From f4f188bfd1e44fe8954ce72d820b24884711cdfd Mon Sep 17 00:00:00 2001 From: Yoriyasu Yano <430092+yorinasub17@users.noreply.github.com> Date: Tue, 5 Jul 2022 18:56:21 -0500 Subject: [PATCH 1/4] Filter out opted out regions in config check --- query/config/config_enabled_all_regions.sql | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/query/config/config_enabled_all_regions.sql b/query/config/config_enabled_all_regions.sql index 6f9dd133..d44d67c6 100644 --- a/query/config/config_enabled_all_regions.sql +++ b/query/config/config_enabled_all_regions.sql @@ -49,4 +49,6 @@ from global_recorders as g, aws_region as a left join aws_config_configuration_recorder as r - on r.account_id = a.account_id and r.region = a.name; + on r.account_id = a.account_id and r.region = a.name +where + a.opt_in_status != 'not-opted-in'; From 547faadc17c16075c93f2753971eb20ccfaa2859 Mon Sep 17 00:00:00 2001 From: Yoriyasu Yano <430092+yorinasub17@users.noreply.github.com> Date: Wed, 6 Jul 2022 07:51:10 -0500 Subject: [PATCH 2/4] Mark disabled regions as skip and cite reason --- query/config/config_enabled_all_regions.sql | 38 ++++++++++++--------- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/query/config/config_enabled_all_regions.sql b/query/config/config_enabled_all_regions.sql index d44d67c6..2e176ac1 100644 --- a/query/config/config_enabled_all_regions.sql +++ b/query/config/config_enabled_all_regions.sql 
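Review bot: The added `where a.opt_in_status != 'not-opted-in'` also removes any row whose `opt_in_status` is NULL, because the comparison then evaluates to unknown rather than true. For a compliance control, a region that silently produces no result row is harder to notice than one that fails, so `where a.opt_in_status is distinct from 'not-opted-in'` would keep such rows in the output. Whether the column can actually be NULL is not visible here, and the select list this filter applies to starts outside the hunk.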
@@ -23,24 +23,30 @@ select and status ->> 'Recording' = 'true' and status ->> 'LastStatus' = 'SUCCESS' then 'ok' + -- Skip any regions that are disabled in the account. + when a.opt_in_status = 'not-opted-in' then 'skip' else 'alarm' end as status, -- Below cases are for citing respective reasons for control state case - when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then a.region || ' IncludeGlobalResourceTypes enabled,' - else a.region || ' IncludeGlobalResourceTypes disabled,' - end || - case - when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,' - else ' AllSupported disabled,' - end || - case - when status ->> 'Recording' = 'true' then ' Recording enabled' - else ' Recording disabled' - end || - case - when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.' - else ' and LastStatus is not SUCCESS.' + when a.opt_in_status = 'not-opted-in' then 'Region is opted out.' + else + case + when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then a.region || ' IncludeGlobalResourceTypes enabled,' + else a.region || ' IncludeGlobalResourceTypes disabled,' + end || + case + when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,' + else ' AllSupported disabled,' + end || + case + when status ->> 'Recording' = 'true' then ' Recording enabled' + else ' Recording disabled' + end || + case + when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.' + else ' and LastStatus is not SUCCESS.' + end end as reason, -- Additional columns a.region, @@ -49,6 +55,4 @@ from global_recorders as g, aws_region as a left join aws_config_configuration_recorder as r - on r.account_id = a.account_id and r.region = a.name -where - a.opt_in_status != 'not-opted-in'; + on r.account_id = a.account_id and r.region = a.name; From cba6da41eb61b34d279be2da38478d821c175a24 Mon Sep 17 00:00:00 2001 
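Review bot: The two `case` expressions test the opt-in status at different positions: in `status` the new `when a.opt_in_status = 'not-opted-in' then 'skip'` comes after the `'ok'` branch, while in `reason` it is the first branch. If a row ever satisfied both conditions (for example a stale recorder row for a region now reported as not opted in; this is an assumption, since the start of the `status` case is outside the hunk), the control would report `ok` together with the reason `Region is opted out.`. Putting the opt-in test first in both expressions keeps status and reason in agreement. A comment above the `reason` branch, such as `-- Disabled regions cannot host a recorder; report them as skipped rather than failed.`, would also record why these rows are not alarmed.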
From: Yoriyasu Yano <430092+yorinasub17@users.noreply.github.com> Date: Wed, 6 Jul 2022 08:55:07 -0500 Subject: [PATCH 3/4] Update query/config/config_enabled_all_regions.sql Co-authored-by: cbruno10 --- query/config/config_enabled_all_regions.sql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/query/config/config_enabled_all_regions.sql b/query/config/config_enabled_all_regions.sql index 2e176ac1..de381587 100644 --- a/query/config/config_enabled_all_regions.sql +++ b/query/config/config_enabled_all_regions.sql @@ -29,7 +29,7 @@ select end as status, -- Below cases are for citing respective reasons for control state case - when a.opt_in_status = 'not-opted-in' then 'Region is opted out.' + when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.' else case when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then a.region || ' IncludeGlobalResourceTypes enabled,' From ee9dcfd815c86b191222c786f3c626d2cb0d99f6 Mon Sep 17 00:00:00 2001 From: Yoriyasu Yano <430092+yorinasub17@users.noreply.github.com> Date: Wed, 6 Jul 2022 08:56:12 -0500 Subject: [PATCH 4/4] Remove extra space --- query/config/config_enabled_all_regions.sql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/query/config/config_enabled_all_regions.sql b/query/config/config_enabled_all_regions.sql index de381587..4cbecacc 100644 --- a/query/config/config_enabled_all_regions.sql +++ b/query/config/config_enabled_all_regions.sql @@ -29,7 +29,7 @@ select end as status, -- Below cases are for citing respective reasons for control state case - when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.' + when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.' else case when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then a.region || ' IncludeGlobalResourceTypes enabled,'