aws - ebs-snapshot - cross-account filter - enable everyone_only (#8552)

cloud-custodian · May 11, 2023 · b807094 · b807094
1 parent 4f15613
commit b807094
Show file tree

Hide file tree

Showing 7 changed files with 155 additions and 1 deletion.
diff --git a/c7n/resources/ebs.py b/c7n/resources/ebs.py
@@ -238,12 +238,19 @@ def process(self, resources, event=None):
 
     def process_resource_set(self, client, resource_set):
         results = []
+        everyone_only = self.data.get('everyone_only', False)
         for r in resource_set:
             attrs = self.manager.retry(
                 client.describe_snapshot_attribute,
                 SnapshotId=r['SnapshotId'],
                 Attribute='createVolumePermission')['CreateVolumePermissions']
-            shared_accounts = {
+            shared_accounts = set()
+            if everyone_only:
+                for g in attrs:
+                    if g.get('Group') == 'all':
+                        shared_accounts = {g.get('Group')}
+            else:
+                shared_accounts = {
                 g.get('Group') or g.get('UserId') for g in attrs}
             delta_accounts = shared_accounts.difference(self.accounts)
             if delta_accounts:

diff --git a/...t_ebs_snapshot_set_permissions_matched_everyone_only/ec2.DescribeSnapshotAttribute_1.json b/...t_ebs_snapshot_set_permissions_matched_everyone_only/ec2.DescribeSnapshotAttribute_1.json
@@ -0,0 +1,12 @@
+{
+    "status_code": 200,
+    "data": {
+        "CreateVolumePermissions": [
+            {
+                "Group": "all"
+            }
+        ],
+        "SnapshotId": "snap-af0eb71b",
+        "ResponseMetadata": {}
+    }
+}
diff --git a/...t_ebs_snapshot_set_permissions_matched_everyone_only/ec2.DescribeSnapshotAttribute_2.json b/...t_ebs_snapshot_set_permissions_matched_everyone_only/ec2.DescribeSnapshotAttribute_2.json
@@ -0,0 +1,15 @@
+{
+    "status_code": 200,
+    "data": {
+        "CreateVolumePermissions": [
+            {
+                "UserId": "112233445566"
+            },
+            {
+                "UserId": "665544332211"
+            }
+        ],
+        "SnapshotId": "snap-0ac64f0a1f16af706",
+        "ResponseMetadata": {}
+    }
+}
diff --git a/...t_ebs_snapshot_set_permissions_matched_everyone_only/ec2.DescribeSnapshotAttribute_3.json b/...t_ebs_snapshot_set_permissions_matched_everyone_only/ec2.DescribeSnapshotAttribute_3.json
@@ -0,0 +1,8 @@
+{
+    "status_code": 200,
+    "data": {
+        "CreateVolumePermissions": [],
+        "SnapshotId": "snap-af0eb71b",
+        "ResponseMetadata": {}
+    }
+}
diff --git a/...cebo/test_ebs_snapshot_set_permissions_matched_everyone_only/ec2.DescribeSnapshots_1.json b/...cebo/test_ebs_snapshot_set_permissions_matched_everyone_only/ec2.DescribeSnapshots_1.json
@@ -0,0 +1,48 @@
+{
+    "status_code": 200,
+    "data": {
+        "Snapshots": [
+            {
+                "Description": "",
+                "Encrypted": false,
+                "OwnerId": "644160558196",
+                "Progress": "100%",
+                "SnapshotId": "snap-af0eb71b",
+                "StartTime": {
+                    "__class__": "datetime",
+                    "year": 2020,
+                    "month": 10,
+                    "day": 14,
+                    "hour": 21,
+                    "minute": 8,
+                    "second": 19,
+                    "microsecond": 177000
+                },
+                "State": "completed",
+                "VolumeId": "vol-af0eb71b",
+                "VolumeSize": 8
+            },
+            {
+                "Description": "",
+                "Encrypted": false,
+                "OwnerId": "644160558196",
+                "Progress": "100%",
+                "SnapshotId": "snap-0ac64f0a1f16af706",
+                "StartTime": {
+                    "__class__": "datetime",
+                    "year": 2020,
+                    "month": 10,
+                    "day": 14,
+                    "hour": 21,
+                    "minute": 8,
+                    "second": 19,
+                    "microsecond": 177000
+                },
+                "State": "completed",
+                "VolumeId": "vol-0309e0368c8e7c1b0",
+                "VolumeSize": 8
+            }
+        ],
+        "ResponseMetadata": {}
+    }
+}
diff --git a/...est_ebs_snapshot_set_permissions_matched_everyone_only/ec2.ModifySnapshotAttribute_1.json b/...est_ebs_snapshot_set_permissions_matched_everyone_only/ec2.ModifySnapshotAttribute_1.json
@@ -0,0 +1,6 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {}
+    }
+}
diff --git a/tests/test_ebs.py b/tests/test_ebs.py
@@ -190,6 +190,31 @@ def test_snapshot_access(self):
             {"snap-7f9496cf": ["619193117841"], "snap-af0eb71b": ["all"]},
         )
 
+    def test_snapshot_access_everyone_only(self):
+        # pre conditions, 2 snapshots one shared to a separate account, and one
+        # shared publicly. 2 non matching volumes, one not shared, one shared
+        # explicitly to its own account.
+        factory = self.replay_flight_data("test_ebs_cross_account")
+        p = self.load_policy(
+            {
+                "name": "snap-copy",
+                "resource": "ebs-snapshot",
+                "filters": [
+                    {
+                        "type": "cross-account",
+                        "everyone_only": True,
+                    },
+                ]
+            },
+            session_factory=factory,
+        )
+        resources = p.run()
+        self.assertEqual(len(resources), 1)
+        self.assertEqual(
+            {r["SnapshotId"]: r["c7n:CrossAccountViolations"] for r in resources},
+            {"snap-af0eb71b": ["all"]},
+        )
+
 
 class SnapshotDetachTest(BaseTest):
 
@@ -363,6 +388,7 @@ def test_reset(self):
             Attribute='createVolumePermission')['CreateVolumePermissions']
         assert perms == []
 
+
     def test_add(self):
         # For this test, we assume only 665544332211 has permissions,
         # and we test adding 112233445566 and removing 665544332211
@@ -431,6 +457,38 @@ def test_matched(self):
             Attribute='createVolumePermission')['CreateVolumePermissions']
         assert perms == [{"UserId": "112233445566"}]
 
+    def test_matched_everyone_only(self):
+        factory = self.replay_flight_data(
+            "test_ebs_snapshot_set_permissions_matched_everyone_only")
+        p = self.load_policy(
+            {
+                "name": "snap-copy",
+                "resource": "ebs-snapshot",
+                "filters": [
+                    {
+                        "type": "cross-account",
+                        "everyone_only": True,
+                    },
+                ],
+                "actions": [
+                    {
+                        "type": "set-permissions",
+                        "remove": "matched"
+                    }
+                ],
+            },
+            session_factory=factory,
+        )
+        p.validate()
+        resources = p.run()
+        self.assertEqual(len(resources), 1)
+        assert resources[0]['SnapshotId'] == "snap-af0eb71b"
+        client = factory().client('ec2')
+        perms = client.describe_snapshot_attribute(
+            SnapshotId=resources[0]['SnapshotId'],
+            Attribute='createVolumePermission')['CreateVolumePermissions']
+        assert perms == []
+
 
 class SnapshotVolumeFilter(BaseTest):