
aws - glue-catalog - cloud-trail mode default for api calls that don't provide ids #5841

Merged
merged 8 commits into from
Jun 8, 2020
3 changes: 3 additions & 0 deletions c7n/resources/glue.py
Expand Up @@ -528,6 +528,9 @@ def _get_catalog_encryption_settings(self):
def resources(self):
return self.filter_resources(self._get_catalog_encryption_settings())

def get_resources(self, resource_ids):
return [{'CatalogId': self.config.account_id}]


@GlueDataCatalog.action_registry.register('set-encryption')
class GlueDataCatalogEncryption(BaseAction):
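Review bot: The new `get_resources` returns a bare `[{'CatalogId': self.config.account_id}]` and never consults `resource_ids`, while `resources()` two lines above goes through `self._get_catalog_encryption_settings()`, so the two entry points presumably hand different record shapes to the same filters; in cloudtrail mode a `value` filter keyed on `DataCatalogEncryptionSettings.EncryptionAtRest.SseAwsKmsKeyId` (as in the new test) would then be evaluated against a record that lacks that key and match by absence rather than by the real setting. Unless `_get_catalog_encryption_settings` has a cost or side effect not visible here, returning the same shape keeps both paths consistent: `return self._get_catalog_encryption_settings()`. If ignoring the ids is deliberate because the catalog is a per-account singleton, state that in a docstring, e.g. `"""The data catalog is a per-account singleton, so event-supplied ids are ignored."""`. The enclosing class starts above this hunk.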
46 changes: 46 additions & 0 deletions tests/data/cwe/event-cloud-trail-catalog-put-resource-policy.json
@@ -0,0 +1,46 @@
{
"version": "0",
"id": "4186524f-4444-4444-4444-9c149bfbbbe2",
"detail-type": "AWS API Call via CloudTrail",
"source": "aws.glue",
"account": "644160558196",
"time": "2020-06-04T15:18:28Z",
"region": "us-east-1",
"resources": [],
"detail": {
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "qwefqffasdfdfsda",
"arn": "arn:aws:iam::644160558196:user/fake@fakeemail.com",
"accountId": "644160558196",
"accessKeyId": "1345351435",
"userName": "fake@fakeemail.com",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2020-06-04T15:06:07Z"
}
}
},
"eventTime": "2020-06-04T15:18:28Z",
"eventSource": "glue.amazonaws.com",
"eventName": "PutResourcePolicy",
"awsRegion": "us-east-1",
"sourceIPAddress": "99.99.99.99",
"userAgent": "console.amazonaws.com",
"requestParameters": {
"policyHashCondition": "qwerwqerewqrewqr==",
"policyInJson": "{\n \"Version\" : \"2012-10-17\",\n \"Statement\" : [ {\n \"Effect\" : \"Allow\",\n \"Principal\" : \"*\",\n \"Action\" : \"glue:*\",\n \"Resource\" : \"arn:aws:glue:us-east-1:644160558196:catalog\",\n \"Condition\": {\n \"StringEquals\": {\n \"aws:PrincipalOrgID\": \"o-4amkskbcf3\"\n } \n }\n } ]\n}"
},
"responseElements": {
"policyHash": "eqwewrewqerwerewr=="
},
"requestID": "562ac246-0da8-4444-4444-7053b5ecf789",
"eventID": "1f5ed731-4444-4a5c-4444-57f55e636789",
"eventType": "AwsApiCall"
},
"debug": true
}
52 changes: 52 additions & 0 deletions tests/data/cwe/event-cloud-trail-catalog-set-encryption.json
@@ -0,0 +1,52 @@
{
"version": "0",
"id": "b782ed03-9c34-41d8-4444-bc7c6a5e2cfd",
"detail-type": "AWS API Call via CloudTrail",
"source": "aws.glue",
"account": "644160558196",
"time": "2020-06-05T16:10:47Z",
"region": "us-east-1",
"resources": [],
"detail": {
"eventVersion": "1.05",
"userIdentity": {
"type": "AssumedRole",
"principalId": "23454235342523:custodian-net-change-encryption",
"arn": "arn:aws:sts::644160558196:assumed-role/CloudCustodianRole/custodian-net-change-encryption",
"accountId": "644160558196",
"accessKeyId": "1525415421513245",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "23454235342523",
"arn": "arn:aws:iam::644160558196:role/CloudCustodianRole",
"accountId": "644160558196",
"userName": "CloudCustodianRole"
},
"webIdFederationData": {},
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2020-06-05T16:09:41Z"
}
}
},
"eventTime": "2020-06-05T16:10:47Z",
"eventSource": "glue.amazonaws.com",
"eventName": "PutDataCatalogEncryptionSettings",
"awsRegion": "us-east-1",
"sourceIPAddress": "35.171.244.77",
"userAgent": "CloudCustodian(net-change-encryption)/0.9.2 Python/3.8.3 Linux/4.14.165-102.205.amzn2.x86_64 exec-env/AWS_Lambda_python3.8 Botocore/1.15.49",
"requestParameters": {
"dataCatalogEncryptionSettings": {
"encryptionAtRest": {
"catalogEncryptionMode": "SSE-KMS"
}
}
},
"responseElements": null,
"requestID": "b86bcd00-4444-4127-a74c-6c5f04d6534c",
"eventID": "3cda2b5f-a6c7-4c68-4444-93b0f6e1963c",
"eventType": "AwsApiCall"
},
"debug": true
}
@@ -0,0 +1,14 @@
{
"status_code": 200,
"data": {
"DataCatalogEncryptionSettings": {
"EncryptionAtRest": {
"CatalogEncryptionMode": "DISABLED"
},
"ConnectionPasswordEncryption": {
"ReturnConnectionPasswordEncrypted": false
}
},
"ResponseMetadata": {}
}
}
@@ -0,0 +1,15 @@
{
"status_code": 200,
"data": {
"DataCatalogEncryptionSettings": {
"EncryptionAtRest": {
"CatalogEncryptionMode": "SSE-KMS",
"SseAwsKmsKeyId": "alias/aws/glue"
},
"ConnectionPasswordEncryption": {
"ReturnConnectionPasswordEncrypted": false
}
},
"ResponseMetadata": {}
}
}
@@ -0,0 +1,6 @@
{
"status_code": 200,
"data": {
"ResponseMetadata": {}
}
}
@@ -0,0 +1,28 @@
{
"status_code": 200,
"data": {
"PolicyInJson": "{\n \"Version\" : \"2012-10-17\",\n \"Statement\" : [ {\n \"Effect\" : \"Allow\",\n \"Principal\" : \"*\",\n \"Action\" : \"glue:*\",\n \"Resource\" : \"arn:aws:glue:us-east-1:644160558196:catalog\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"aws:PrincipalOrgID\" : \"o-4amkskbcf3\"\n }\n }\n }, {\n \"Effect\" : \"Allow\",\n \"Principal\" : \"*\",\n \"Action\" : \"glue:*\",\n \"Resource\" : \"arn:aws:glue:us-east-1:644160558196:catalog\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"aws:PrincipalOrgID\" : \"o-4amkskbcf1\"\n }\n }\n } ]\n}",
"PolicyHash": "vQI9F/KPAi+BKiDBvNPXSw==",
"CreateTime": {
"__class__": "datetime",
"year": 2020,
"month": 6,
"day": 5,
"hour": 12,
"minute": 26,
"second": 46,
"microsecond": 47000
},
"UpdateTime": {
"__class__": "datetime",
"year": 2020,
"month": 6,
"day": 5,
"hour": 12,
"minute": 26,
"second": 46,
"microsecond": 47000
},
"ResponseMetadata": {}
}
}
@@ -0,0 +1,28 @@
{
"status_code": 200,
"data": {
"PolicyInJson": "{\n \"Version\" : \"2012-10-17\",\n \"Statement\" : [ {\n \"Effect\" : \"Allow\",\n \"Principal\" : \"*\",\n \"Action\" : \"glue:*\",\n \"Resource\" : \"arn:aws:glue:us-east-1:644160558196:catalog\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"aws:PrincipalOrgID\" : \"o-4amkskbcf3\"\n }\n }\n }, {\n \"Effect\" : \"Allow\",\n \"Principal\" : \"*\",\n \"Action\" : \"glue:*\",\n \"Resource\" : \"arn:aws:glue:us-east-1:644160558196:catalog\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"aws:PrincipalOrgID\" : \"o-4amkskbcf1\"\n }\n }\n } ]\n}",
"PolicyHash": "vQI9F/KPAi+BKiDBvNPXSw==",
"CreateTime": {
"__class__": "datetime",
"year": 2020,
"month": 6,
"day": 5,
"hour": 12,
"minute": 26,
"second": 46,
"microsecond": 47000
},
"UpdateTime": {
"__class__": "datetime",
"year": 2020,
"month": 6,
"day": 5,
"hour": 12,
"minute": 26,
"second": 46,
"microsecond": 47000
},
"ResponseMetadata": {}
}
}
@@ -0,0 +1,28 @@
{
"status_code": 200,
"data": {
"PolicyInJson": "{\n \"Version\" : \"2012-10-17\",\n \"Statement\" : [ {\n \"Effect\" : \"Allow\",\n \"Principal\" : \"*\",\n \"Action\" : \"glue:*\",\n \"Resource\" : \"arn:aws:glue:us-east-1:644160558196:catalog\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"aws:PrincipalOrgID\" : \"o-4amkskbcf1\"\n }\n }\n } ]\n}",
"PolicyHash": "hfAqfsBoPt7ZUGlZjU5mMQ==",
"CreateTime": {
"__class__": "datetime",
"year": 2020,
"month": 6,
"day": 5,
"hour": 12,
"minute": 26,
"second": 52,
"microsecond": 531000
},
"UpdateTime": {
"__class__": "datetime",
"year": 2020,
"month": 6,
"day": 5,
"hour": 12,
"minute": 26,
"second": 52,
"microsecond": 531000
},
"ResponseMetadata": {}
}
}
@@ -0,0 +1,7 @@
{
"status_code": 200,
"data": {
"PolicyHash": "hfAqfsBoPt7ZUGlZjU5mMQ==",
"ResponseMetadata": {}
}
}
100 changes: 100 additions & 0 deletions tests/test_glue.py
Expand Up @@ -15,6 +15,7 @@
import time
import json
from c7n.exceptions import PolicyValidationError
from .common import event_data


class TestGlueConnections(BaseTest):
Expand Down Expand Up @@ -587,3 +588,102 @@ def test_remove_statements_validation_error(self):
"actions": [{"type": "remove-statements", "statement_ids": "matched"}],
}
)

def test_catalog_change_encryption_event(self):
session_factory = self.replay_flight_data("test_catalog_change_encryption_event")
session = session_factory()
client = session.client("glue")
before_cat_setting = client.get_data_catalog_encryption_settings()
self.assertJmes(
'DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode',
before_cat_setting,
'DISABLED'
)
self.assertJmes(
'DataCatalogEncryptionSettings.EncryptionAtRest.SseAwsKmsKeyId',
before_cat_setting,
None
)
p = self.load_policy(
{
"name": "net-change-rbp-cross-account",
"resource": "glue-catalog",
"mode": {
"type": "cloudtrail",
"role": "arn:aws:iam::644160558196:role/CloudCustodianRole",
"events": [
{
"source": "glue.amazonaws.com",
"event": "PutDataCatalogEncryptionSettings",
"ids": "userIdentity.accountId"
}
],
},
'filters': [{
'type': 'value',
'key': 'DataCatalogEncryptionSettings.EncryptionAtRest.SseAwsKmsKeyId',
'value': 'alias/skunk/trails',
'op': 'ne'},
],
"actions": [
{
"type": "set-encryption",
"attributes": {
"EncryptionAtRest": {
"CatalogEncryptionMode": "SSE-KMS"
}
}
}
],
},
session_factory=session_factory,
)
p.push(event_data("event-cloud-trail-catalog-set-encryption.json"), None)
after_cat_setting = client.get_data_catalog_encryption_settings()
self.assertJmes(
'DataCatalogEncryptionSettings.EncryptionAtRest.CatalogEncryptionMode',
after_cat_setting,
'SSE-KMS'
)
self.assertJmes(
'DataCatalogEncryptionSettings.EncryptionAtRest.SseAwsKmsKeyId',
after_cat_setting,
'alias/aws/glue'
)

def test_catalog_change_rbp_event(self):
session_factory = self.replay_flight_data("test_catalog_change_rbp_event")
session = session_factory()
client = session.client("glue")
before_cat_setting = client.get_resource_policy()
assert('o-4amkskbcf3' in before_cat_setting.get('PolicyInJson'))
p = self.load_policy(
{
"name": "net-change-rbp-cross-account",
"resource": "glue-catalog",
"mode": {
"type": "cloudtrail",
"role": "arn:aws:iam::644160558196:role/CloudCustodianRole",
"events": [
{
"source": "glue.amazonaws.com",
"event": "PutResourcePolicy",
"ids": "awsRegion"
}
],
},
"filters": [
{
"type": "cross-account",
"whitelist_orgids": [
"o-4amkskbcf1"
]
}
],
"actions": [{"type": "remove-statements", "statement_ids": "matched"}],
},
session_factory=session_factory,
)
p.push(event_data("event-cloud-trail-catalog-put-resource-policy.json"), None)
after_cat_setting = client.get_resource_policy()
assert('o-4amkskbcf3' not in after_cat_setting.get('PolicyInJson'))
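Review bot: `test_catalog_change_rbp_event` only checks that the matched org id is gone after `p.push`; the recorded policy responses earlier on this page show a remaining statement for `o-4amkskbcf1`, so the test should also pin that the whitelisted statement survives, otherwise a regression that strips every statement still passes: `self.assertIn('o-4amkskbcf1', after_cat_setting.get('PolicyInJson'))`. The two bare `assert(...)` calls would read better as `self.assertIn`/`self.assertNotIn`, matching the `self.assertJmes` style used in the sibling test. `test_catalog_change_encryption_event` reuses the policy name `net-change-rbp-cross-account` from the resource-policy test, which looks like a copy-paste; a distinct name such as `net-change-catalog-encryption` makes flight data and log output easier to attribute.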