From 3f588058d37c1eda960af2d204122cc962ebd419 Mon Sep 17 00:00:00 2001
From: rajmohanty17
Date: Fri, 14 Apr 2023 13:23:57 +0530
Subject: [PATCH 1/3] Lambda functions should operate in more than one availability zone false positives. Fixes #609
---
 conformance_pack/lambda.sp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/conformance_pack/lambda.sp b/conformance_pack/lambda.sp
index 3aa76489..d5a83080 100644
--- a/conformance_pack/lambda.sp
+++ b/conformance_pack/lambda.sp
@@ -129,7 +129,6 @@ query "lambda_function_dead_letter_queue_configured" {
 query "lambda_function_in_vpc" {
 sql = <<-EOQ
 select
-
 arn as resource,
 case
 when vpc_id is null then 'alarm'
@@ -139,7 +138,6 @@ query "lambda_function_in_vpc" {
 when vpc_id is null then title || ' is not in VPC.'
 else title || ' is in VPC ' || vpc_id || '.'
 end reason
-
 ${local.tag_dimensions_sql}
 ${local.common_dimensions_sql}
 from
@@ -321,6 +319,7 @@ query "lambda_function_multiple_az_configured" {
 arn as resource,
 case
 when vpc_id is null then 'skip'
+ when vpc_id = '' then 'skip'
 else
 case
 when (
@@ -337,6 +336,7 @@ query "lambda_function_multiple_az_configured" {
 end as status,
 case
 when vpc_id is null then title || ' is not in VPC.'
+ when vpc_id = '' then title || ' is not in VPC.'
 else title || ' has ' || jsonb_array_length(vpc_subnet_ids) || ' availability zone(s).'
 end as reason
 ${local.tag_dimensions_sql}
From 01a00e72bfb65884cdc2490b7c611f2bb83fee8d Mon Sep 17 00:00:00 2001
From: rajmohanty17
Date: Fri, 14 Apr 2023 13:42:26 +0530
Subject: [PATCH 2/3] Tidy up format
---
 conformance_pack/lambda.sp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/conformance_pack/lambda.sp b/conformance_pack/lambda.sp
index d5a83080..eede98fe 100644
--- a/conformance_pack/lambda.sp
+++ b/conformance_pack/lambda.sp
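Review bot: The new `when vpc_id = '' then 'skip'` branch in the -321 hunk, and its reason twin in the -337 hunk, treat an empty string exactly like null without recording why, and a later reader of a compliance control needs that before trusting a skip. A one-line comment above the case would carry it, e.g. `-- vpc_id is '' rather than null when a function's VPC config has been cleared -- TODO confirm against the source table`, since the origin of the empty id is only inferred from the commit title here. The test is an exact match, so a vpc_id holding only whitespace, should the source table ever yield one, would still reach the AZ-count branch; `nullif(trim(vpc_id), '') is null` would cover that form if it is a real case. The enclosing query block starts and ends outside both hunks.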
@@ -252,13 +252,13 @@ query "lambda_function_cloudtrail_logging_enabled" {
 case
 when (l.arn = c.lambda_arn)
 or (r.lambda_arn = 'arn:aws:lambda' and r.cloudtrail_region = l.region )
- or a.cloudtrail_region = l.region then 'ok'
+ or a.cloudtrail_region = l.region then 'ok'
 else 'alarm'
 end as status,
 case
 when (l.arn = c.lambda_arn)
 or (r.lambda_arn = 'arn:aws:s3' and r.cloudtrail_region = l.region )
- or a.cloudtrail_region = l.region then l.name || ' logging enabled.'
+ or a.cloudtrail_region = l.region then l.name || ' logging enabled.'
 else l.name || ' logging not enabled.'
 end as reason
 ${local.tag_dimensions_sql}
@@ -319,7 +319,7 @@ query "lambda_function_multiple_az_configured" {
 arn as resource,
 case
 when vpc_id is null then 'skip'
- when vpc_id = '' then 'skip'
+ when vpc_id = '' then 'skip'
 else
 case
 when (
From 52aad90e3a154dffed967055965c30c834dcef02 Mon Sep 17 00:00:00 2001
From: rajmohanty17
Date: Fri, 14 Apr 2023 13:52:18 +0530
Subject: [PATCH 3/3] Optimize the similar case in lambda_function_in_vpc
---
 conformance_pack/lambda.sp | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/conformance_pack/lambda.sp b/conformance_pack/lambda.sp
index eede98fe..1a0a504c 100644
--- a/conformance_pack/lambda.sp
+++ b/conformance_pack/lambda.sp
@@ -131,11 +131,11 @@ query "lambda_function_in_vpc" {
 select
 arn as resource,
 case
- when vpc_id is null then 'alarm'
+ when vpc_id is null or vpc_id = '' then 'alarm'
 else 'ok'
 end status,
 case
- when vpc_id is null then title || ' is not in VPC.'
+ when vpc_id is null or vpc_id = '' then title || ' is not in VPC.'
 else title || ' is in VPC ' || vpc_id || '.'
 end reason
 ${local.tag_dimensions_sql}
@@ -318,8 +318,7 @@ query "lambda_function_multiple_az_configured" {
 select
 arn as resource,
 case
- when vpc_id is null then 'skip'
- when vpc_id = '' then 'skip'
+ when vpc_id is null or vpc_id = '' then 'skip'
 else
 case
 when (
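Review bot: The compound predicate `vpc_id is null or vpc_id = ''` in the -131 hunk is spelled out twice, once for status and once for reason, and the same duplication recurs in the -318 and -335 hunks of this patch, so the two case expressions of each control can drift the next time a sentinel value has to be added. A single null-folding form such as `coalesce(vpc_id, '') = ''` keeps each pair in step and reads as one condition; the pack already depends on Postgres functions like jsonb_array_length, so this stays in-dialect. It also makes the "not in VPC" decision greppable as one expression across the pack, which matters for a control whose alarm is the whole point. The enclosing query block starts and ends outside the hunk.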
@@ -335,8 +334,7 @@ query "lambda_function_multiple_az_configured" {
 end
 end as status,
 case
- when vpc_id is null then title || ' is not in VPC.'
- when vpc_id = '' then title || ' is not in VPC.'
+ when vpc_id is null or vpc_id = '' then title || ' is not in VPC.'
 else title || ' has ' || jsonb_array_length(vpc_subnet_ids) || ' availability zone(s).'
 end as reason
 ${local.tag_dimensions_sql}
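Review bot: The reason branch `else title || ' has ' || jsonb_array_length(vpc_subnet_ids) || ' availability zone(s).'` that the new line sits next to reports the length of vpc_subnet_ids as a number of availability zones, and if that column holds subnet ids, as its name suggests, two subnets placed in the same AZ would be described as two zones. Whether the status branch of the same control makes the same assumption cannot be seen from this hunk, since that case expression starts above the -335 range; it is worth checking, because a control named lambda_function_multiple_az_configured that counts subnets could report ok for a function that is in fact single-AZ. If the subnet-to-AZ mapping is available to the pack, the count should be of distinct AZs; otherwise rewording the message to `' subnet(s).'` keeps it honest about what is measured. The enclosing query block starts and ends outside the hunk.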