Draft for checking listener ssl policy on ALB #100
Conversation
python/alb_ssl_policy.py
Outdated
| listeners = alb_client.describe_listeners( LoadBalancerArns = [alb_arn,], ) | ||
|
|
||
| for l in listeners['Listeners']: | ||
| if ( 'SslPolicy' in l.keys()): |
There was a problem hiding this comment.
external parenthesis can be removed
python/alb_ssl_policy.py
Outdated
| alb_arn = configuration_item['arn'] | ||
| alb_client = get_client('elbv2',event); | ||
|
|
||
| listeners = alb_client.describe_listeners( LoadBalancerArns = [alb_arn,], ) |
python/alb_ssl_policy.py
Outdated
| ############################### | ||
|
|
||
| alb_arn = configuration_item['arn'] | ||
| alb_client = get_client('elbv2',event); |
There was a problem hiding this comment.
space between comma and variable
There was a problem hiding this comment.
removed comma and add space between comma and variable.
python/alb_ssl_policy.py
Outdated
|
|
||
| for l in listeners['Listeners']: | ||
| if ( 'SslPolicy' in l.keys()): | ||
| if(l['SslPolicy'] not in COMPLIANT_POLICY): |
There was a problem hiding this comment.
should be
if l['SslPolicy'] not in validated_rule_parameters['ValidPolicies']:
python/alb_ssl_policy.py
Outdated
| Feature: | ||
| In order to: apply ssl policy to listers | ||
| As: a Security Officer | ||
| I want: to chaging configuration of applicatio loac balancer. |
There was a problem hiding this comment.
several typo in this sections
python/alb_ssl_policy.py
Outdated
| Then: Return COMPLIANT | ||
| Scenario 2: | ||
| Given: SslPolicy is not in COMPLIANT_POLICY | ||
| THEN: RETURN NON_COMPLIANT |
python/alb_ssl_policy.py
Outdated
| As: a Security Officer | ||
| I want: to chaging configuration of applicatio loac balancer. | ||
| Scenarios: | ||
| Scenario 1: |
There was a problem hiding this comment.
Add a scenario if no CompliantPolicies
python/alb_ssl_policy.py
Outdated
|
|
||
| listeners = alb_client.describe_listeners( LoadBalancerArns = [alb_arn,], ) | ||
|
|
||
| for l in listeners['Listeners']: |
python/alb_ssl_policy.py
Outdated
| Then: Return NON_COMPLIANT | ||
| Scenario 3: | ||
| Given: CompliantPolicies has not been defined. | ||
| Then: Return NOT_APPLICABLE |
There was a problem hiding this comment.
No, this should be COMPLIANT is only you have SSL enabled.
python/alb_ssl_policy.py
Outdated
| Given: CompliantPolicies has not been defined. | ||
| Then: Return NOT_APPLICABLE | ||
| Scenario 4: | ||
| Given: Listner has not been used in a application load balancer. |
python/alb_ssl_policy.py
Outdated
| @@ -48,6 +55,8 @@ | |||
| DEFAULT_RESOURCE_TYPE = ['AWS::LoadBalancingV2::LoadBalancer'] | |||
| # Pre defined policy name | |||
| COMPLIANT_POLICY = ['ELBSecurityPolicy-2016-08','ELBSecurityPolicy-FS-2018-06'] | |||
| # for Assume Role parametor | |||
| ASSUME_ROLE_MODE = '' | |||
python/alb_ssl_policy.py
Outdated
| @@ -48,6 +55,8 @@ | |||
| DEFAULT_RESOURCE_TYPE = ['AWS::LoadBalancingV2::LoadBalancer'] | |||
| # Pre defined policy name | |||
| COMPLIANT_POLICY = ['ELBSecurityPolicy-2016-08','ELBSecurityPolicy-FS-2018-06'] | |||
| # for Assume Role parametor | |||
python/alb_ssl_policy.py
Outdated
| @@ -48,6 +55,8 @@ | |||
| DEFAULT_RESOURCE_TYPE = ['AWS::LoadBalancingV2::LoadBalancer'] | |||
| # Pre defined policy name | |||
| COMPLIANT_POLICY = ['ELBSecurityPolicy-2016-08','ELBSecurityPolicy-FS-2018-06'] | |||
python/alb_ssl_policy.py
Outdated
| @@ -78,14 +87,20 @@ def evaluate_compliance(event, configuration_item, valid_rule_parameters): | |||
| ############################### | |||
|
|
|||
| alb_arn = configuration_item['arn'] | |||
| alb_client = get_client('elbv2',event); | |||
| alb_client = get_client('elbv2' , event) | |||
There was a problem hiding this comment.
space only after the comma
python/alb_ssl_policy.py
Outdated
| if ( 'SslPolicy' in l.keys()): | ||
| if(l['SslPolicy'] not in COMPLIANT_POLICY): | ||
| return 'NON_COMPLIANT' | ||
| if len(COMPLIANT_POLICY) == 0: |
There was a problem hiding this comment.
No, this is a parameter, change the function evaluate_parameter()
python/alb_ssl_policy.py
Outdated
| I want: to chase configuration of listener ssl policy of an application load balancer. | ||
| Scenarios: | ||
| Scenario 1: | ||
| Given: SslPolicy is in COMPLIANT_POLICY |
There was a problem hiding this comment.
update the entire gherkin with the new name of the parameter
python/alb_ssl_policy.py
Outdated
| | ---------------------- | --------- | -------------------------------------------------------------------------------------- | | ||
| | Parameter Name | Type | Description | | ||
| | ---------------------- | --------- | -------------------------------------------------------------------------------------- | | ||
| | ValidPolicies | Constant | The list of ssl policy name which check whether lister configred with comma separated | |
python/alb_ssl_policy.py
Outdated
| Given: CompliantPolicies has not been defined. | ||
| Then: Return NON_COMPLIANT | ||
| Scenario 4: | ||
| Given: Listner has not been used in a application load balancer. |
python/alb_ssl_policy.py
Outdated
| Then: Return COMPLIANT | ||
| Scenario 3: | ||
| Given: CompliantPolicies has not been defined. | ||
| Then: Return NON_COMPLIANT |
There was a problem hiding this comment.
This need to return compliant. if and only if, there is a SSL listener. The goal is to ensure that SSL is enabled on the ALB.
python/alb_ssl_policy.py
Outdated
| for l in listeners['Listeners']: | ||
| if 'SslPolicy' in l.keys(): | ||
| if l['SslPolicy'] not in valid_rule_parameters['ValidPolicies']: | ||
| return 'NON_COMPLIANT' |
There was a problem hiding this comment.
Use build_evaluation_from_config_item() to add an annotation to the NON_COMPLIANT to explain why to the customer
python/alb_ssl_policy.py
Outdated
|
|
||
| # for Assume Role parameter | ||
| ASSUME_ROLE_MODE = False | ||
| DEFAULT_RESOURCE_TYPE = '' |
There was a problem hiding this comment.
DEFAULT_RESOURCE_TYPE = 'AWS::LoadBalancingV2::LoadBalancer'
| In order to: apply ssl policy to listers | ||
| As: a Security Officer | ||
| I want: to chase configuration of listener ssl policy of an application load balancer. | ||
| Scenarios: |
There was a problem hiding this comment.
Add carriage return before
| | ---------------------- | --------- | -------------------------------------------------------------------------------------- | | ||
|
|
||
| Feature: | ||
| In order to: apply ssl policy to listers |
There was a problem hiding this comment.
In order to: ensure that the traffic is encrypted in transit with the proper method
| Feature: | ||
| In order to: apply ssl policy to listers | ||
| As: a Security Officer | ||
| I want: to chase configuration of listener ssl policy of an application load balancer. |
There was a problem hiding this comment.
I want: to verify that the configuration of listener ssl policy of an application load balancer is correct.
python/alb_ssl_policy.py
Outdated
| return valid_rule_parameters | ||
|
|
||
| param_list = rule_parameters['ValidPolicies'] | ||
| param_list = param_list.split(',') |
There was a problem hiding this comment.
merge this line with 138.
param_list = rule_parameters['ValidPolicies'].split(',')
| ##################################### | ||
| Rule Name: | ||
| alb_ssl_policy_check | ||
| Description: |
There was a problem hiding this comment.
Add carriage return before
| alb_ssl_policy_check | ||
| Description: | ||
| Checks that listener of Application Load Balancer has configured applicable SSL policy. | ||
| Trigger: |
There was a problem hiding this comment.
Add carriage return before
| Checks that listener of Application Load Balancer has configured applicable SSL policy. | ||
| Trigger: | ||
| Configuration change on AWS::LoadBalancingV2::LoadBalancer. | ||
| Resource Type to report on: |
There was a problem hiding this comment.
Add carriage return before
| Configuration change on AWS::LoadBalancingV2::LoadBalancer. | ||
| Resource Type to report on: | ||
| AWS::LoadBalancingV2::LoadBalancer | ||
| Rule Parameters: |
There was a problem hiding this comment.
Add carriage return before
I confirm these files are made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode)
Issue #, if available:
Description of changes: