
aws - glue-catalog - cloud-trail mode default for api calls that don't provide ids (#5841)
JohnHillegass committed Jun 8, 2020
1 parent 1ea032d commit 83e5cfd
Showing 11 changed files with 327 additions and 0 deletions.
3 changes: 3 additions & 0 deletions c7n/resources/glue.py
Expand Up @@ -528,6 +528,9 @@ def _get_catalog_encryption_settings(self):
def resources(self):
return self.filter_resources(self._get_catalog_encryption_settings())

def get_resources(self, resource_ids):
return [{'CatalogId': self.config.account_id}]


@GlueDataCatalog.action_registry.register('set-encryption')
class GlueDataCatalogEncryption(BaseAction):
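Review bot: The new `get_resources` returns a bare `{'CatalogId': account_id}` record, while `resources()` two lines above returns the records built by `_get_catalog_encryption_settings()`, so a cloudtrail-mode policy sees a differently shaped resource than a pull-mode policy for the same filters and actions. In the test added in this commit the `DataCatalogEncryptionSettings.EncryptionAtRest.SseAwsKmsKeyId` value filter appears to pass only because the key is absent and `op: ne` treats a missing value as not-equal, which would mask a real mismatch. Consider returning the same records the pull path uses, e.g. `return self._get_catalog_encryption_settings()`, so the two modes agree; whether `CatalogId` must still be merged in depends on what that helper returns, and its body is outside this hunk. The enclosing class header is also outside the hunk, and `resource_ids` being unused is consistent with the commit's intent, but a one-line comment such as `# the catalog is a per-account singleton; event ids are irrelevant` would make that deliberate.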
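--- a/tests/data/cwe/event-cloud-trail-catalog-put-resource-policy.json
+++ b/tests/data/cwe/event-cloud-trail-catalog-put-resource-policy.json
@@ -0,0 +1,46 @@
+{
+"version": "0",
+"id": "4186524f-4444-4444-4444-9c149bfbbbe2",
+"detail-type": "AWS API Call via CloudTrail",
+"source": "aws.glue",
+"account": "644160558196",
+"time": "2020-06-04T15:18:28Z",
+"region": "us-east-1",
+"resources": [],
+"detail": {
+"eventVersion": "1.05",
+"userIdentity": {
+"type": "IAMUser",
+"principalId": "qwefqffasdfdfsda",
+"arn": "arn:aws:iam::644160558196:user/fake@fakeemail.com",
+"accountId": "644160558196",
+"accessKeyId": "1345351435",
+"userName": "fake@fakeemail.com",
+"sessionContext": {
+"sessionIssuer": {},
+"webIdFederationData": {},
+"attributes": {
+"mfaAuthenticated": "false",
+"creationDate": "2020-06-04T15:06:07Z"
+}
+}
+},
+"eventTime": "2020-06-04T15:18:28Z",
+"eventSource": "glue.amazonaws.com",
+"eventName": "PutResourcePolicy",
+"awsRegion": "us-east-1",
+"sourceIPAddress": "99.99.99.99",
+"userAgent": "console.amazonaws.com",
+"requestParameters": {
+"policyHashCondition": "qwerwqerewqrewqr==",
+"policyInJson": "{\n \"Version\" : \"2012-10-17\",\n \"Statement\" : [ {\n \"Effect\" : \"Allow\",\n \"Principal\" : \"*\",\n \"Action\" : \"glue:*\",\n \"Resource\" : \"arn:aws:glue:us-east-1:644160558196:catalog\",\n \"Condition\": {\n \"StringEquals\": {\n \"aws:PrincipalOrgID\": \"o-4amkskbcf3\"\n } \n }\n } ]\n}"
+},
+"responseElements": {
+"policyHash": "eqwewrewqerwerewr=="
+},
+"requestID": "562ac246-0da8-4444-4444-7053b5ecf789",
+"eventID": "1f5ed731-4444-4a5c-4444-57f55e636789",
+"eventType": "AwsApiCall"
+},
+"debug": true
+}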
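--- a/tests/data/cwe/event-cloud-trail-catalog-set-encryption.json
+++ b/tests/data/cwe/event-cloud-trail-catalog-set-encryption.json
@@ -0,0 +1,52 @@
+{
+"version": "0",
+"id": "b782ed03-9c34-41d8-4444-bc7c6a5e2cfd",
+"detail-type": "AWS API Call via CloudTrail",
+"source": "aws.glue",
+"account": "644160558196",
+"time": "2020-06-05T16:10:47Z",
+"region": "us-east-1",
+"resources": [],
+"detail": {
+"eventVersion": "1.05",
+"userIdentity": {
+"type": "AssumedRole",
+"principalId": "23454235342523:custodian-net-change-encryption",
+"arn": "arn:aws:sts::644160558196:assumed-role/CloudCustodianRole/custodian-net-change-encryption",
+"accountId": "644160558196",
+"accessKeyId": "1525415421513245",
+"sessionContext": {
+"sessionIssuer": {
+"type": "Role",
+"principalId": "23454235342523",
+"arn": "arn:aws:iam::644160558196:role/CloudCustodianRole",
+"accountId": "644160558196",
+"userName": "CloudCustodianRole"
+},
+"webIdFederationData": {},
+"attributes": {
+"mfaAuthenticated": "false",
+"creationDate": "2020-06-05T16:09:41Z"
+}
+}
+},
+"eventTime": "2020-06-05T16:10:47Z",
+"eventSource": "glue.amazonaws.com",
+"eventName": "PutDataCatalogEncryptionSettings",
+"awsRegion": "us-east-1",
+"sourceIPAddress": "35.171.244.77",
+"userAgent": "CloudCustodian(net-change-encryption)/0.9.2 Python/3.8.3 Linux/4.14.165-102.205.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.15.49",
+"requestParameters": {
+"dataCatalogEncryptionSettings": {
+"encryptionAtRest": {
+"catalogEncryptionMode": "SSE-KMS"
+}
+}
+},
+"responseElements": null,
+"requestID": "b86bcd00-4444-4127-a74c-6c5f04d6534c",
+"eventID": "3cda2b5f-a6c7-4c68-4444-93b0f6e1963c",
+"eventType": "AwsApiCall"
+},
+"debug": true
+}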
@@ -0,0 +1,14 @@
{
"status_code": 200,
"data": {
"DataCatalogEncryptionSettings": {
"EncryptionAtRest": {
"CatalogEncryptionMode": "DISABLED"
},
"ConnectionPasswordEncryption": {
"ReturnConnectionPasswordEncrypted": false
}
},
"ResponseMetadata": {}
}
}
@@ -0,0 +1,15 @@
{
"status_code": 200,
"data": {
"DataCatalogEncryptionSettings": {
"EncryptionAtRest": {
"CatalogEncryptionMode": "SSE-KMS",
"SseAwsKmsKeyId": "alias/aws/glue"
},
"ConnectionPasswordEncryption": {
"ReturnConnectionPasswordEncrypted": false
}
},
"ResponseMetadata": {}
}
}
@@ -0,0 +1,6 @@
{
"status_code": 200,
"data": {
"ResponseMetadata": {}
}
}
@@ -0,0 +1,28 @@
{
"status_code": 200,
"data": {
"PolicyInJson": "{\n \"Version\" : \"2012-10-17\",\n \"Statement\" : [ {\n \"Effect\" : \"Allow\",\n \"Principal\" : \"*\",\n \"Action\" : \"glue:*\",\n \"Resource\" : \"arn:aws:glue:us-east-1:644160558196:catalog\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"aws:PrincipalOrgID\" : \"o-4amkskbcf3\"\n }\n }\n }, {\n \"Effect\" : \"Allow\",\n \"Principal\" : \"*\",\n \"Action\" : \"glue:*\",\n \"Resource\" : \"arn:aws:glue:us-east-1:644160558196:catalog\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"aws:PrincipalOrgID\" : \"o-4amkskbcf1\"\n }\n }\n } ]\n}",
"PolicyHash": "vQI9F/KPAi+BKiDBvNPXSw==",
"CreateTime": {
"__class__": "datetime",
"year": 2020,
"month": 6,
"day": 5,
"hour": 12,
"minute": 26,
"second": 46,
"microsecond": 47000
},
"UpdateTime": {
"__class__": "datetime",
"year": 2020,
"month": 6,
"day": 5,
"hour": 12,
"minute": 26,
"second": 46,
"microsecond": 47000
},
"ResponseMetadata": {}
}
}
@@ -0,0 +1,28 @@
{
"status_code": 200,
"data": {
"PolicyInJson": "{\n \"Version\" : \"2012-10-17\",\n \"Statement\" : [ {\n \"Effect\" : \"Allow\",\n \"Principal\" : \"*\",\n \"Action\" : \"glue:*\",\n \"Resource\" : \"arn:aws:glue:us-east-1:644160558196:catalog\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"aws:PrincipalOrgID\" : \"o-4amkskbcf3\"\n }\n }\n }, {\n \"Effect\" : \"Allow\",\n \"Principal\" : \"*\",\n \"Action\" : \"glue:*\",\n \"Resource\" : \"arn:aws:glue:us-east-1:644160558196:catalog\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"aws:PrincipalOrgID\" : \"o-4amkskbcf1\"\n }\n }\n } ]\n}",
"PolicyHash": "vQI9F/KPAi+BKiDBvNPXSw==",
"CreateTime": {
"__class__": "datetime",
"year": 2020,
"month": 6,
"day": 5,
"hour": 12,
"minute": 26,
"second": 46,
"microsecond": 47000
},
"UpdateTime": {
"__class__": "datetime",
"year": 2020,
"month": 6,
"day": 5,
"hour": 12,
"minute": 26,
"second": 46,
"microsecond": 47000
},
"ResponseMetadata": {}
}
}
@@ -0,0 +1,28 @@
{
"status_code": 200,
"data": {
"PolicyInJson": "{\n \"Version\" : \"2012-10-17\",\n \"Statement\" : [ {\n \"Effect\" : \"Allow\",\n \"Principal\" : \"*\",\n \"Action\" : \"glue:*\",\n \"Resource\" : \"arn:aws:glue:us-east-1:644160558196:catalog\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"aws:PrincipalOrgID\" : \"o-4amkskbcf1\"\n }\n }\n } ]\n}",
"PolicyHash": "hfAqfsBoPt7ZUGlZjU5mMQ==",
"CreateTime": {
"__class__": "datetime",
"year": 2020,
"month": 6,
"day": 5,
"hour": 12,
"minute": 26,
"second": 52,
"microsecond": 531000
},
"UpdateTime": {
"__class__": "datetime",
"year": 2020,
"month": 6,
"day": 5,
"hour": 12,
"minute": 26,
"second": 52,
"microsecond": 531000
},
"ResponseMetadata": {}
}
}
@@ -0,0 +1,7 @@
{
"status_code": 200,
"data": {
"PolicyHash": "hfAqfsBoPt7ZUGlZjU5mMQ==",
"ResponseMetadata": {}
}
}
100 changes: 100 additions & 0 deletions tests/test_glue.py
Expand Up @@ -15,6 +15,7 @@
import time
import json
from c7n.exceptions import PolicyValidationError
from .common import event_data


class TestGlueConnections(BaseTest):
Expand Down Expand Up @@ -587,3 +588,102 @@ def test_remove_statements_validation_error(self):
"actions": [{"type": "remove-statements", "statement_ids": "matched"}],
}
)

def test_catalog_change_encryption_event(self):
session_factory = self.replay_flight_data("test_catalog_change_encryption_event")
session = session_factory()
client = session.client("glue")
before_cat_setting = client.get_data_catalog_encryption_settings()
self.assertJmes(
'DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode',
before_cat_setting,
'DISABLED'
)
self.assertJmes(
'DataCatalogEncryptionSettings.EncryptionAtRest.SseAwsKmsKeyId',
before_cat_setting,
None
)
p = self.load_policy(
{
"name": "net-change-rbp-cross-account",
"resource": "glue-catalog",
"mode": {
"type": "cloudtrail",
"role": "arn:aws:iam::644160558196:role/CloudCustodianRole",
"events": [
{
"source": "glue.amazonaws.com",
"event": "PutDataCatalogEncryptionSettings",
"ids": "userIdentity.accountId"
}
],
},
'filters': [{
'type': 'value',
'key': 'DataCatalogEncryptionSettings.EncryptionAtRest.SseAwsKmsKeyId',
'value': 'alias/skunk/trails',
'op': 'ne'},
],
"actions": [
{
"type": "set-encryption",
"attributes": {
"EncryptionAtRest": {
"CatalogEncryptionMode": "SSE-KMS"
}
}
}
],
},
session_factory=session_factory,
)
p.push(event_data("event-cloud-trail-catalog-set-encryption.json"), None)
after_cat_setting = client.get_data_catalog_encryption_settings()
self.assertJmes(
'DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode',
after_cat_setting,
'SSE-KMS'
)
self.assertJmes(
'DataCatalogEncryptionSettings.EncryptionAtRest.SseAwsKmsKeyId',
after_cat_setting,
'alias/aws/glue'
)

def test_catalog_change_rbp_event(self):
session_factory = self.replay_flight_data("test_catalog_change_rbp_event")
session = session_factory()
client = session.client("glue")
before_cat_setting = client.get_resource_policy()
assert('o-4amkskbcf3' in before_cat_setting.get('PolicyInJson'))
p = self.load_policy(
{
"name": "net-change-rbp-cross-account",
"resource": "glue-catalog",
"mode": {
"type": "cloudtrail",
"role": "arn:aws:iam::644160558196:role/CloudCustodianRole",
"events": [
{
"source": "glue.amazonaws.com",
"event": "PutResourcePolicy",
"ids": "awsRegion"
}
],
},
"filters": [
{
"type": "cross-account",
"whitelist_orgids": [
"o-4amkskbcf1"
]
}
],
"actions": [{"type": "remove-statements", "statement_ids": "matched"}],
},
session_factory=session_factory,
)
p.push(event_data("event-cloud-trail-catalog-put-resource-policy.json"), None)
after_cat_setting = client.get_resource_policy()
assert('o-4amkskbcf3' not in after_cat_setting.get('PolicyInJson'))
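Review bot: The two `assert('o-4amkskbcf3' in …)` / `assert('o-4amkskbcf3' not in …)` checks in test_catalog_change_rbp_event wrap the condition in parentheses, which reads as a call and becomes an always-true tuple the moment someone adds a message after a comma; the rest of the hunk already uses unittest-style helpers (`self.assertJmes`), so `self.assertIn('o-4amkskbcf3', before_cat_setting.get('PolicyInJson'))` and `self.assertNotIn('o-4amkskbcf3', after_cat_setting.get('PolicyInJson'))` would be consistent. The two new tests also pick different `ids` keys for the same resource (`userIdentity.accountId` and `awsRegion`), and nothing in the hunk explains why either value is acceptable; a one-line comment on the first test such as `# ids is unused for glue-catalog: get_resources ignores resource_ids` would record the intent this commit introduces. Neither test asserts that the event-derived id was actually ignored, so the policy name "net-change-rbp-cross-account" being reused for the encryption test is presumably a copy-paste leftover rather than a requirement.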
