Initial other-checks benchmark #431
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Co-authored-by: Khushboo <khushboo@turbot.com>
…mpliance into extra-checks-control
…mpliance into extra-checks-control
cbruno10
requested changes
Jul 5, 2022
There was a problem hiding this comment.
@rajlearner17 I know this PR is still in draft, but I took an initial look as I know we're releasing this week. Please see comments, if any are already changed, please disregard, thanks!
| @@ -0,0 +1,44 @@ | |||
| with all_lb_details as ( | |||
| select | |||
| arn, | |||
There was a problem hiding this comment.
@rajlearner17 Why is this query using tabs (along with others)?
other_checks/other.sp
Outdated
| } | ||
|
|
||
| benchmark "other" { | ||
| title = "Other" |
There was a problem hiding this comment.
Suggested change
| title = "Other" | |
| title = "Other Compliance Checks" |
| @@ -0,0 +1 @@ | |||
| We are adding additional checks to improve the information gathering around other AWS compliance best practices, these checks are out of the scope of any predefined benchmarks for AWS but we consider them very helpful. | |||
There was a problem hiding this comment.
I'm currently writing some additional content for this doc, I'll add it later today
misraved
reviewed
Jul 6, 2022
| with control_panel_audit_logging as ( | ||
| select | ||
| distinct arn, | ||
| log -> 'Types' as log_type |
There was a problem hiding this comment.
Suggested change
| log -> 'Types' as log_type | |
| log -> 'Types' as log_type |
misraved
reviewed
Jul 6, 2022
| jsonb_array_elements(logging -> 'ClusterLogging') as log | ||
| where | ||
| log ->> 'Enabled' = 'true' | ||
| and (log -> 'Types') @> '["api","audit", "authenticator", "controllerManager","scheduler"]' |
There was a problem hiding this comment.
Suggested change
| and (log -> 'Types') @> '["api","audit", "authenticator", "controllerManager","scheduler"]' | |
| and (log -> 'Types') @> '["api", "audit", "authenticator", "controllerManager", "scheduler"]' |
misraved
reviewed
Jul 6, 2022
| case | ||
| when l.security_groups is null then l.title || ' does not have security group attached.' | ||
| when s.num = 0 then l.title || ' does not have outbound rule.' | ||
| else l.title || ' have outbound rule(s).' |
There was a problem hiding this comment.
Can we add how many outbound rules are present?
misraved
reviewed
Jul 6, 2022
query/elb/elb_classic_lb_unused.sql
Outdated
| aws_ec2_classic_load_balancer as c, | ||
| jsonb_array_elements(instances) as e | ||
| left join aws_ec2_instance as i on i.instance_id = e ->> 'InstanceId' | ||
|
|
misraved
reviewed
Jul 6, 2022
| @@ -0,0 +1,20 @@ | |||
| select | |||
| -- Required Columns | |||
There was a problem hiding this comment.
Suggested change
| -- Required Columns | |
| -- Required Columns |
There was a problem hiding this comment.
@khushboo9024 Could we update the alignment of the queries to maintain consistency?
misraved
reviewed
Jul 6, 2022
| else 'alarm' | ||
| end as "status", | ||
| case | ||
| when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'enabled glue data catalog metadata encryption in ' || region |
There was a problem hiding this comment.
Suggested change
| when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'enabled glue data catalog metadata encryption in ' || region | |
| when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'glue data catalog metadata encryption is enabled in ' || region |
misraved
reviewed
Jul 6, 2022
| end as "status", | ||
| case | ||
| when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'enabled glue data catalog metadata encryption in ' || region | ||
| else 'disabled glue data catalog metadata encryption in ' || region |
There was a problem hiding this comment.
Suggested change
| else 'disabled glue data catalog metadata encryption in ' || region | |
| else 'glue data catalog metadata encryption is disabled in ' || region |
misraved
reviewed
Jul 6, 2022
| else 'alarm' | ||
| end as "status", | ||
| case | ||
| when connection_password_encryption is not null and connection_password_encryption ->> 'ReturnConnectionPasswordEncrypted' != 'false' then 'enabled glue data catalog connection password encryption in ' || region |
There was a problem hiding this comment.
Please make changes as per the above suggestion
misraved
reviewed
Jul 6, 2022
| else 'alarm' | ||
| end as "status", | ||
| case | ||
| when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then d.title || ' s3 encryption enabled.' |
There was a problem hiding this comment.
Suggested change
| when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then d.title || ' s3 encryption enabled.' | |
| when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then d.title || ' S3 encryption enabled.' |
misraved
reviewed
Jul 6, 2022
| end as "status", | ||
| case | ||
| when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then d.title || ' s3 encryption enabled.' | ||
| else d.title || ' s3 encryption disabled.' |
There was a problem hiding this comment.
Suggested change
| else d.title || ' s3 encryption disabled.' | |
| else d.title || ' S3 encryption disabled.' |
misraved
reviewed
Jul 6, 2022
| else 'alarm' | ||
| end as status, | ||
| case | ||
| when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then j.title || ' enabled s3 encryption.' |
There was a problem hiding this comment.
Can we update the reason to follow a single pattern as mentioned in -
https://github.com/turbot/steampipe-mod-aws-compliance/pull/431/files#r914552035
misraved
reviewed
Jul 6, 2022
| else 'ok' | ||
| end as status, | ||
| case | ||
| when fu.user_id is not null then u.name || ' custom policies allows STS Role assumption.' |
There was a problem hiding this comment.
Suggested change
| when fu.user_id is not null then u.name || ' custom policies allows STS Role assumption.' | |
| when fu.user_id is not null then u.name || ' custom policies allow STS Role assumption.' |
misraved
reviewed
Jul 6, 2022
| end as status, | ||
| case | ||
| when au.user_id is null then u.name || ' does not have administrator access.' | ||
| when au.user_id is not null and u.mfa_enabled then u.name || ' have MFA token enabled.' |
There was a problem hiding this comment.
Suggested change
| when au.user_id is not null and u.mfa_enabled then u.name || ' have MFA token enabled.' | |
| when au.user_id is not null and u.mfa_enabled then u.name || ' has MFA token enabled.' |
…te other check overview page
cbruno10
approved these changes
Jul 6, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Checklist