Filter out opted out regions in config check #437
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks @yorinasub17 for using Steampipe 👍 . Great to see your contribution here 👍. You are absolutely right about the control reporting an error state, however, instead of filtering out the regions which have not been opted in, could we skip them in state and add a reason for opted-out regions? You could refer https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/query/securityhub/securityhub_enabled.sql for more information. |
Sounds good! Updated in 547faad and checked that it works as intended (account ID masked): |
cbruno10
requested changes
Jul 6, 2022
| case | ||
| when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.' | ||
| else ' and LastStatus is not SUCCESS.' | ||
| when a.opt_in_status = 'not-opted-in' then 'Region is opted out.' |
There was a problem hiding this comment.
Suggested change
| when a.opt_in_status = 'not-opted-in' then 'Region is opted out.' | |
| when a.opt_in_status = 'not-opted-in' then a.region || ' disabled.' |
For instance: ap-southeast-3 disabled.
I think we should include the region name in the reason to keep all of the reasons consistent. I also wonder if we should use the term disabled instead of opted out? The column/property uses the terms opt-in and opt out, but in all AWS documentation, they use enabled and disabled, e.g.,
- https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws-enable-disable-regions.html
- https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html
@yorinasub17 Do you think the term disabled vs. opt out be confusing, or would it convey the same message?
There was a problem hiding this comment.
Or if this is more clear:
Suggested change
| when a.opt_in_status = 'not-opted-in' then 'Region is opted out.' | |
| when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.' |
For instance: ap-southeast-3 region is disabled.
There was a problem hiding this comment.
I think we should include the region name in the reason to keep all of the reasons consistent.
Sounds good to me.
I also wonder if we should use the term disabled instead of opted out?
That's a good question! I actually used disabled originally, and switched to opted out to be consistent with the parameter, but you are right that most of the AWS documentation and UI use the enable/disable terminology, so probably does make sense to be consistent there.
I accepted the second suggestion!
Here is what the output looks like now:
%~> aws-vault exec logs -- steampipe check control.cis_v140_3_5 --workspace-chdir .
+ 3.5 Ensure AWS Config is enabled in all regions ........................................................................................ 1 / 22 [==========]
|
ALARM: ap-northeast-3 IncludeGlobalResourceTypes disabled, AllSupported disabled, Recording disabled and LastStatus is not SUCC… ap-northeast-3 000000000000
OK : us-west-1 IncludeGlobalResourceTypes disabled, AllSupported enabled, Recording enabled and LastStatus is SUCCESS. ............ us-west-1 000000000000
OK : ap-southeast-2 IncludeGlobalResourceTypes disabled, AllSupported enabled, Recording enabled and LastStatus is SUCCESS. .. ap-southeast-2 000000000000
OK : eu-west-1 IncludeGlobalResourceTypes disabled, AllSupported enabled, Recording enabled and LastStatus is SUCCESS. ............ eu-west-1 000000000000
OK : ap-southeast-1 IncludeGlobalResourceTypes disabled, AllSupported enabled, Recording enabled and LastStatus is SUCCESS. .. ap-southeast-1 000000000000
OK : us-east-1 IncludeGlobalResourceTypes enabled, AllSupported enabled, Recording enabled and LastStatus is SUCCESS. ............. us-east-1 000000000000
OK : us-east-2 IncludeGlobalResourceTypes disabled, AllSupported enabled, Recording enabled and LastStatus is SUCCESS. ............ us-east-2 000000000000
OK : eu-north-1 IncludeGlobalResourceTypes disabled, AllSupported enabled, Recording enabled and LastStatus is SUCCESS. .......... eu-north-1 000000000000
OK : us-west-2 IncludeGlobalResourceTypes disabled, AllSupported enabled, Recording enabled and LastStatus is SUCCESS. ............ us-west-2 000000000000
OK : ca-central-1 IncludeGlobalResourceTypes disabled, AllSupported enabled, Recording enabled and LastStatus is SUCCESS. ...... ca-central-1 000000000000
OK : eu-west-3 IncludeGlobalResourceTypes disabled, AllSupported enabled, Recording enabled and LastStatus is SUCCESS. ............ eu-west-3 000000000000
OK : eu-central-1 IncludeGlobalResourceTypes disabled, AllSupported enabled, Recording enabled and LastStatus is SUCCESS. ...... eu-central-1 000000000000
OK : ap-northeast-2 IncludeGlobalResourceTypes disabled, AllSupported enabled, Recording enabled and LastStatus is SUCCESS. .. ap-northeast-2 000000000000
OK : sa-east-1 IncludeGlobalResourceTypes disabled, AllSupported enabled, Recording enabled and LastStatus is SUCCESS. ............ sa-east-1 000000000000
OK : ap-northeast-1 IncludeGlobalResourceTypes disabled, AllSupported enabled, Recording enabled and LastStatus is SUCCESS. .. ap-northeast-1 000000000000
OK : eu-west-2 IncludeGlobalResourceTypes disabled, AllSupported enabled, Recording enabled and LastStatus is SUCCESS. ............ eu-west-2 000000000000
OK : ap-south-1 IncludeGlobalResourceTypes disabled, AllSupported enabled, Recording enabled and LastStatus is SUCCESS. .......... ap-south-1 000000000000
SKIP : ap-southeast-3 region is disabled. ...................................................................................... ap-southeast-3 000000000000
SKIP : eu-south-1 region is disabled. .............................................................................................. eu-south-1 000000000000
SKIP : ap-east-1 region is disabled. ................................................................................................ ap-east-1 000000000000
SKIP : me-south-1 region is disabled. .............................................................................................. me-south-1 000000000000
SKIP : af-south-1 region is disabled. .............................................................................................. af-south-1 000000000000
Summary
OK ........................................................................................................................................... 16 [======== ]
SKIP .......................................................................................................................................... 5 [=== ]
INFO .......................................................................................................................................... 0 [ ]
ALARM ......................................................................................................................................... 1 [= ]
ERROR ......................................................................................................................................... 0 [ ]
TOTAL .................................................................................................................................... 1 / 22 [==========]
Co-authored-by: cbruno10 <cody@turbot.com>
misraved
approved these changes
Jul 7, 2022
cbruno10
approved these changes
Jul 7, 2022
|
@yorinasub17 Thanks again for the PR! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR updates the "AWS Config Enabled in all regions" query to filter out regions that are opted out. Opted out regions can not be accessed in any way so missing config resources in those regions should not be reported as an error.