Updates needed to fully support the CIS AWS Foundations Benchmark v2.0.0 #981
Draft
aaronlippold wants to merge 93 commits into inspec:main from
Conversation
* Fixed error collection in constructor to not incorrectly fail
* Updated warning message to not add extra '.' in outputs
Signed-off-by: Aaron Lippold <lippold@gmail.com>
- added documentation for all four resources
- added an alias for `configured?` to point to `exist?`
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* added the aws-alternate-contact resource
* updated and standardized coding for security, billing and operations resources
* added documentation for the aws-alternate-contact resource
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Need to add region as an optional param to the constructor
Signed-off-by: Aaron Lippold <lippold@gmail.com>
- added aws_iam_access_analyzers plural resource
- updated aws_regions and aws_region to expose opt_in data
- update aws_region(s) docs
Signed-off-by: Aaron Lippold <lippold@gmail.com>
- removed unneeded aws_region update of client args
- made feedback on allowed account types more direct
- failed fast on param errors
Signed-off-by: Aaron Lippold <lippold@gmail.com>
…y easier test writing Signed-off-by: wdower <will@dower.dev>
… updated monitored? method to work better with lists of buckets Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
…vent selectors Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
…ically does it for us anyway Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Author: This needs to be cleaned up and documented so we can make a PR to chef to get it off our plate
Description
General updates, fixes and new resources to the resource pack to support the cis-aws-foundations-v2 benchmark.
- Add a resource for the aws-iam-credential-report endpoint
- Add resources for the aws-accounts endpoint (primary, billing, security and operations)
- Add Resource For AWS Macie2 (Related Updated Deps for All Gems train-aws#519)
- Updates to `train-aws` (Related Updated Deps for All Gems train-aws#519)
- Updates to `aws_s3_bucket`:
  - `prevent_public_access_by_account?` using current aws-sdk-s3control v1.77 working gem (Related Updated Deps for All Gems train-aws#519)
  - `prevent_public_access`:
    - `prevent_public_access` as `preventing_public_access_via_bucket` for readability.
    - `prevent_public_access_by_account` as `preventing_public_access_by_account` for readability.
  - `catch_aws_errors` to API call given we are handling the exceptions in the matcher.
- Correct errors in the iam_policy documentation
- Fix docs/example for IAM Users (it's currently the one from IAM User)
- Fix the resource_id and to_s functions for CloudWatch log metric filter so that it handles the case when there are no metric filters
- Fix iam_access_keys
Current Resource Pack Errors
Likely mishandled exceptions missing from `aws_backend` and/or `catch_aws_errors`:
[2023-11-14T11:23:01-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_users. Error message: Login Profile for User emailoctopus cannot be found.. You should address this error to ensure your controls are behaving as expected.
[2023-11-14T11:23:02-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_users. Error message: Login Profile for User inspec_aws cannot be found.. You should address this error to ensure your controls are behaving as expected.
[2023-11-14T11:23:02-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_users. Error message: Login Profile for User ses-smtp-user.20191012-150745 cannot be found.. You should address this error to ensure your controls are behaving as expected.
[2023-11-14T11:23:29-05:00] WARN: AWS IAM Credential Report still being generated - attempt 1/5.
[2023-11-14T11:25:12-05:00] WARN: No contact of the inputted alternate contact type found.
[2023-11-14T11:25:12-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_password_policy. Error message: The Password Policy with domain name 916481805664 cannot be found.. You should address this error to ensure your controls are behaving as expected.
[2023-11-14T11:25:12-05:00] WARN: AWS Service Error encountered running a control with Resource aws_iam_password_policy. Error message: The Password Policy with domain name 916481805664 cannot be found.. You should address this error to ensure your controls are behaving as expected.
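The login-profile warnings above are the case worth handling explicitly: an IAM user with no console password is a normal state that the CIS checks need to report as "no login profile", not as a service error. The following Ruby example is added here and is not code from the inspec-aws project or from this PR. `FakeIAM` is a constructed stand-in for aws-sdk-iam so the example runs offline (the real SDK raises `Aws::IAM::Errors::NoSuchEntity` for a missing login profile), and the user names are reused from the quoted warnings purely as sample data. It contrasts a lookup that logs every SDK exception as a service error with one that treats "not found" as the expected answer and reserves warnings for genuine failures such as a permission error.

```ruby
# Added example for this PR thread; not code from the inspec-aws project.
# FakeIAM is a constructed stand-in for aws-sdk-iam so the example runs
# offline. The real SDK raises Aws::IAM::Errors::NoSuchEntity when a user
# has no console login profile, which is the situation behind the
# "Login Profile for User ... cannot be found" warnings quoted above.
module FakeIAM
  module Errors
    class ServiceError < StandardError; end
    class NoSuchEntity < ServiceError; end  # expected: user has no login profile
    class AccessDenied < ServiceError; end  # genuine failure: caller lacks permission
  end

  class Client
    # profiles: user name => true when a console login profile exists
    def initialize(profiles, deny: false)
      @profiles = profiles
      @deny = deny
    end

    def get_login_profile(user_name:)
      raise Errors::AccessDenied, 'not authorized to perform iam:GetLoginProfile' if @deny
      return { user_name: user_name } if @profiles[user_name]

      raise Errors::NoSuchEntity, "Login Profile for User #{user_name} cannot be found."
    end
  end
end

# Constructed sample account: one console user and two API-only users
# (the API-only names are reused from the warnings quoted in this PR).
SAMPLE_PROFILES = { 'emailoctopus' => false, 'inspec_aws' => false, 'alice' => true }.freeze

class ConsoleAccessCheck
  attr_reader :warnings

  def initialize(client)
    @client = client
    @warnings = []
  end

  # Naive form: every SDK exception is logged as a service error, so each
  # API-only user yields a spurious warning like the ones quoted above.
  def naive_console_password?(user_name)
    @client.get_login_profile(user_name: user_name)
    true
  rescue FakeIAM::Errors::ServiceError => e
    @warnings << "AWS Service Error encountered for #{user_name}: #{e.message}"
    false
  end

  # Corrected form: NoSuchEntity is the expected "no console password"
  # answer. Only other service errors are logged, and they return nil so a
  # failed lookup is never mistaken for a compliant (password-less) user.
  def console_password?(user_name)
    @client.get_login_profile(user_name: user_name)
    true
  rescue FakeIAM::Errors::NoSuchEntity
    false
  rescue FakeIAM::Errors::ServiceError => e
    @warnings << "AWS Service Error encountered for #{user_name}: #{e.message}"
    nil
  end

  # user name => true / false / nil (nil = lookup failed, treat as unresolved)
  def console_password_status(user_names)
    user_names.to_h { |u| [u, console_password?(u)] }
  end
end

if $PROGRAM_NAME == __FILE__
  check = ConsoleAccessCheck.new(FakeIAM::Client.new(SAMPLE_PROFILES))
  puts check.console_password_status(SAMPLE_PROFILES.keys).inspect
  puts "warnings: #{check.warnings.size}"
end
```

The distinction matters in both directions: treating "not found" as an error floods the run with warnings that hide real problems, while a naive rescue that returns `false` on an access-denied error would make a user whose login profile could not be read look like an API-only user, so the control would pass without evidence. Returning `nil` for unresolved users keeps that failure visible to the control author.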