_dev_endpoint d
- left join aws_glue_security_configuration s on d.security_configuration = s.name;
\ No newline at end of file
+ aws_glue_dev_endpoint as e
+ left join aws_glue_security_configuration as c on e.security_configuration = c.name;
\ No newline at end of file
diff --git a/query/glue/glue_dev_endpoint_job_bookmarks_encryption_enabled.sql b/query/glue/glue_dev_endpoint_job_bookmarks_encryption_enabled.sql
index aa26defc..7fd83cf6 100644
--- a/query/glue/glue_dev_endpoint_job_bookmarks_encryption_enabled.sql
+++ b/query/glue/glue_dev_endpoint_job_bookmarks_encryption_enabled.sql
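Review bot: `cloud_watch_encryption` is the one column this hunk leaves unqualified after both tables were re-aliased to `e` and `c`; the `is not null` test only means "no security configuration attached → alarm" if that column is read from the configuration side, so spell it `c.cloud_watch_encryption` (presumably where it lives) so the intent is explicit and a same-named column added to the endpoint table later cannot turn the query into an ambiguous-column error. The same unqualified read is in the dev-endpoint job-bookmarks hunk just below and in both glue_job CloudWatch and job-bookmarks hunks of this commit. Separately, `status` is unquoted here and in the glue_job hunks, but the dev-endpoint job-bookmarks and dev-endpoint s3 hunks of the same commit keep `"status"`; the six files should agree on one form.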
@@ -1,17 +1,17 @@
 select
 -- Required Columns
- d.arn as resource,
+ e.arn as resource,
 case
 when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then 'ok'
 else 'alarm'
 end as "status",
 case
- when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then d.title || ' enabled job bookmarks encryption'
- else d.title || ' disabled job bookmarks encryption'
+ when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then e.title || ' job bookmarks encryption enabled.'
+ else e.title || ' job bookmarks encryption disabled.'
 end as reason,
 -- Additional Dimensions
- d.region,
- d.account_id
+ e.region,
+ e.account_id
 from
- aws_glue_dev_endpoint d
- left join aws_glue_security_configuration s on d.security_configuration = s.name;
\ No newline at end of file
+ aws_glue_dev_endpoint as e
+ left join aws_glue_security_configuration as c on e.security_configuration = c.name;
\ No newline at end of file
diff --git a/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql b/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql
index 42b30db7..9957397e 100644
--- a/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql
+++ b/query/glue/glue_dev_endpoint_s3_encryption_enabled.sql
@@ -6,13 +6,13 @@ select
 else 'alarm'
 end as "status",
 case
- when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then d.title || ' enabled s3 encryption'
- else d.title || ' disabled s3 encryption'
+ when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then d.title || ' s3 encryption enabled.'
+ else d.title || ' s3 encryption disabled.'
 end as reason,
 -- Additional Dimensions
 d.region,
 d.account_id
 from
- aws_glue_dev_endpoint d
+ aws_glue_dev_endpoint as d
 left join aws_glue_security_configuration s on d.security_configuration = s.name,
 jsonb_array_elements(s.s3_encryption) e;
\ No newline at end of file
diff --git a/query/glue/glue_job_cloudwatch_logs_encryption_enabled.sql b/query/glue/glue_job_cloudwatch_logs_encryption_enabled.sql
index 089ccc50..4e2b3f44 100644
--- a/query/glue/glue_job_cloudwatch_logs_encryption_enabled.sql
+++ b/query/glue/glue_job_cloudwatch_logs_encryption_enabled.sql
@@ -4,14 +4,14 @@ select
 case
 when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then 'ok'
 else 'alarm'
- end as "status",
+ end as status,
 case
- when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then j.title || ' enabled cloud watch logs encryption'
- else j.title || ' disabled cloud watch logs encryption'
+ when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then j.title || ' CloudWatch logs encryption enabled.'
+ else j.title || ' CloudWatch logs encryption disabled.'
 end as reason,
 -- Additional Dimensions
 j.region,
 j.account_id
 from
- aws_glue_job j
- left join aws_glue_security_configuration s on j.security_configuration = s.name;
\ No newline at end of file
+ aws_glue_job as j
+ left join aws_glue_security_configuration as c on j.security_configuration = c.name;
\ No newline at end of file
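Review bot: The trailing `, jsonb_array_elements(s.s3_encryption) e` in the FROM list of this hunk is a cross join against a set-returning function, so a dev endpoint with no matching security configuration (and, it appears, one whose `s3_encryption` is null or an empty array) produces zero rows and silently drops out of the result instead of reporting `alarm`; the `e is not null` branch in the status and reason cases can never fire, and the endpoints most likely to be non-compliant are the ones that vanish. Change the last join to `left join lateral jsonb_array_elements(s.s3_encryption) as e on true` so an unconfigured endpoint keeps its row with `e` null and lands in the `alarm` branch. The glue_job_s3_encryption_enabled.sql hunk at the end of this series has the same comma join and needs the same change. The statement starts at line 1, outside this hunk.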
diff --git a/query/glue/glue_job_job_bookmarks_encryption_enabled.sql b/query/glue/glue_job_job_bookmarks_encryption_enabled.sql
index 7841100b..8c1750f2 100644
--- a/query/glue/glue_job_job_bookmarks_encryption_enabled.sql
+++ b/query/glue/glue_job_job_bookmarks_encryption_enabled.sql
@@ -4,14 +4,14 @@ select
 case
 when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then 'ok'
 else 'alarm'
- end as "status",
+ end as status,
 case
- when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then j.title || ' enabled job bookmarks encryption'
- else j.title || ' disabled job bookmarks encryption'
+ when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then j.title || ' job bookmarks encryption enabled.'
+ else j.title || ' job bookmarks encryption disabled.'
 end as reason,
 -- Additional Dimensions
 j.region,
 j.account_id
 from
- aws_glue_job j
- left join aws_glue_security_configuration s on j.security_configuration = s.name;
\ No newline at end of file
+ aws_glue_job as j
+ left join aws_glue_security_configuration as c on j.security_configuration = c.name;
\ No newline at end of file
diff --git a/query/glue/glue_job_s3_encryption_enabled.sql b/query/glue/glue_job_s3_encryption_enabled.sql
index 026c5b47..e8fd7e06 100644
--- a/query/glue/glue_job_s3_encryption_enabled.sql
+++ b/query/glue/glue_job_s3_encryption_enabled.sql
@@ -4,15 +4,15 @@ select
 case
 when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then 'ok'
 else 'alarm'
- end as "status",
+ end as status,
 case
- when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then j.title || ' enabled s3 encryption'
- else j.title || ' disabled s3 encryption'
+ when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then j.title || ' enabled s3 encryption.'
+ else j.title || ' disabled s3 encryption.'
 end as reason,
 -- Additional Dimensions
 j.region,
 j.account_id
 from
- aws_glue_job j
- left join aws_glue_security_configuration s on j.security_configuration = s.name,
+ aws_glue_job as j
+ left join aws_glue_security_configuration as s on j.security_configuration = s.name,
 jsonb_array_elements(s.s3_encryption) e;
\ No newline at end of file
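Review bot: The reason strings in this hunk keep the verb-first wording `' enabled s3 encryption.'` / `' disabled s3 encryption.'`, while the other five hunks of this commit moved to the noun-first form (`' s3 encryption enabled.'` in the dev-endpoint s3 hunk); make these `j.title || ' s3 encryption enabled.'` and `j.title || ' s3 encryption disabled.'` so the check output reads uniformly. The security-configuration alias also stays `s` here while the CloudWatch and job-bookmarks hunks renamed it to `c`; either is fine, but one series should pick one. The statement starts at line 1, outside this hunk.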