-
Notifications
You must be signed in to change notification settings - Fork 851
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Draft for checking listener ssl policy on ALB #100
Conversation
python/alb_ssl_policy.py
Outdated
listeners = alb_client.describe_listeners( LoadBalancerArns = [alb_arn,], ) | ||
|
||
for l in listeners['Listeners']: | ||
if ( 'SslPolicy' in l.keys()): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
external parenthesis can be removed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed parenthesis.
python/alb_ssl_policy.py
Outdated
alb_arn = configuration_item['arn'] | ||
alb_client = get_client('elbv2',event); | ||
|
||
listeners = alb_client.describe_listeners( LoadBalancerArns = [alb_arn,], ) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove comma at the end
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed comma.
python/alb_ssl_policy.py
Outdated
############################### | ||
|
||
alb_arn = configuration_item['arn'] | ||
alb_client = get_client('elbv2',event); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove ; at the end
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
space between comma and variable
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed comma and add space between comma and variable.
python/alb_ssl_policy.py
Outdated
|
||
for l in listeners['Listeners']: | ||
if ( 'SslPolicy' in l.keys()): | ||
if(l['SslPolicy'] not in COMPLIANT_POLICY): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should be
if l['SslPolicy'] not in validated_rule_parameters['ValidPolicies']:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Modified.
python/alb_ssl_policy.py
Outdated
Feature: | ||
In order to: apply ssl policy to listers | ||
As: a Security Officer | ||
I want: to chaging configuration of applicatio loac balancer. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
several typo in this sections
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
corrected.
python/alb_ssl_policy.py
Outdated
Then: Return COMPLIANT | ||
Scenario 2: | ||
Given: SslPolicy is not in COMPLIANT_POLICY | ||
THEN: RETURN NON_COMPLIANT |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return NON_COMPLAINT
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
corrected.
python/alb_ssl_policy.py
Outdated
As: a Security Officer | ||
I want: to chaging configuration of applicatio loac balancer. | ||
Scenarios: | ||
Scenario 1: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add a scenario if no CompliantPolicies
python/alb_ssl_policy.py
Outdated
|
||
listeners = alb_client.describe_listeners( LoadBalancerArns = [alb_arn,], ) | ||
|
||
for l in listeners['Listeners']: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if no listeners?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Change the name of the parameter
python/alb_ssl_policy.py
Outdated
Then: Return NON_COMPLIANT | ||
Scenario 3: | ||
Given: CompliantPolicies has not been defined. | ||
Then: Return NOT_APPLICABLE |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, this should be COMPLIANT is only you have SSL enabled.
python/alb_ssl_policy.py
Outdated
Given: CompliantPolicies has not been defined. | ||
Then: Return NOT_APPLICABLE | ||
Scenario 4: | ||
Given: Listner has not been used in a application load balancer. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return NON_COMPLIANT
python/alb_ssl_policy.py
Outdated
@@ -48,6 +55,8 @@ | |||
DEFAULT_RESOURCE_TYPE = ['AWS::LoadBalancingV2::LoadBalancer'] | |||
# Pre defined policy name | |||
COMPLIANT_POLICY = ['ELBSecurityPolicy-2016-08','ELBSecurityPolicy-FS-2018-06'] | |||
# for Assume Role parametor | |||
ASSUME_ROLE_MODE = '' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need to be
False
python/alb_ssl_policy.py
Outdated
@@ -48,6 +55,8 @@ | |||
DEFAULT_RESOURCE_TYPE = ['AWS::LoadBalancingV2::LoadBalancer'] | |||
# Pre defined policy name | |||
COMPLIANT_POLICY = ['ELBSecurityPolicy-2016-08','ELBSecurityPolicy-FS-2018-06'] | |||
# for Assume Role parametor |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Typo
python/alb_ssl_policy.py
Outdated
@@ -48,6 +55,8 @@ | |||
DEFAULT_RESOURCE_TYPE = ['AWS::LoadBalancingV2::LoadBalancer'] | |||
# Pre defined policy name | |||
COMPLIANT_POLICY = ['ELBSecurityPolicy-2016-08','ELBSecurityPolicy-FS-2018-06'] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove this line
python/alb_ssl_policy.py
Outdated
@@ -78,14 +87,20 @@ def evaluate_compliance(event, configuration_item, valid_rule_parameters): | |||
############################### | |||
|
|||
alb_arn = configuration_item['arn'] | |||
alb_client = get_client('elbv2',event); | |||
alb_client = get_client('elbv2' , event) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
space only after the comma
python/alb_ssl_policy.py
Outdated
if ( 'SslPolicy' in l.keys()): | ||
if(l['SslPolicy'] not in COMPLIANT_POLICY): | ||
return 'NON_COMPLIANT' | ||
if len(COMPLIANT_POLICY) == 0: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, this is a parameter, change the function evaluate_parameter()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Getting better, keep iterating. Review the gherkin first, please send it to me via chime
python/alb_ssl_policy.py
Outdated
I want: to chase configuration of listener ssl policy of an application load balancer. | ||
Scenarios: | ||
Scenario 1: | ||
Given: SslPolicy is in COMPLIANT_POLICY |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
update the entire gherkin with the new name of the parameter
python/alb_ssl_policy.py
Outdated
| ---------------------- | --------- | -------------------------------------------------------------------------------------- | | ||
| Parameter Name | Type | Description | | ||
| ---------------------- | --------- | -------------------------------------------------------------------------------------- | | ||
| ValidPolicies | Constant | The list of ssl policy name which check whether lister configred with comma separated | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Type is "Optional"
python/alb_ssl_policy.py
Outdated
Given: CompliantPolicies has not been defined. | ||
Then: Return NON_COMPLIANT | ||
Scenario 4: | ||
Given: Listner has not been used in a application load balancer. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Typo
python/alb_ssl_policy.py
Outdated
Then: Return COMPLIANT | ||
Scenario 3: | ||
Given: CompliantPolicies has not been defined. | ||
Then: Return NON_COMPLIANT |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This need to return compliant. if and only if, there is a SSL listener. The goal is to ensure that SSL is enabled on the ALB.
python/alb_ssl_policy.py
Outdated
for l in listeners['Listeners']: | ||
if 'SslPolicy' in l.keys(): | ||
if l['SslPolicy'] not in valid_rule_parameters['ValidPolicies']: | ||
return 'NON_COMPLIANT' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use build_evaluation_from_config_item() to add an annotation to the NON_COMPLIANT to explain why to the customer
python/alb_ssl_policy.py
Outdated
|
||
# for Assume Role parameter | ||
ASSUME_ROLE_MODE = False | ||
DEFAULT_RESOURCE_TYPE = '' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
DEFAULT_RESOURCE_TYPE = 'AWS::LoadBalancingV2::LoadBalancer'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Few changes to do, almost there!
In order to: apply ssl policy to listers | ||
As: a Security Officer | ||
I want: to chase configuration of listener ssl policy of an application load balancer. | ||
Scenarios: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add carriage return before
| ---------------------- | --------- | -------------------------------------------------------------------------------------- | | ||
|
||
Feature: | ||
In order to: apply ssl policy to listers |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In order to: ensure that the traffic is encrypted in transit with the proper method
Feature: | ||
In order to: apply ssl policy to listers | ||
As: a Security Officer | ||
I want: to chase configuration of listener ssl policy of an application load balancer. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I want: to verify that the configuration of listener ssl policy of an application load balancer is correct.
python/alb_ssl_policy.py
Outdated
return valid_rule_parameters | ||
|
||
param_list = rule_parameters['ValidPolicies'] | ||
param_list = param_list.split(',') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
merge this line with 138.
param_list = rule_parameters['ValidPolicies'].split(',')
##################################### | ||
Rule Name: | ||
alb_ssl_policy_check | ||
Description: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add carriage return before
alb_ssl_policy_check | ||
Description: | ||
Checks that listener of Application Load Balancer has configured applicable SSL policy. | ||
Trigger: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add carriage return before
Checks that listener of Application Load Balancer has configured applicable SSL policy. | ||
Trigger: | ||
Configuration change on AWS::LoadBalancingV2::LoadBalancer. | ||
Resource Type to report on: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add carriage return before
Configuration change on AWS::LoadBalancingV2::LoadBalancer. | ||
Resource Type to report on: | ||
AWS::LoadBalancingV2::LoadBalancer | ||
Rule Parameters: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add carriage return before
I confirm these files are made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode)
Issue #, if available:
Description of changes: